mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
42 lines
1.1 KiB
PHP
42 lines
1.1 KiB
PHP
<?php
|
|
// Phase 16 — Laravel-style route, vulnerable.
|
|
// `Route::get('/run', 'UserController@run')` references the
|
|
// controller method whose body shells out without sanitisation.
|
|
|
|
namespace Illuminate\Support\Facades {
|
|
class Route
|
|
{
|
|
public static function get(string $path, string $callable)
|
|
{
|
|
$GLOBALS['__nyx_route'] = function (string $payload) use ($callable) {
|
|
[$class, $method] = preg_split('/@|::/', $callable);
|
|
$controller = new $class();
|
|
return $controller->$method($payload);
|
|
};
|
|
return new class {
|
|
public function middleware($value)
|
|
{
|
|
return $this;
|
|
}
|
|
};
|
|
}
|
|
}
|
|
}
|
|
|
|
namespace {
|
|
use Illuminate\Support\Facades\Route;
|
|
|
|
Route::get('/run', 'UserController@run');
|
|
|
|
class UserController
|
|
{
|
|
public function run($payload)
|
|
{
|
|
echo "__NYX_SINK_HIT__\n";
|
|
$cmd = "echo hello " . $payload;
|
|
$out = shell_exec($cmd);
|
|
echo $out;
|
|
return $out;
|
|
}
|
|
}
|
|
}
|