Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
The first evidence of this vulnerability was the code include $_REQUEST['target'], which includes a file whose path comes directly from a request parameter!
Next, there is a filter. It first checks for a valid page path and that the file is not import.php or export.php. By double URL encoding the question mark in the path, any file can be called!
In order to turn this into an RCE, we need to make an SQL query, "select '<?php phpinfo();exit;?>'". This will be written to the database file, which makes it callable!
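As an added illustration of the defensive fix for the include described above (this is example code written for this page, not code from the original article or from the project it discusses): the parameter is never used as a path, and validation is an exact match against a fixed allowlist, so a double-encoded question mark or any other encoding trick cannot smuggle a different file past the check. The function name page_is_allowed, the constant ALLOWED_PAGES, the pages/ directory and the sample inputs are all assumptions constructed for the example.

```php
<?php
// Added example, not from the page or the project it describes.
// Names (page_is_allowed, ALLOWED_PAGES, pages/) are assumptions.

const ALLOWED_PAGES = ['index', 'status', 'settings'];   // constructed allowlist

/**
 * Return the filesystem path to include for a user-supplied page name,
 * or null if the name is not an exact allowlist entry.
 *
 * The check is an exact match on a fixed list and nothing is decoded or
 * normalised after it, so a double-encoded '?' ("%253F"), a literal '?',
 * path separators or ".." can never turn a valid-looking prefix into a
 * different file: the user string is only ever compared, never used as a path.
 */
function page_is_allowed(string $target): ?string
{
    // Reject anything that is not a plain page name before consulting the list.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $target)) {
        return null;
    }
    if (!in_array($target, ALLOWED_PAGES, true)) {
        return null;
    }
    // Build the path ourselves from a trusted base and the allowlisted name.
    return __DIR__ . '/pages/' . $target . '.php';
}

// Constructed request values and the decision the check makes for each.
$samples = [
    'index',                     // exact allowlist entry: allowed
    'index%253F/../other.php',   // double-encoded '?' then traversal: rejected
    'index?/../other.php',       // literal '?': rejected
    'export.php',                // not on the list: rejected
];
foreach ($samples as $s) {
    $path = page_is_allowed($s);
    printf("%-26s -> %s\n", $s, $path === null ? 'rejected' : 'include ' . basename($path));
}

// Assumed usage at the top of the request handler:
// $path = page_is_allowed((string)($_REQUEST['target'] ?? ''));
// if ($path === null) { http_response_code(400); exit; }
// include $path;
```

The design point is check-then-use on an unchanged value: a filter that decodes, strips or normalises after it has validated is exactly what the double-encoding trick above exploits, whereas an allowlist match followed by building the path from a trusted base leaves nothing for a second decoding step to change.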