Trick HTB Discussion
(June 19, 2022, 01:36 AM)netrise Wrote: login url with Enemigosss:SuperGucciRainbowCake
there is an LFI /index.php?page=
the index page uses the php code ==>  <?php include $page.'.php' ?>
i don't know how to bypass the .php suffix


It's hella slow, but I'm able to use the sql injection point to read local files using queries like:  select load_file('/var/www/payroll/index.php');
Reply
i read the contents of admin_class.php unteresting things and i found this
[code]
function logout2(){
    session_destroy();
    foreach ($_SESSION as $key => $value) {
        unset($_SESSION[$key]);
    }
    header("location:../index.php");
}
[/code]
means there is a subfolder under /var/www/payroll/
Reply
(June 19, 2022, 05:10 AM)netrise Wrote: i read the contents of admin_class.php unteresting things and i found this
[code]
function logout2(){
    session_destroy();
    foreach ($_SESSION as $key => $value) {
        unset($_SESSION[$key]);
    }
    header("location:../index.php");
}
[/code]
means there is a subfolder under /var/www/payroll/

How did you read local files?
Which sqli command did you use?
Getting errors reading file
Reply
(June 19, 2022, 04:11 AM)ryzen Wrote:
(June 19, 2022, 01:36 AM)netrise Wrote: login url with Enemigosss:SuperGucciRainbowCake
there is an LFI /index.php?page=
the index page uses the php code ==>  <?php include $page.'.php' ?>
i don't know how to bypass the .php suffix


It's hella slow, but I'm able to use the sql injection point to read local files using queries like:  select load_file('/var/www/payroll/index.php');


This works:
http://preprod-payroll.trick.htb/index.php?page=php://filter/convert.base64-encode/resource=index
Reply
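Added example, not part of the thread and not the application's own code: the include pattern quoted above next to an allowlist-based resolver, which rejects the php://filter value from the thread because the parameter is only ever compared against known page names and never used to build a path directly. The page names and the temporary demo directory are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical page names; the application's real page list is not shown in the thread.
const ALLOWED_PAGES = ['home', 'employee', 'payroll'];

// Pattern quoted in the thread, for comparison only (not executed here):
//   include $page . '.php';
// The suffix restricts nothing about the scheme or directory in $page.

/** Return the absolute path of an allowed page, or null if the request is rejected. */
function resolve_page(?string $page, string $baseDir): ?string
{
    // Exact-match allowlist: stream wrappers, slashes and dots never get through.
    if ($page === null || !in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    // Defence in depth: the resolved file must exist inside the page directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a temporary page directory holding a single page file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', '<?php echo "home";');

$requests = [
    'home',                                               // allowed and present
    'payroll',                                            // allowed, but file missing
    'php://filter/convert.base64-encode/resource=index',  // value from the thread
    '../index',                                           // traversal attempt
    null,                                                 // parameter absent
];
foreach ($requests as $req) {
    $resolved = resolve_page($req, $dir);
    $result = $resolved === null ? 'rejected' : 'include ' . basename($resolved);
    printf("%-52s => %s\n", var_export($req, true), $result);
}

unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```

Only the first request resolves to a file; the other four are rejected before any include call would run.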
New password: TrulyImpossiblePasswordLmao123
A secret action: http://preprod-payroll.trick.htb/ajax.php?action=save_settings
Here we can upload files
Reply
(June 19, 2022, 06:12 AM)fironeDerbert Wrote: New password: TrulyImpossiblePasswordLmao123
A secret action: http://preprod-payroll.trick.htb/ajax.php?action=save_user
Here we can upload files


Did you mean preprod-payroll.trick.htb/ajax.php?action=save_settings ? I've tried using it to upload a PHP shell but it seems the assets/img/ folder has no write access and you can't traverse directories when uploading, have you gotten anywhere with it?
Reply
(June 19, 2022, 06:59 AM)MethEnjoyer Wrote:
(June 19, 2022, 06:12 AM)fironeDerbert Wrote: New password: TrulyImpossiblePasswordLmao123
A secret action: http://preprod-payroll.trick.htb/ajax.php?action=save_user
Here we can upload files


Did you mean preprod-payroll.trick.htb/ajax.php?action=save_settings ? I've tried using it to upload a PHP shell but it seems the assets/img/ folder has no write access and you can't traverse directories when uploading, have you gotten anywhere with it?

oops ye it's save_settings and I don't get anything yet
Reply
If it is save_settings, is there any way we can bypass this to upload a shell? (unable to do directory traversal with the file name)
[code]
Warning: move_uploaded_file(assets/img/1655626740_shell.php): failed to open stream: Permission denied in /var/www/payroll/admin_class.php on line 108

Warning: move_uploaded_file(): Unable to move '/tmp/phpw5CW6H' to 'assets/img/1655626740_shell.php' in /var/www/payroll/admin_class.php on line 108
[/code]

Reply
For me the same
Warning: move_uploaded_file(): Unable to move '/tmp/phpDVhAOe' to 'assets/img/1655630760_htb.png' in /var/www/payroll/admin_class.php on line 108
Reply
Upload part is broken, can't seem to get it to work
Reply

