SignupHide Sidebar
Username: 
Password: 
Restrict session to IP 
Statistics
48 Sites
187 Challs
9087 Posts
68180 Users
44 donations
1 Shop
48 Active Sites
World of Wargame
WeChall
TheBlackSheep
Rankk
Electrica
NewbieContest
LOST-Chall
Yashira
BrainQuest
Net-Force
HackThisSite
ThisisLegal.com
elhacker.net
TryThis0ne
TDHack
+Ma's Reversing
Hacker.org
HackBBS
Root-Me
SPOJ
Revolution Elite
W3Challs
Gekkó
Webhacking.kr
Reversing.Kr
SuNiNaTaS
Hacking-Challenges
OverTheWire.org
RedTigers Hackit
Defend the Web
Mod-X
Omega Project
ae27ff
pwnable.kr
RingZer0 Team Online CTF
pwnable.tw
Hack The Box
try to decrypt
MysteryTwister
LordofSQLi
Énigmes À Thématiques
247CTF
CryptoHack
PyDéfis
PromptRiddle
PWN.TN
pwn.college
HackMyVM
Top 10 Players
dloser
benito255
jusb3
Caesum
tehron
phoenix1204
lordOric
thefinder
Akorlith
Xaav
Last 20 Activities
deprrous
SeRoM
wells71
cheerfulbull
thenightmail
zM_
zeronine
cheerfulbull
TheHiveMind
lubiq78
xseris
xseris
saiwa
lager
lager
amyasnikov
Tjabbe
Madzzy
tomato12xs
jaxxxxxx
Online within 1d
37 Users
froglegseternal
livinskull
SeRoM
lljbash
tehron
cheerfulbull
wells71
zeronine
lager
darkerlabs
nowsh
tomato12xs
noother
rayaseiren
zM_
failsmile
TheHiveMind
TwoFac3R
xseris
saiwa
more
Questions  |  score: 2  |  2.88 5.17 4.92 |  Solved By 4982 People  |  330407 views  |  since Oct 08, 2010 - 02:43:58

Training: PHP LFI (Exploit, PHP, Training)

PHP - Local File Inclusion
Your mission is to exploit this code, which has obviously an LFI vulnerability:

GeSHi`ed PHP code
1
2

$filename = 'pages/'.(isset($_GET["file"])?$_GET["file"]:"welcome").'.html';
include $filename;


There is a lot of important stuff in ../solution.php, so please include and execute this file for us.

Here are a few examples of the script in action (in the box below):
index.php?file=welcome
index.php?file=news
index.php?file=forums

For debugging purposes, you may look at the whole source again, also as highlighted version.
The vulnerable script in action (pages/../../solution.php)
LFI
  • Well done. If you find a local file inclusion, usually the box can get hacked into within minutes.
WeChall
  • Your answer is correct. To keep track of your progress you need to register.
Thanks go out to minus for his alpha testing, great thoughts and motivation!
© 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023 and 2024 by Gizmore