Realist

Monday 9 May 2016, 23:57  #1
Realist CMSimple
n1b1ru
  • 5 posts

Simply desperate. I found CVE-2008-2650 but I cannot exploit it.

I tried a null byte and get Language file ./cmsimple/languages/../../../../******%00 is missing

Finally, if I delete the null byte I get a blank page; obviously the full path is OK, but it is not the expected response.

Any suggestions about that?

Monday 13 March 2017, 18:11  #2
jan
  • 5 posts

Hi everyone,
I’m new and not very experienced.
I can reproduce the challenge locally (I downloaded the same vulnerable CMS version).
The only difference is nginx as opposed to the apache2 installed locally.
Can I write to anyone to explain the steps I took for the exploitation?

I can’t figure out why it works locally, but not here.

Thank you for your support.

Tuesday 14 March 2017, 13:59  #3
jan
  • 5 posts

It was very simple,
just to figure out how to think.
Pure LFI, no more.

Friday 21 July 2017, 19:49  #4
nibblesbites
  • 2 posts

I am quite lost here too. It looks like the null byte is not working.
For example, this file exists (it is empty but it is a 200 OK, not a 404): http://challenge01.root-me.org/realiste/ch6/cmsimple/log.txt

However, this: http://challenge01.root-me.org/realiste/ch6/index.php?sl=../log.txt%00
returns: Language file ./cmsimple/languages/../log.txt.php missing

I can include PHP files though, but I cannot figure out how to extract information from them; for some reason I cannot "view", "upload" or "download".

Monday 17 September 2018, 15:02  #5
bramp
  • 4 posts

I’ve been going over this challenge for hours now. I’ve discovered how I can execute "admin-functions", but I only get 0-byte responses with 200-ok.
Even if I say view or edit a file or something, I don’t get anything in the response-body.

Any help?

Monday 17 September 2018, 21:39  #6
Th1b4ud
  • 1636 posts

Yes, you don’t have the right arguments. Search harder ;)