Skip to main content

Lab-3 output redirection

--> same vulnearbilty as Lab-2 but this time we have to find the username by redirecting the output in one of the file in server which we can do with > operator in linux.

we have write permissions in /var/www/images so we will redirect our output here.

--> i used the following payload in message field:

 & whoami > /var/www/images/test.txt &
 #After url encode
 +%26+whoami+>+/var/www/images/test.txt+%26

--> But it didn't worked so i tried it in different fields and it worked in subject field

--> Now to find the file which got created click on any image from cataglogue and select view image and you will find the url like this:

/image?filename=6.jpg

I just change the filename with test.txt and solved the lab!