I Got Magic — GIF Polyglot Webshell Upload + RCE

Craft a file that is simultaneously a valid GIF (magic bytes GIF89a) and a PHP shell (<?php echo system('cat /flag.txt'); ?>). Upload it via the image upload form, find the timestamped filename in the response, and request that URL to execute the shell.

January 1, 2024 · 2 min · giordii

Light or Dark — Path Traversal with Dot Obfuscation + Null Byte

The theme parameter appends .css to the user-supplied path before serving it. Use …/ triples (which reduce to ../) and a URL-encoded null byte to escape the CSS directory and read /flag.txt.

January 1, 2024 · 2 min · giordii

Shell's Revenge 2 — GIF Polyglot Webshell via LFI Include

Upload a GIF polyglot containing a PHP shell, then trigger its execution through a ?page= parameter that is vulnerable to local file inclusion and includes the uploaded file path.

January 1, 2024 · 2 min · giordii