writeups2026tamu/POP-Restaurant-web-easy.md
2026-04-01 21:47:42 +02:00

POP Restaurant - web - easy

Description

Spent a week to create this food ordering system. Hope that it will not have any critical vulnerability in my application.


General

  • Flag is under /, e.g: /sXrq5wWZZYpMh_flag.txt
    • The file name is therefore not predictable - probably RCE needed?

Explanation of the attack vector: https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection

Compose

Place the compose file one directory level above the provided challenge folder.

Launch with docker compose up --watch.

services:
  web-pop_restaurant:
    build:
      context: ./challenge # if one level above provided challenge files. 
      dockerfile: Dockerfile
    container_name: web-pop_restaurant
    ports:
      - "1337:80"
    stdin_open: true
    tty: true
    develop:
      watch:
        - action: sync
          path: ./challenge/challenge
          target: /var/www/html
          ignore:
            - .git/
        - action: sync
          path: ./challenge/flag.txt
          target: /flag.txt

order.php

$order = unserialize(base64_decode($_POST['data']));

User-controlled input is passed, unsanitized, to unserialize().

That's bad :(
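
A hardened form of that line, as an added example (not the challenge's code): objects are never instantiated from the POST body, and only a plain array with expected fields is accepted. The function name decode_order and the fields "item" and "quantity" are assumptions, since the page does not show the order format.

```php
<?php
declare(strict_types=1);

// Added example. decode_order(), "item" and "quantity" are hypothetical names.
function decode_order(string $b64): array
{
    // Strict mode rejects input containing characters outside the base64 alphabet.
    $raw = base64_decode($b64, true);
    if ($raw === false || strlen($raw) > 4096) {
        throw new InvalidArgumentException('malformed order data');
    }

    // allowed_classes => false turns every serialized object into
    // __PHP_Incomplete_Class, so no application class is instantiated and
    // none of its magic methods (__wakeup, __destruct, ...) can run.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new InvalidArgumentException('order must be an array');
    }

    // Refuse payloads that carry an object anywhere inside the array.
    array_walk_recursive($value, function ($leaf): void {
        if (is_object($leaf)) {
            throw new InvalidArgumentException('objects are not accepted');
        }
    });

    // Allow-list the fields and their types instead of trusting the structure.
    $item = $value['item'] ?? null;
    $qty  = $value['quantity'] ?? null;
    if (!is_string($item) || !is_int($qty) || $qty < 1 || $qty > 20) {
        throw new InvalidArgumentException('unexpected order fields');
    }
    return ['item' => $item, 'quantity' => $qty];
}

// Constructed sample inputs: a plain array order, and an array holding an object.
$samples = [
    base64_encode(serialize(['item' => 'pizza', 'quantity' => 2])),
    base64_encode('a:1:{s:4:"item";O:8:"stdClass":0:{}}'),
];
foreach ($samples as $data) {
    try {
        var_dump(decode_order($data));
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Where the client can be changed as well, sending JSON and parsing it with json_decode() removes the object-instantiating parser from the request path altogether.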