Nineveh Machine + LFI = Unknown Exploit

Hi,

This is my first time submitting a discussion and hope I’am submitting it in right place and category.

Yesterday when I tried to exploit the Nineveh machine I stacked in LFI vulnerability and I realized something stranger in LFI and what made me more surprised when I saw a walkthroughs of this machine.

Actually, what I saw are some people could exploit the LFI in different dirctory path. For Example:

The original path:

http://10.10.10.43/department/manage.php?notes=files/ninevehNotes.txt

Some people can go to specific path directory instead of files/ninevehNotes.txt :

http://10.10.10.43/department/manage.php?notes=/var/tmp/shell.php

Others, can do it in this way:

http://10.10.10.43/department/manage.php?notes=files/ninevehNotes.php/../../../../../../var/tmp/shell.php

Also, by deleting the Files parameter:

http://10.10.10.43/department/manage.php?notes=/ninevehNotes/../var/tmp/shell.php

For me the last method worked fine with me while others do NOT.
How did this happen?
Why the others methods didn’t work?

Hope someone explain it to me, actually I spend all the day just to understand this part :frowning:

Thanks in advance.

Hey there!
I am also interested to know an explanation for this. I have been stuck for hours on this, trying to trigger my shell.php and nothing works for me yet. Do you have any updates about this?

Hi, in the manage.php there is this “$fileName = basename($file); if(!strpos($file, ninevehNotes”)) exit(“No Note is selected.”); echo " The only thing that matter, is that ninevehNotes appears in your path. If you had created your database with the name ninevehNotes.php, you can circumvent this.