@Ciph3r00t
Created May 16, 2020 04:04
CTF-OOB-RCE Challenge Source Code
<title>Reservation App</title>
<center style="margin-top:30px;">
<?php
// VULLNERABILITY.COM - OOB RCE Challenge
// (Comments below describe the original behaviour as written; the logic is unchanged.)
if(!isset($_POST['name']) and !isset($_COOKIE['name'])){
    echo '
    Welcome! Please enter your name to reserve the best tables:
    <form style="margin-top:10px;" action="" method="post">
    <input type="text" placeholder="Your name..." name="name" required>
    <input type="submit" value=">>">
    </form>
    ';
}
else{
    // Blacklist filter: strips a fixed set of shell metacharacters. It is only applied to
    // values being written INTO cookies, never to values read back OUT of them.
    function clear($input){
        return str_replace(array("|", "&", "`", "$", "(", ")", ";", ">", "<", "'", '"', "?", "=", "/", "\\"), "", $input);
    }
    // The cookie takes precedence over the POST field, and $getname itself is used unfiltered
    // from here on; only the copy stored back into the cookie goes through clear().
    $getname = isset($_COOKIE['name']) ? $_COOKIE['name'] : (isset($_POST['name']) ? $_POST['name'] : 0);
    setcookie("name", clear($getname));
    if(isset($_GET['table']) or isset($_COOKIE['table'])){
        // Same pattern: the 'table' cookie wins over the query parameter and is not filtered.
        $tablename = isset($_COOKIE['table']) ? $_COOKIE['table'] : $_GET['table'];
        $price = ($tablename == "T-12") ? "80$" : "350$";
        if(!isset($_COOKIE['reserved'])){
            // Receipt code: first 15 hex chars of md5() over a constant plus rand().
            $receiptcode = substr(md5('not so important'.rand()), 0, 15);
            setcookie("receiptcode", $receiptcode);
        }else{
            // On repeat visits the code is taken from the client's cookie as-is.
            $receiptcode = $_COOKIE['receiptcode'];
        }
        $filename = $getname.'_'.$receiptcode.".txt";
        // Single-quoted string: '\n' stays a literal backslash-n, which is why echo -e is used below.
        $content = 'Reserved to: '.$getname.'\n\nTable: '.$tablename.'\n\nPrice: '.$price.'\n\nReceipt code: '.$receiptcode;
        if(isset($_GET['table']) && !isset($_COOKIE['reserved'])){
            setcookie("table", clear($_GET['table']));
            setcookie("reserved", "true");
            // $content and $filename are built from the unfiltered values above and
            // concatenated straight into a shell command; stdout goes to the receipt file,
            // which is what makes the command injection out-of-band.
            system('echo -e "'.$content.'" > receipts/'.$filename);
        }
        // Note: the link below omits the ".txt" extension that $filename carries.
        echo 'You have reserved the table <font color="green">'.$tablename.'</font> successfully.
        <br><br>Print this receipt to show to the waiter and pay cash in the cafe.
        <br><br><a href="receipts/'.$getname.'_'.$receiptcode.'">View receipt.</a>
        ';
}else{
echo 'Dear '.$getname.', which table would you like to reserve?
<style>
td, th {
border: 1px solid #dddddd;
padding: 3px;
}
tr:nth-child(even) {
background-color: #dddddd;
}
</style>
<table style="margin-top:20px;">
<tr>
<th>Table</th>
<th>Price</th>
<th>Description</th>
<th>Availability</th>
</tr>
<tr>
<td>T-12</td>
<td>80$</td>
<td>Classical table</td>
<td><a href="?table=T-12" style="color:green;"><center>Click to Reserve</center></a></td>
</tr>
<tr>
<td>T-25</td>
<td>80$</td>
<td>Classical table</td>
<td><center>Unavailable</center></td>
</tr>
<tr>
<td>T-26</td>
<td>110$</td>
<td>The table that has a fine view</td>
<td><center>Unavailable</center></td>
</tr>
<tr>
<td>T-42F</td>
<td>350$</td>
<td>The larger table that has a fine view</td>
<td><a href="?table=T-42F" style="color:green;"><center>Click to Reserve</center></a></td>
</tr>
</table>';
}
}
?>
</center>
<div style="font-size:14px;position:fixed;bottom:30px;">
Challenge: Read flag.txt, if you can :)<br>
Reward: 3-months PentesterLab subscription<br>
Expires: 15.05.2020 / 19:00 UTC
<br><br>
"Out-of-band Remote Command Execution"
<br><br>
Tips for every 20 likes: <a target="_blank" href="https://twitter.com/VULLNERAB1337/status/1260553788412301313">Twitter</a>
<br><br>
Solved the challenge? <a target="_blank" href="https://vullnerability.com/challenges">Submit solution.</a>
</div>
<div align="right" style="bottom:30px;"></div>
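For comparison, a hardened rewrite of the same reservation flow. This is an added example and not part of the challenge source or of vullnerability.com's code. It removes the shell call entirely (file_put_contents instead of system('echo -e ...')), whitelists the table name against the two reservable tables shown on the page, pattern-checks the name instead of blacklisting characters, generates the receipt code from the CSPRNG and re-validates it whenever it is read back from a cookie, and escapes everything echoed into HTML. The name pattern, the cookie options and the assumption that receipts/ exists and is writable by the web server are mine; the reserved state is only re-read from the cookie after validation, and a reservation is always driven by the query parameter rather than a client-supplied 'table' cookie. Assumes PHP 7.3 or newer for the setcookie() options array.

```php
<?php
// Hardened reservation flow (added example, not the challenge's own code).
declare(strict_types=1);

// Whitelist of reservable tables and prices, taken from the page's table (assumption: only these two).
const TABLES = [
    'T-12'  => 80,
    'T-42F' => 350,
];
const RECEIPT_DIR = __DIR__ . '/receipts';   // assumed to exist and be writable
const COOKIE_OPTS = ['httponly' => true, 'samesite' => 'Lax'];

// Allow-list the name: letters, digits, spaces, dots and hyphens, 1-32 chars (my choice of pattern).
// Anything else is rejected outright, so there is no blacklist to bypass and no '/' or '..' reaches a path.
function valid_name(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9][A-Za-z0-9 .\-]{0,31}\z/', $name);
}

// Receipt codes come from the CSPRNG, not md5(rand()), and are re-validated on every read.
function new_receipt_code(): string
{
    return bin2hex(random_bytes(8));   // 16 hex characters
}

function valid_receipt_code(string $code): bool
{
    return (bool) preg_match('/\A[0-9a-f]{16}\z/', $code);
}

// Write the receipt without a shell. Every path component has passed a check above,
// and the content is a normal double-quoted string, so no echo -e is needed.
function write_receipt(string $name, string $table, string $code): string
{
    if (!valid_name($name) || !isset(TABLES[$table]) || !valid_receipt_code($code)) {
        throw new InvalidArgumentException('invalid reservation data');
    }
    $content = "Reserved to: {$name}\n\nTable: {$table}\n\nPrice: " . TABLES[$table] . "$\n\nReceipt code: {$code}\n";
    $path = RECEIPT_DIR . '/' . $name . '_' . $code . '.txt';
    if (file_put_contents($path, $content, LOCK_EX) === false) {
        throw new RuntimeException('could not write receipt');
    }
    return $path;
}

// ---- request handling ----
$name = $_COOKIE['name'] ?? $_POST['name'] ?? '';
if (!valid_name($name)) {
    // First visit, or a tampered cookie: ask for the name again and stop.
    echo '<form action="" method="post"><input type="text" name="name" required>'
       . '<input type="submit" value=">>"></form>';
    exit;
}
setcookie('name', $name, COOKIE_OPTS);   // stored only after it passed valid_name()

$table = $_GET['table'] ?? '';
if (!isset(TABLES[$table])) {
    echo 'Dear ' . htmlspecialchars($name, ENT_QUOTES) . ', which table would you like to reserve?';
    foreach (TABLES as $t => $price) {
        echo '<br><a href="?table=' . rawurlencode($t) . '">' . htmlspecialchars($t, ENT_QUOTES)
           . ' (' . $price . '$)</a>';
    }
    exit;
}

// Reuse the existing receipt only if the client's cookie is well-formed; otherwise start over.
$code = $_COOKIE['receiptcode'] ?? '';
if (!isset($_COOKIE['reserved']) || !valid_receipt_code($code)) {
    $code = new_receipt_code();
    setcookie('receiptcode', $code, COOKIE_OPTS);
    setcookie('reserved', 'true', COOKIE_OPTS);
    write_receipt($name, $table, $code);
}

echo 'You have reserved the table <font color="green">' . htmlspecialchars($table, ENT_QUOTES)
   . '</font> successfully.<br><br><a href="receipts/'
   . rawurlencode($name . '_' . $code . '.txt') . '">View receipt.</a>';
```

The important structural difference from the original is where trust is placed: the original sanitises what it writes into a cookie but then uses the raw cookie value, so the filter protects nothing; here every cookie and parameter is validated at the point of use, and the only data that ever reaches the filesystem is either whitelisted, matched against a strict pattern, or generated server-side.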