
File Upload Feature

Interesting beta page which allows for file uploads.

Beta.html page

However, uploading a file produces no useful reply from the server... Moreover, I also do not know if my uploads are stored in a certain part of the server or they are processed somehow.

To understand more, perhaps the webpage is vulnerable to LFI...? (Since the format of the URL seems very suspicious).

Local File Inclusion

Trying out the usual /etc/passwd, I managed to get something juicy. This confirms that the page is vulnerable to LFI!

Burp LFI

Now, it is time to leak the source code for the web pages! Using the same method, we can leak the PHP source code for index.php and activate_license.php (which is used during the file upload).

<?php
function sanitize_input($param) {
    $param1 = str_replace("../","",$param);
    $param2 = str_replace("./","",$param1);
    return $param2;
}

$page = $_GET['page'];
if (isset($page) && preg_match("/^[a-z]/", $page)) {
    $page = sanitize_input($page);
} else {
    header('Location: /index.php?page=default.html');
}

readfile($page);
?>
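
Read against the source above, the /etc/passwd leak has a simple cause: a value that fails the preg_match check only triggers a Location header, execution still reaches readfile($page) with the raw input, and nothing confines the path to the web root. A hardened version of the handler follows as an added example; it is not the box's or the author's code, and PAGE_DIR, resolve_page and the allowlist entries are assumptions for illustration.

```php
<?php
// Added example: hardened replacement for the page-include logic above.
// PAGE_DIR and the allowlist contents are assumptions, not the box's layout.
const PAGE_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['default.html', 'beta.html'];

/**
 * Map a requested page name to a real file under PAGE_DIR.
 * Returns the canonical path, or null when the request must be refused.
 */
function resolve_page($param): ?string
{
    // Allowlist instead of stripping "../" and "./": str_replace makes a
    // single pass and never re-checks its own output, so it cannot be
    // relied on to neutralise traversal sequences.
    if (!is_string($param) || !in_array($param, ALLOWED_PAGES, true)) {
        return null;
    }

    // Defence in depth: canonicalise (resolves symlinks and dot segments)
    // and confirm the result is still inside PAGE_DIR.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $param);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$path = resolve_page($_GET['page'] ?? null);
if ($path === null) {
    // The original sent a redirect header here but kept executing, so
    // readfile() still ran on the rejected value. End the request instead.
    http_response_code(404);
    exit('Not found');
}

readfile($path);
```
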

Internal Connection

The upload feature seems to be uploading the data by sending it to a socket listening on localhost port 1337. Pretty 1337!

However, the lack of any output means that more enumeration has to be done. Let's use /proc to discover running processes in the system.