PhpThumb.php SSRF/LFI

I initially found this issue on a bounty; however, it was marked out of scope on a third-party provider. It may be possible to turn this into an RCE. Since there was no payment, I had no reason to escalate. I’ll leave that up to whoever wants to find out.

Google Dork: inurl:/phpThumb/phpThumb.php?src=

Payload: phpThumb.php?src=file:///etc/passwd


You will see in the response “Unknown image type identified by ‘root’”. It’s reading the /etc/passwd file! However, since the error only displays the first four characters, we can’t read the whole file.

You can also tell it to load remote files by giving src a remote URL.
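The defender's side of the same issue, as an added example that is not part of the original post and not phpThumb's own code: the src parameter is only safe when it is a plain relative path to an image, so anything carrying a scheme (file:, http:, ...), an absolute path or a .. segment should be rejected server-side and flagged in the access log. The log lines below are constructed, the function names (classify_src, is_allowed, scan_log) are this example's own, and the fourth line shows why the check must decode the value before looking at it: a double-URL-encoded file:// is missed by a naive string match.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined-log style, not from the original post).
# Line 1 is a normal thumbnail request; lines 2-4 carry a src= value that phpThumb
# would treat as a stream wrapper or URL. Line 4 is double-URL-encoded.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /phpThumb/phpThumb.php?src=images/cat.jpg&w=200 HTTP/1.1" 200 5120
203.0.113.11 - - [01/Jan/2024:10:00:02 +0000] "GET /phpThumb/phpThumb.php?src=file:///etc/passwd HTTP/1.1" 200 312
203.0.113.12 - - [01/Jan/2024:10:00:03 +0000] "GET /phpThumb/phpThumb.php?src=http://example.invalid/x.png HTTP/1.1" 200 880
203.0.113.13 - - [01/Jan/2024:10:00:04 +0000] "GET /phpThumb/phpThumb.php?src=file%253A%252F%252F%252Fetc%252Fpasswd HTTP/1.1" 200 312
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Anything that starts like "scheme:" (file:, http:, ftp:, ...). A Windows drive
# letter ("C:") also matches, which is fine: it is not a relative path either.
SCHEME_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.\-]*:')

# Hypothetical allow-list of image extensions a thumbnailer should accept.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}


def classify_src(value: str) -> str:
    """Classify a raw src= value as 'empty', 'scheme', 'absolute', 'traversal' or 'relative'."""
    # Decode twice so double-encoded values are judged in their final form.
    v = unquote(unquote(value)).strip()
    if not v:
        return "empty"
    if SCHEME_RE.match(v):
        return "scheme"
    v = v.replace("\\", "/")
    if v.startswith("/"):
        return "absolute"
    if ".." in v.split("/"):
        return "traversal"
    return "relative"


def is_allowed(value: str) -> bool:
    """Server-side check: accept only relative paths ending in an allowed image extension."""
    if classify_src(value) != "relative":
        return False
    path = unquote(unquote(value)).strip()
    return os.path.splitext(path)[1].lower() in ALLOWED_EXT


def extract_src(target: str) -> Optional[str]:
    """Pull the src= parameter out of a request target, or None if absent."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)  # decodes once
    return params.get("src", [None])[0]


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, src_value, verdict) for phpThumb requests whose src is not a plain relative path."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or "phpthumb.php" not in m.group("target").lower():
            continue
        src = extract_src(m.group("target"))
        if src is None:
            continue
        verdict = classify_src(src)
        if verdict != "relative":
            findings.append((m.group("ip"), src, verdict))
    return findings


if __name__ == "__main__":
    for ip, src, verdict in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{verdict}\t{src}")
```

Run stand-alone it prints the three flagged requests; the same classify_src/is_allowed pair is what a wrapper around the thumbnailer would apply to the parameter before ever passing it to an image loader, so a rejected value never reaches code that understands stream wrappers.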
