<?php
// Phase 16 — CodeIgniter-style route, intentionally vulnerable (OS command injection fixture).
// `$routes->get('run', 'UserController::run')` references the
// controller method whose body shells out without sanitisation.
namespace CodeIgniter\Router {
/**
 * Empty stand-in for CodeIgniter\Router\RouteCollection.
 *
 * Exists only so the fixture is self-contained; it declares none of the
 * framework's routing methods. NyxRoutes below supplies the one method the
 * fixture calls (get()).
 */
class RouteCollection
{
}
}
namespace {
use CodeIgniter\Router\RouteCollection;
/**
 * Empty stand-in for CodeIgniter's BaseController.
 *
 * Provides no request/response helpers; UserController extends it purely so
 * the fixture mirrors the shape of a real CodeIgniter controller.
 */
class BaseController
{
}
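class NyxRoutes extends RouteCollection
{
    /**
     * Register a GET route whose handler is given as a "Class::method" string.
     *
     * Fixture behaviour: instead of building a route table this stores a
     * dispatcher closure in `$GLOBALS['__nyx_route']`. Whoever invokes that
     * closure supplies the request payload, which is handed unmodified to the
     * controller method as its only argument — that is the taint source for
     * the controller sink. `$path` is accepted for API parity with
     * CodeIgniter's RouteCollection::get() but is not otherwise used here.
     *
     * The handler string comes from the route definition (developer
     * controlled), not from the request, so the dynamic `new $class()` /
     * `$controller->$method()` dispatch below is not itself attacker-reachable;
     * it is validated at registration so a malformed handler fails fast with a
     * clear message instead of an undefined-array-key warning followed by an
     * opaque Error at dispatch time.
     *
     * @param string $path     route path (unused by the fixture)
     * @param string $callable handler in "Class::method" form
     * @return static fluent return, as in CodeIgniter
     * @throws InvalidArgumentException when $callable is not "Class::method"
     */
    public function get(string $path, string $callable): static
    {
        // Both halves must be present and non-empty; `'::run'` or `'Foo::'`
        // would otherwise only blow up when the route is dispatched.
        $parts = explode('::', $callable, 2);
        if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
            throw new InvalidArgumentException(
                sprintf('Route handler must be "Class::method", got "%s"', $callable)
            );
        }
        [$class, $method] = $parts;

        // Resolution is deferred to dispatch time so controllers declared
        // later in the file (as UserController is) are available.
        $GLOBALS['__nyx_route'] = static function (string $payload) use ($class, $method) {
            $controller = new $class();
            return $controller->$method($payload);
        };

        return $this;
    }
}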
// Register the fixture's single route. get() returns $this, so the fluent
// form leaves $routes holding the same NyxRoutes instance the two-statement
// form would; the handler string names the controller declared below.
$routes = (new NyxRoutes())->get('run', 'UserController::run');
/**
 * Fixture controller: the route registered above dispatches the request
 * payload to run().
 *
 * This is the vulnerable endpoint the fixture exists to exhibit and is
 * deliberately left unfixed. Do not copy this pattern into real code.
 */
class UserController extends BaseController
{
    /**
     * Shells out with the request payload spliced into the command line.
     *
     * Taint path: $payload arrives unmodified from the dispatcher closure
     * stored by NyxRoutes::get() and is concatenated into $cmd with no
     * escaping or allow-listing, so any shell metacharacters it carries
     * (`;`, `|`, `&&`, `$(...)`, backticks) are interpreted by the shell —
     * OS command injection (CWE-78).
     *
     * Remediation outside the fixture: wrap the argument with
     * `escapeshellarg($payload)`, or avoid the shell entirely via array-form
     * proc_open() so the payload is only ever an argv element.
     *
     * @param mixed $payload attacker-controlled request data (untyped here;
     *        the dispatcher closure passes a string)
     * @return string|false|null shell_exec()'s result: command stdout, null
     *         when there is no output or an error occurred, false if the
     *         pipe could not be established
     */
    public function run($payload)
    {
        // Marker line, presumably matched by the test harness to confirm the
        // sink was reached.
        echo "__NYX_SINK_HIT__\n";

        // SINK: untrusted input concatenated straight into a shell command.
        $cmd = "echo hello " . $payload;

        $out = shell_exec($cmd);

        // Output is echoed as well as returned (null/false echo as "").
        echo $out;

        return $out;
    }
}
}