June 30, 2016 Karn Ganeshen

Exploit Exercises – nebula level09

flag09 reads the file supplied as arg1. A second argument also needs to be supplied, but it is not used. If arg2 is omitted, an error is thrown, but the file specified by arg1 is still read.
 

 

After some trial and error, I found the syntax that flag09 accepts:
    [email $phpinfo()]
This makes flag09 treat phpinfo() as a valid variable, but it throws an error.
 

Success (0.1): found the correct syntax to get phpinfo() executed:
    [email {${phpinfo()}}]
 

 

Success: using PHP's exec() function to execute getflag/id:
    [email {${exec(id)}}]
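
The payloads above run because the text matched inside the `[email ...]` tag ends up in PHP code that is evaluated. The following is an added example, not code from the original post or from the level itself; it assumes the level rewrites `[email ...]` tags with `preg_replace` and the `/e` modifier (the post does not show the source), and `spam` and `markup_safe` are hypothetical names. It performs the same rewrite with `preg_replace_callback`, which hands the match to a function as plain data.

```php
<?php
// Added example: hardened rewrite of [email ...] tags.
// Assumed vulnerable pattern (not shown in the post): preg_replace() with the
// /e modifier, where the replacement string is evaluated as PHP after the
// captured text has been substituted into it.

// Obfuscate an address so it is harder to harvest.
function spam(string $email): string
{
    $email = str_replace('.', ' dot ', $email);
    return str_replace('@', ' AT ', $email);
}

// Rewrite every [email ...] tag in $contents.
// The captured text reaches spam() only as a string argument; it is never
// spliced into code, so "{${...}}" stays inert text.
function markup_safe(string $contents): string
{
    $result = preg_replace_callback(
        '/\[email ([^\]]*)\]/',          // stop at the first closing bracket
        function (array $m): string {
            return spam($m[1]);
        },
        $contents
    );
    // preg_replace_callback() returns null on a PCRE error; fail closed.
    if ($result === null) {
        throw new RuntimeException('regex failure: ' . preg_last_error());
    }
    return $result;
}

// Constructed sample input: one ordinary tag and the two payloads from the post.
// Single-quoted strings keep PHP from interpolating "$" in the samples.
$samples = [
    '[email user@example.com]',
    '[email {${phpinfo()}}]',
    '[email {${exec(id)}}]',
];

foreach ($samples as $sample) {
    echo markup_safe($sample), PHP_EOL;
}
```

The `/e` modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so code that still depends on it also indicates an unsupported runtime.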
