search

Travel Agency

LFI + RFI

hashtag
Description

Challenge description.txt
A travel agency website that lets users explore destinations from all over the world. The dev team recently added a ""preview template"" feature that dynamically loads different pages based on user selection.

Everything looks smooth on the surface, but a careless implementation might have left the site vulnerable to more than just wanderlust...

Can you dig into the source and go on a remote adventure to retrieve the flag?

hashtag
Homepage

After clicking on other page, there were no dynamic output for our input, although I noticed the page was loading using ?page parameter, which made me think for LFI.

I pulled index.php code using base64 filter, as it was LFI and not file disclosure. If it were to be file disclosure, we could've pulled index.php without base64 as that way the server wouldn't have executed PHP code.

Here's the vulnerable logic, it's using include of php.

LogoPHP: include - Manualofficial_phpchevron-right

If we see Example 3 of above mannual, it tells we can use include() to get/load pages via HTTP as well.

hashtag
RFI

β€” done β€”

_________________________heapbytes' still pwning.

PreviousSecure UploadNextBlind Trust

Last updated