☑️SA

I started by looking at the different requests we can send with parameters, both POST and GET.

It seemed to get information about different files on the system, so I assumed it might be using the stat command and some other commands that take the filename as an argument. I tried many different injection techniques but failed.

Then I realized there is a move function used to move files into the /tmp directory. That's when it clicked. If we try to move a file that doesn't exist, we get a reply that the command mv failed, so obviously the application is running the mv command. The way mv works is that we first give it the source and then the destination. So all I had to do was inject my commands into the To= parameter in the query (it's a GET).
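The root cause described above is user-controlled file names being pasted into a shell command line. The following added example (not code from the original writeup or from the challenge) contrasts that pattern with a hardened move routine: an allow-list on both names, a containment check on the resolved paths, and `mv` invoked with an argv list so no shell parses the input. The `vulnerable_command` builder, the `/tmp` destination, the `SAFE_NAME` pattern and the `demo` helper are assumptions for illustration.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Allow-list for user-supplied file names: a plain basename with no path
# separators, no leading dash or dot, and no shell metacharacters (assumed policy).
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def vulnerable_command(src: str, dst: str) -> str:
    """Assumed shape of the injectable endpoint (not the challenge's real code):
    both parameters are interpolated into a shell string that is later handed to a
    shell, so metacharacters in either one are parsed as additional commands."""
    return f"mv {src} /tmp/{dst}"


def safe_move(src_name: str, dst_name: str, src_root: Path, dst_root: Path) -> Path:
    """Hardened version: validate both names, confine the resolved paths to their
    roots, and run mv with an argv list so the input is never shell-parsed."""
    for name in (src_name, dst_name):
        if not SAFE_NAME.fullmatch(name):
            raise ValueError(f"rejected file name: {name!r}")
    src_root = src_root.resolve()
    dst_root = dst_root.resolve()
    src = (src_root / src_name).resolve()
    dst = (dst_root / dst_name).resolve()
    # Containment: the resolved parent must be exactly the root, which also
    # catches symlinks that point outside the allowed directories.
    if src.parent != src_root or dst.parent != dst_root:
        raise ValueError("path escapes its root directory")
    if not src.is_file():
        raise FileNotFoundError(src)
    # argv list, no shell: mv receives the names as literal arguments and
    # "--" stops it from treating a name as an option.
    subprocess.run(["mv", "--", str(src), str(dst)], check=True)
    return dst


def demo() -> dict:
    """Exercise both paths on a constructed temp directory (demo helper, assumed)."""
    base = Path(tempfile.mkdtemp())
    src_root, dst_root = base / "uploads", base / "tmp"
    src_root.mkdir()
    dst_root.mkdir()
    (src_root / "report.txt").write_text("constructed sample content")
    moved = safe_move("report.txt", "archived.txt", src_root, dst_root)
    rejected = []
    for bad in ("../etc", "a;b", "x$(id)", "", "-rf"):
        try:
            safe_move("archived.txt", bad, dst_root, dst_root)
        except ValueError:
            rejected.append(bad)
    return {
        "naive_command": vulnerable_command("report.txt", "archived.txt"),
        "moved_to": moved,
        "moved_content": moved.read_text(),
        "source_gone": not (src_root / "report.txt").exists(),
        "rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check matters even with the allow-list: the regex keeps separators out, but resolving the path and comparing the parent to the root is what stops a planted symlink inside the upload directory from redirecting the move elsewhere.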
