Luca Puzzoni

aka k0d14k.

Lovetok (web)

by k0d14k

LoveTok is a web application written in PHP that tells you when you'll find love.

The prediction is an attribute of a TimeModel object created by a constructor that uses the format argument provided on the main page as a query parameter:

As we can see, the value of the format field is used in an eval instruction, so we have a sink for code injection.

If we try to exploit this vulnerability directly, we will notice that our payload has been escaped by the addslashes function (addslashes reference).

We can avoid this problem using the ${} syntax as explained in this article by CybersecStack.

Now we can use an old PHP trick to get around the string escaping by adding a new query parameter, as follows:

In this way we have full RCE, so we can run ls on the / directory to get the flag name and then cat the flag:
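The same sink and its fix, as an added illustration that is not code from the LoveTok challenge or from this writeup: the class names, method names and the random day offset are assumptions chosen only to show the pattern the writeup describes. The vulnerable class escapes the format with addslashes and still pushes it through eval, which is why quote escaping does not help against string interpolation; the hardened class drops eval entirely, passes the format to date() as a plain argument, and restricts it to documented format characters.

```php
<?php
// Added illustration (not the LoveTok source): class layout, method names
// and the random offset are assumptions made to show the pattern.

// Vulnerable pattern: the user-controlled format is escaped with addslashes()
// and then concatenated into PHP source that is handed to eval().
// addslashes() only neutralises quotes and backslashes; anything PHP
// interprets inside a double-quoted string without needing a quote, such as
// "${...}" interpolation, is still parsed as code.
class VulnerableTimeModel
{
    private string $format;
    private string $prediction;

    public function __construct(string $format)
    {
        $this->format = addslashes($format);
        $this->prediction = '+' . rand(1, 24) . ' day';   // assumed offset
    }

    public function getTime(): string
    {
        // eval() turns the request parameter into part of a PHP statement.
        eval('$time = date("' . $this->format . '", strtotime("' . $this->prediction . '"));');
        return $time;
    }
}

// Hardened version: no eval() at all. The format reaches date() as a plain
// value, so it is data rather than source code, and an allowlist limits it to
// characters that date() documents as format specifiers or harmless separators.
class SafeTimeModel
{
    private string $format;
    private string $prediction;

    public function __construct(string $format)
    {
        if (!preg_match('/^[A-Za-z0-9 :\\/\\-.,]{1,64}$/', $format)) {
            throw new InvalidArgumentException('unsupported date format');
        }
        $this->format = $format;
        $this->prediction = '+' . rand(1, 24) . ' day';   // assumed offset
    }

    public function getTime(): string
    {
        return date($this->format, strtotime($this->prediction));
    }
}

// Usage: an ordinary format renders normally, while the interpolation shape
// the writeup relies on is rejected before any formatting happens.
$safe = new SafeTimeModel('r');
echo $safe->getTime(), PHP_EOL;

try {
    new SafeTimeModel('${x}');   // "$", "{" and "}" are not format characters
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

addslashes is a defence against breaking out of a quoted string, not against what PHP does inside one: ${...} is interpolated within double-quoted source whether or not the surrounding quotes stay intact, so the only robust fix is to keep request data out of anything passed to eval, and preferably to avoid eval altogether. In code review, any eval whose argument is assembled by concatenation with request parameters is worth flagging on sight.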

Flag: HTB{wh3n_l0v3_g3ts_eval3d_sh3lls_st4rt_p0pp1ng}