00:00 - Introduction
01:00 - Start of nmap
02:50 - Discovering a likely LFI in product.php but cannot use filters, likely because there is a file_exists() check
05:30 - Playing with the File Upload functionality
08:40 - Talking about the PHAR wrapper in PHP, showing it will bypass the file_exist and we can go into the ZIP to bypass the .pdf check
10:55 - Uploading the phar archive, and getting RCE through the LFI and PHAR wrapper
16:40 - Showing the intended File Disclosure vulnerability, by uploading a zip with a symlink
18:00 - Creating a python script to automate the file disclosure vulnerability, making it easier for us to download files
28:30 - Script completed, looking at the PHP Code, then showing another unintended solution with a zip file and null byte
37:30 - Explaining what happened with the null byte
40:00 - Showing the intended solution with the null byte, talking about how we can bypass this regex with CRLF Injection due to lack of multi-line
48:00 - Dumping the SQL Database with a union injection
51:15 - Dropping a file from MySQL and then including it with the LFI to get a shell
58:00 - As Rektsu we can execute a binary with sudo, running strings discovers a hard coded password. Strace reveals it loads a library that doesn't exist, so we can use MSFVenom to create a malicious library
Support the originator by clicking the read the rest link below.
