<?php
// Phase 16 — CodeIgniter-style route, vulnerable.
// `$routes->get('run', 'UserController::run')` references the
// controller method whose body shells out without sanitisation.
namespace CodeIgniter\Router {
// Minimal stand-in for CodeIgniter's RouteCollection so the fixture loads
// without the framework installed. It deliberately carries no behaviour;
// NyxRoutes below supplies the one method the fixture needs.
class RouteCollection
{
}
}
namespace {
use CodeIgniter\Router\RouteCollection;
// Empty base class mirroring CodeIgniter's controller hierarchy, so that
// UserController "extends BaseController" reads like real application code.
class BaseController
{
}
/**
 * Route-collection shim that records the fixture's dispatch target.
 *
 * Mirrors the fluent `$routes->get()` call shape of CodeIgniter. Instead of
 * building a routing table it publishes a single dispatch closure under
 * $GLOBALS['__nyx_route'], which the test driver can invoke with a payload.
 */
class NyxRoutes extends RouteCollection
{
    /**
     * Register a "Class::method" handler and expose it as a callable.
     *
     * @param string $path     route path; accepted for call-shape parity, not stored
     * @param string $callable handler in "Class::method" form
     * @return $this so calls can be chained
     */
    public function get(string $path, string $callable)
    {
        // The closure resolves the handler lazily: split "Class::method",
        // build a fresh controller and forward the payload to the method.
        $dispatch = function (string $payload) use ($callable) {
            $parts = explode('::', $callable, 2);
            $className = $parts[0];
            $methodName = $parts[1];
            $instance = new $className();

            return $instance->{$methodName}($payload);
        };

        $GLOBALS['__nyx_route'] = $dispatch;

        return $this;
    }
}
// Register the single route under test. The literal
// `$routes->get('run', 'UserController::run')` is the reference the header
// comment points at; get() stores the dispatch closure in
// $GLOBALS['__nyx_route'] and returns $this.
$routes = new NyxRoutes();
$routes->get('run', 'UserController::run');
/**
 * Controller whose run() is the fixture's vulnerable sink.
 *
 * $payload is concatenated straight into a shell command string and handed
 * to shell_exec(), so any caller-controlled value that reaches run() becomes
 * part of the executed command (command injection). That is the intended
 * finding for this fixture; production code would pass the value through
 * escapeshellarg() or avoid spawning a shell altogether.
 */
class UserController extends BaseController
{
    // $payload is left untyped on purpose; the route closure in
    // NyxRoutes::get() declares it as string, so that is what arrives here.
    public function run($payload)
    {
        // Marker line, presumably consumed by the test harness to confirm
        // the sink was reached.
        echo "__NYX_SINK_HIT__\n";
        // Unescaped concatenation into a shell command: the pattern under test.
        $cmd = "echo hello " . $payload;
        $out = shell_exec($cmd);
        echo $out;
        return $out;
    }
}