Tags: web php lfi

Rating:

We see from the PHP file, that the query param lang will include a file from the filesystem. Its main use is to provide us with language support by using either en.php or qw.php as language files, but we see other uses for it - namely _local file inclusion_.

The only problem, is that there is a str_replace method being called, which removes any string of the form ../ from the query. But we need ../ to get to the root directory, where the flag is.

Since str_replace will run through our string only once, all we need to do is supply a buffer to the string ../ by making it for example into ....// or .../...//, or anything similar to that.

Original writeup (https://kblagoev.com/blog/ministrypalace-cyberapocalypse-2021-ctf/).