Hey people,
Sebastian has another (tricky) challenge for you :)
I found this code in a popular piece of open source software. AFAIK, this shouldn't be vulnerable to LFI, but you're here to prove me wrong ;)
If you discover an issue, you'll be credited properly after responsible disclosure.
#The Code
Again, it's PHP and the code looks like this:
```
> cat index.php
<?php
// The opening lines of this file were lost in the page's copy (everything up to
// the first '>' was stripped); they are reconstructed here from the else branch
// and the demo output below.
$class = $_REQUEST['class'];
if(class_exists($class)) {
    echo "Class exists.\n";
    $foo = new $class($_REQUEST);
} else {
    echo "Class does not exist.\n";
}
function __autoload($class) {
    // map the requested class name onto a file below ./classes/
    $filename = str_replace('_','/', strtolower(basename($class)));
    $filepath = dirname(__FILE__) . "/classes/$filename.php";
    echo "Checking... " . $filepath . "\n";
    if(file_exists($filepath)) {
        echo "Loading..." . $filepath . "\n";
        require $filepath;
    }
}
```
Note that `__autoload()` is deprecated since PHP 7.2 and removed in PHP 8.0; to reproduce the demo on a current PHP you have to register the function with `spl_autoload_register()` instead.
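To reason about which file the autoloader will end up passing to `require`, here is an added stand-alone harness (not part of the challenge code or the original post) that reproduces the class-name-to-path mapping from `__autoload()` as a pure function and feeds it a few constructed inputs. The base directory and the sample class names are placeholders chosen for illustration.

```php
<?php
// Added example: reproduces the path mapping of the challenge's __autoload()
// as a pure function so it can be inspected without a web server.
// $baseDir stands in for dirname(__FILE__) and is a placeholder.

function classToPath(string $class, string $baseDir): string
{
    // Same three steps as the challenge code, in the same order:
    // 1. basename() drops any directory component of the raw class name,
    // 2. strtolower() normalises case,
    // 3. str_replace() turns every '_' into a directory separator.
    // Step 3 runs after step 1, so separators produced by the underscore
    // replacement are never seen by basename(). A ".php" suffix is always
    // appended, whatever the input looked like.
    $filename = str_replace('_', '/', strtolower(basename($class)));
    return $baseDir . "/classes/$filename.php";
}

// Constructed sample inputs (not from the original post).
$baseDir = '/var/www/challenges/php-2';
$samples = [
    'Hacked',                // the legitimate class from the demo
    'Foo_Bar',               // PEAR-style name -> nested directory foo/bar.php
    '../../etc/Hacked',      // literal slashes: basename() strips them off
    '.._.._.._etc_passwd',   // no slashes, so basename() leaves it intact and
                             // the replacement introduces them afterwards
];

foreach ($samples as $class) {
    printf("%-24s -> %s\n", $class, classToPath($class, $baseDir));
}
```

Run it with `php harness.php` and compare the last two lines: the order of `basename()` and `str_replace()` and the fixed `.php` suffix are the two properties a solver has to reason about. Whether `class_exists()` on the target PHP version actually hands such a name to the autoloader is left to you, which is the point of the challenge.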
```
> cat classes/hacked.php
<?php
// Opening lines reconstructed: the page's copy lost everything up to the first '>'.
class Hacked {
    public function __construct() {
        $this->hack();
    }
    public function hack() {
        echo 'Hacked';
        // do evil stuff ;)
    }
}
?>
```
You can download the code here:
Demo: http://challenges.internetwache.org/php-lfi.tgz
```
> curl "http://challenges.me/php-2/index.php?class=Hacked"
Checking... /var/www/challenges/php-2/classes/hacked.php
Loading.../var/www/challenges/php-2/classes/hacked.php
Class exists.
Hacked
```
#Your task
- Prove me wrong by showing that this is exploitable (e.g. LFI/RCE)
#Hall of Fame/Credits
- Be the first!
#Contact
- Like always via twitter @internetwache
Happy hacking ;)