This writeup describes a file security bypass vulnerability in File Thingie v2.5.5, in which an attacker can upload a text file containing PHP code and then rename it to a .php extension so that it executes. The exploit involves uploading a backdoored .inc file and a .txt file with PHP code to overwrite ft2.php.
Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: File Thingie v2.5.5
Auth required
Prerequisites: Access to File Thingie upload functionality · Ability to rename uploaded files