LoveTok
True love is tough, and even harder to find. Once the sun has set, the lights close and the bell has rung... you find yourself licking your wounds and contemplating human existence. You wish to have somebody important in your life to share the experiences that come with it, the good and the bad. This is why we made LoveTok, the brand new service that accurately predicts in the threshold of milliseconds when love will come knockin' (at your door). Come and check it out, but don't try to cheat love because love cheats back. 💛
If we try to change the GET parameter manually we obtain different results:
If we inspect the code:
The function addslashes() returns a string with backslashes in front of predefined characters.
The predefined characters are:
single quote (')
double quote (")
backslash (\)
NULL
Here the vulnerable code is this single line:
Just like SQL injection, we should be able to close the quoted string and add our own code into the eval() as shown below. The highlighted part of the code is the value I could have supplied from my parameter to close the quote and make a system call, resulting in RCE:
Just remember that there is an addslashes() call that will sanitize our input, so we need another way around it. URL encoding will not work, because PHP decodes the $_GET values before the application runs addslashes() on them. I came across an interesting article on bypassing addslashes() using a complex variable. Basically, complex variable syntax makes use of:
double quotes (")
a $ variable inside them
{} braces (the curly syntax).
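As an added example (not the challenge's source; function names and the allow-list are assumptions), the pattern described above, addslashes() output concatenated into a double-quoted string inside eval(), beside a version that keeps user input out of eval() entirely:

```php
<?php
// Added illustration, not the challenge's code: a re-creation of the pattern
// described above next to a version that never turns input into code.
// Function and parameter names are assumptions.

// Hypothetical re-creation of the vulnerable pattern.
function predictVulnerable(string $format, string $prediction): string
{
    // addslashes() only escapes ' " \ and NUL. A "${...}" or "{$...}"
    // sequence survives untouched, and because the format ends up inside a
    // double-quoted PHP string, eval() interpolates it as code.
    $format = addslashes($format);
    $prediction = addslashes($prediction);
    $time = '';
    eval('$time = date("' . $format . '", strtotime("' . $prediction . '"));');
    return $time;
}

// Hardened: no eval(); the format is validated and then passed to date() as a
// plain argument, so interpolation syntax in it is never interpreted.
function predictSafe(string $format, string $prediction): string
{
    // Allow-list: date() format letters plus common separators only.
    if (!preg_match('/^[A-Za-z0-9 :\/.,\-]{1,40}$/', $format)) {
        throw new InvalidArgumentException('unsupported date format');
    }
    $timestamp = strtotime($prediction);
    if ($timestamp === false) {
        throw new InvalidArgumentException('unparseable prediction');
    }
    return date($format, $timestamp);
}

// Example use: take the format from the GET parameter, with a default.
$format = $_GET['format'] ?? 'Y-m-d H:i:s';
try {
    echo predictSafe($format, '+1 day'), PHP_EOL;
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad request: ', $e->getMessage(), PHP_EOL;
}
```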
First we can try to execute the phpinfo() function using complex variable syntax:
If we try to use the command we want to execute directly, we receive a blank page because addslashes() breaks the code by escaping the single quote:
We can see the prettified output in the page source (CTRL+U):
List the files under the root directory:
Print the contents of the flag: