YesWeHack ⠵ (@yeswehack):
Vulnerable Code Snippets Time 🥷 Level: Medium 🐝 This web application does not like dot dot slash! Try it out on GitHub: github.com/yeswehack/vuln… #BugBounty #YesWeRHackers Found the issue? Explain how in the comments! 👇 🎁 The best solution gets exclusive swag!
brendan (@bscarvell):
@yeswehack You can provide an absolute path. ?file=/etc/passwd
Budanthara (@budanthara):
@yeswehack There are several bugs, but I just highlighted those two functions related to preg_replace() and str_contains(). The regex inside the preg_replace() function only filters specific patterns -> "://" or "\\", and str_contains() only filters "../".
Yuval (@yuvalgal_):
@yeswehack Besides LFI using the methods already commented, there is a reflected XSS vuln. 'http://e.vil/p.html' will be filtered, but we can use the fact that filtering '://' is separate from '../' to construct 'http:..///e.vil/p.html', and file is a GET param, so we can send a bad link.
maggick (@maggick_fr):
@yeswehack LFI with bad user input sanitization. Assuming it is running on a GNU/Linux server, the payload `file=..%252f..%252f..%252fetc/passwd` should allow retrieving the file.
Avinash kumar (@Avinashkroy):
@yeswehack Although "../" is filtered recursively to prevent LFI, the preg_replace filter is NON-RECURSIVE and only filters groups of characters like (://) instead of single malicious characters. So ?file=/etc/hostname or ?file=file:://///etc/hostname bypasses the filter.
sh (@_shellehs_):
@yeswehack LFI by providing: http://127.0.0.1:5000/?file=file:/..///etc/passwd
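The replies above all exploit the same design flaw: the snippet strips or rejects specific substrings ("://", "\\", "../") instead of canonicalising the path and checking where it lands. The following PHP is an added example, not the YesWeHack challenge code, showing a loader that refuses every input class mentioned in the thread (absolute paths, "../" and its URL-encoded forms, scheme prefixes) without any pattern stripping; the base directory, the legitimate file name and the demo inputs are constructed assumptions.

```php
<?php
// Added example, not the YesWeHack challenge code: a hardened file loader that
// canonicalises the path and enforces containment instead of stripping patterns.
// The base directory, file names and inputs below are constructed assumptions.
declare(strict_types=1);

// Returns the canonical path to serve, or null when the request must be refused.
function resolveSafely(string $baseDir, string $userFile): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Refuse NUL bytes, percent signs and backslashes outright instead of
    // decoding or stripping them; a second decode is how %252f slips through.
    if (preg_match('/[\0%\\\\]/', $userFile)) {
        return null;
    }
    // Flat-directory policy: the name must contain no separator at all, which
    // rules out "/etc/...", "../x" and "file:..///" style prefixes.
    if ($userFile === '' || basename($userFile) !== $userFile) {
        return null;
    }
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $userFile);
    if ($resolved === false) {
        return null;           // file does not exist under the base directory
    }
    // Containment check on the canonical path, independent of the string checks
    // above (it is what catches a bare "." or ".." that basename() lets through).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

// Demo over the inputs quoted in the thread plus one legitimate name (constructed).
// 'index.html' is accepted only if that file actually exists under $base.
$base = __DIR__ . '/public';           // assumed document directory
foreach (['index.html', '/etc/passwd', '..%252f..%252fetc/passwd',
          'file:/..///etc/passwd', 'file:://///etc/hostname', '..'] as $in) {
    $verdict = resolveSafely($base, $in) === null ? 'reject' : 'accept';
    printf("%-28s %s\n", $in, $verdict);
}
```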