Lab link.
Some systems have more than one vulnerability, or one vulnerability can be chained into another. In this lab, we can upload files thanks to path traversal.
In the lab, we are asked to access the file /home/carlos/secret. We create a PHP file to read this file:
<?php echo file_get_contents('/home/carlos/secret'); ?>
We try to upload our PHP file.
Here we see that our PHP file is treated as plain text. The server only runs a script when it is configured to execute that MIME type, so our script is returned as plain text. What we need to do is upload the script to a different directory that the user can access, where the server will run the script regardless.
There are two things to pay attention to. First, the first slash should be URL-encoded. Second, we need to edit the URL of the GET request to get the result.
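Why the encoded slash matters, seen from the server side (an added example, not part of the original write-up or the lab's code). It assumes the upload handler strips literal `../` before URL-decoding the file name; `UPLOAD_DIR`, the function names and the sample file names are hypothetical.

```python
import posixpath
from urllib.parse import unquote

UPLOAD_DIR = "/srv/app/uploads/avatars"  # hypothetical upload directory


def naive_destination(filename: str) -> str:
    """Assumed flawed handler: filters '../' first, URL-decodes afterwards."""
    stripped = filename.replace("../", "")   # the filter only sees raw text
    decoded = unquote(stripped)              # '%2f' turns into '/' too late
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, decoded))


def safe_destination(filename: str) -> str:
    """Decode to a fixed point, then validate what will actually be written."""
    decoded = filename
    for _ in range(5):                       # bounded: handles %252f and deeper
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        raise ValueError("file name is encoded too many times")
    # An uploaded file name never legitimately carries a path separator.
    if "/" in decoded or "\\" in decoded or "\x00" in decoded:
        raise ValueError("path separator or NUL in file name")
    if decoded in ("", ".", ".."):
        raise ValueError("empty or relative file name")
    dest = posixpath.normpath(posixpath.join(UPLOAD_DIR, decoded))
    # Defence in depth: the resolved path must sit directly in UPLOAD_DIR.
    if posixpath.dirname(dest) != UPLOAD_DIR:
        raise ValueError("destination escapes the upload directory")
    return dest


def is_rejected(filename: str) -> bool:
    """True when safe_destination refuses the name."""
    try:
        safe_destination(filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample names: plain, raw traversal, encoded, double-encoded.
    for name in ("avatar.png", "../poc.php", "..%2fpoc.php", "..%252fpoc.php"):
        print(f"{name!r}: naive -> {naive_destination(name)}, "
              f"rejected by safe check: {is_rejected(name)}")
```

The naive handler neutralises the raw `../` but writes the encoded variant one directory above the upload folder, which is the behaviour the write-up relies on. The hardened version validates the fully decoded name instead.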