Basic 8

Let’s start the next one now

Sam moved the password to some other path. Now, let’s explore the other part, i.e. the PHP script by Stephanie.

When we give some input, it seems to be saving it in some file.

The script seems to count the number of character in the string. Let’s look at the source code to try and figure out what’s going on behind the scenes.

This is the file where it is storing our string and evaluating. Notice the .shtml extension. A simple search about this indicates that SSI (Server Side Includes) might have been used.

Let’s try a query for SSI Injection:

<!--#exec cmd="ls ../"-->

Well, it worked! We now know the location of the password. Let’s try accessing it directly.

Done!