From a13ba8110f9475e6070aefaf8a7af1ae0b40e659 Mon Sep 17 00:00:00 2001 From: Jerit3787 Date: Sun, 17 Dec 2023 03:20:30 +0800 Subject: [PATCH] Code: Fix a bit typo --- _posts/2023-12-17-wargamesmy-2023-writeup.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_posts/2023-12-17-wargamesmy-2023-writeup.md b/_posts/2023-12-17-wargamesmy-2023-writeup.md index 7531e09..23e39ae 100644 --- a/_posts/2023-12-17-wargamesmy-2023-writeup.md +++ b/_posts/2023-12-17-wargamesmy-2023-writeup.md @@ -47,7 +47,7 @@ I've launched Burp Suite and started analysis the backend. ![](/assets/img/posts/image2.png) -From the response, we can take a look at its PHP version `7.4.21`. Since, there is no way to do LDF (Local Directory Inclusion), I've searched the internet if we could see a bug in this version. Suprisingly, I've found one that allows us to obtain server code here. +From the response, we can take a look at its PHP version `7.4.21`. Since, there is no way to do LFI (Local File Inclusion), I've searched the internet if we could see a bug in this version. Suprisingly, I've found one that allows us to obtain server code here. Based from the web "[https://blog.projectdiscovery.io/php-http-server-source-disclosure/](https://blog.projectdiscovery.io/php-http-server-source-disclosure/)", you can manipulate the internal server code to force publish the php code. This bug is fixed on later releases `PHP 7.4.22+`. 
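Review bot: the changed line still carries typos that a "fix typo" commit should sweep up at the same time: "Suprisingly" should read "Surprisingly", and "Since, there is no way" has a stray comma after "Since". Suggest folding both into this hunk, e.g. `Since there is no way to do LFI (Local File Inclusion), I've searched the internet ... Surprisingly, I've found one that allows us to obtain server code here.` The LDF to LFI correction itself is right: "Local Directory Inclusion" is not a standard term, and LFI is the class the surrounding paragraph is actually discussing before it falls back to the PHP built-in server source-disclosure bug.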
@@ -135,7 +135,7 @@ $flag="flag{fakeflag_dontsubmit}"; This is where is my mistake, I first thought that the flag is generated on the server then replacing this fake flag. So, I've completed on passing every check only to know that I've obtained again the fake flag (not written here tho). From here, I've proceed on bypassing everything on the `index.php` file. -Apart from that, other interesting here is the `echo $_POST['func']($value);`. This line shows that we could inject a function and run server-side code from here. Plus, we don't need to search ways to get it to output the code since `echo` is here which causes us to find a PHP code that can give direct output. But, there is a check in place for the `func` attribute. +Apart from that, other interesting here is the `echo $_POST['func']($value);`. This line shows that we could achieve RCE (Remove Code Execution) and run server-side code from here. Plus, we don't need to search ways to get it to output the code since `echo` is here which causes us to find a PHP code that can give direct output. But, there is a check in place for the `func` attribute. `if(in_array($_REQUEST['func'], ['is_string','is_null','is_numeric']))`
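Review bot: the new wording in this hunk introduces a fresh typo while fixing the old one: "RCE (Remove Code Execution)" should be "RCE (Remote Code Execution)", so please correct that before merge. On the same line, "other interesting here is" reads better as "another interesting thing here is". Worth one extra sentence in the write-up as well: the call `echo $_POST['func']($value);` takes the function name from `$_POST`, while the allowlist `if(in_array($_REQUEST['func'], ['is_string','is_null','is_numeric']))` reads from `$_REQUEST` and uses `in_array` without the strict flag; the text says "there is a check in place" but does not say whether that source mismatch or the loose comparison plays any part in the bypass that follows, and a reader will wonder.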