
When we land on the page, we see a GIF, some text, a timer and a button.
When we click the button, the URL changes:

What if we change that r to something else? For example, ‘hello’.


Text changed!
Now let’s check the code from the downloaded files.

I came across this if statement in the router.php file; it checks for strings. If the URI contains them, we get an error.
Now back to the website.
What can we write instead of ‘r’ so that we get a web shell?
What is a web shell and why do we need it?
A web shell is a script that gives us remote shell access to the web server’s operating system. In this case we need it so we can get the flag, which is located on the web server’s system.
Now back to our question. Well… there is a function called system().
system() accepts a command as a parameter and outputs the result.
We can pass it the command ‘ls -la’ as an argument and get a list of files and folders. But since we can’t use strings, we have to think of another way to use this function.
What if we pass an argument and then give that argument the command as its value, so that we don’t use strings?
Parameter: ${system($_GET[cmd])}&cmd=ls
It’s the same as ${system($_GET[ls])}

We got files/folders!
We have the same files in the downloaded web_loveTok/challenge folder.

We can see a flag file in the web_loveTok folder, but that one is for testing. We can get the real one through the web shell.
So to get the flag, we should move up one folder and list the files.
Command: ls ../
ls — list files
../ — one level up from the current folder.

We got the flag name!! In my case the flag file’s name is flagmRG8b, but yours will be different. Let’s get that flag with the command:
cat ../flagmRG8b
cat — get file
../flagmRG8b — the “flagmRG8b” file is located in the folder one level up from the current folder.

And here is our flag!!!
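
From the defender's side, the requests used above leave a recognisable trace in the web server's access log. The following Python script is an added example, not code from the challenge: it flags query parameters that carry PHP ${...} interpolation around a function call and recovers the command passed through the second parameter. The log lines, the parameter name "format" and the flag name "flagXXXXX" are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# PHP complex-variable syntax wrapping a function call: ${ name( ...
INTERP = re.compile(r"\$\{[^}]*?(\w+)\s*\(")
# Reference to another request parameter, e.g. $_GET[cmd] or $_GET['cmd'].
INDIRECT = re.compile(r"\$_(?:GET|REQUEST)\[\s*['\"]?(\w+)['\"]?\s*\]")

def scan_line(line):
    """Return a finding dict for one log line, or None if nothing matches."""
    m = REQUEST.search(line)
    if not m:
        return None
    # parse_qsl percent-decodes values, so encoded payloads are caught too.
    params = dict(parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True))
    for name, value in params.items():
        call = INTERP.search(value)
        if call:
            ref = INDIRECT.search(value)
            return {"param": name, "function": call.group(1),
                    "smuggled": params.get(ref.group(1)) if ref else None}
    return None

def scan(lines):
    """Map line index -> finding for every suspicious line."""
    found = {}
    for i, line in enumerate(lines):
        hit = scan_line(line)
        if hit:
            found[i] = hit
    return found

# Constructed sample log; "format" and "flagXXXXX" are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?format=r HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /?format=hello HTTP/1.1" 200 498',
    '203.0.113.5 - - [01/Jan/2024:10:01:00 +0000] "GET /?format=${system($_GET[cmd])}&cmd=ls HTTP/1.1" 200 900',
    '203.0.113.5 - - [01/Jan/2024:10:02:00 +0000] "GET /?format=%24%7Bsystem(%24_GET%5Bcmd%5D)%7D&cmd=cat%20../flagXXXXX HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for i, hit in scan(SAMPLE_LOG).items():
        print(i, hit)
```

Because the payload hides the command in a separate parameter, the script resolves the $_GET[...] reference instead of matching on command names, which keeps ordinary parameter values from being flagged.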