Method to read files with PHP
Web Shell
GET /example/exploit.php?command=id HTTP/1.1
Goal: Retrieve the contents of /home/carlos/secret
The issue with the site is that there is no filtering on what is uploaded. This allows us to upload a malicious .php file.
Create exploit.php and upload it as the avatar.
The image is requested using a GET request to the exploit. The exploit runs a command on the local server.
The secret, MWUbCZZgorWFyHItyinxM1Tj1RX4bROd, is output in the response. It is viewable in Repeater if you resend the request.
Submit the solution to solve the lab.
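The filtering the site lacks, sketched as an added example (not the lab's code): an avatar handler that checks the content type and never keeps the client's file name or extension. The function name store_avatar, the allowlist, the size limit and the destination directory are assumptions.

```php
<?php
declare(strict_types=1);

// Allowlist (assumed): detected MIME type => extension the server assigns.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
const MAX_BYTES = 1048576; // assumed 1 MiB limit for an avatar

/**
 * Validate an uploaded avatar and store it under a server-chosen name.
 * $file is one entry of $_FILES. $destDir is assumed to be a directory
 * the web server serves as static files only, with PHP execution disabled.
 * Returns the stored file name; throws RuntimeException on rejection.
 */
function store_avatar(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an HTTP upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Detect the type from the bytes on disk. The client-supplied file name
    // and Content-Type header are attacker-controlled and are not consulted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED_TYPES)) {
        throw new RuntimeException('type not allowed');
    }

    // The file must also parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // Server-generated name with an allowlisted extension: an upload named
    // exploit.php can never be stored with a .php extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $target = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}
```

Content checks alone can be passed by a file that is both a valid image and contains script text, so the server-assigned extension and a non-executing upload directory are the controls that matter most here.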