Lovetok
Last updated
Last updated
The website:
We can see that the back-end gives time when we give a certian value to the format parameter:
We also have the code:
we can see that the input we give 'r' is directly going into the eval function:
So we need to inject code here somehow -> but how?
we can try different code payloads like:
${system($_GET[cmd])}&cmd=ls
${print(`ls`)}
to bypass the whitelist:
to bypass restriction for slashes read
and we get the flag: