# POP Restaurant - web - easy

## Description

Spent a week to create this food ordering system. Hope that it will not have any critical vulnerability in my application.

----

## General
- Flag is under `/`, e.g: `/sXrq5wWZZYpMh_flag.txt`
    - Therefore name is not predictable - probably RCE needed?
    - 

explanation of the attack vector
https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection


## Compose

Place one directory level above the provided challenge folder.

Launch with `docker compose up --watch`.

```yaml
services:
  web-pop_restaurant:
    build:
      context: ./challenge # if one level above provided challenge files. 
      dockerfile: Dockerfile
    container_name: web-pop_restaurant
    ports:
      - "1337:80"
    stdin_open: true
    tty: true
    develop:
      watch:
        - action: sync
          path: ./challenge/challenge
          target: /var/www/html
          ignore:
            - .git/
        - action: sync
          path: ./challenge/flag.txt
          target: /flag.txt
```

## `order.php`

```php=16
$order = unserialize(base64_decode($_POST['data']));
```

User controlled input, unsaitized, send to unserialize().

Thats bad :(