I am stuck on the final assessment. I am able to get /etc/passwd and the log file to show up from the LFI vulnerability. I tried every technique in the LFI academy course and nothing is working, including putting PHP RCE code in the log file, which does not execute. Can anyone here give me a slight nudge? Thanks!
Just figured it out. The hint is “user agent”.
I tried to poison the user agent tag with some PHP RCE code but it did not work. Is there another trick I am missing?
I am able to read the etc/passwd file but not able to get the flag file. Any help?
Please, can anyone help me on the final assessment? What I have tried so far:
- I have fuzzed for parameters using ffuf and saw that one working param is the page param
- I have tried fuzzing with the LFIjhadix.txt file in order to spot a path traversal I can use, but no success
- I have looked for CVEs concerning PHP v7 and nginx without success
- I have gone through the source code but no hint