rain
SRC: https://library.m0unt41n.ch/challenges/rainPHP Templating libs kekw.
We are allowd to upload our own themes and even watch them. Main security feature is the saving of the files as strict html, so we cannot create a normal/typical malicious file upload... But the Tempalting lib is flawed, via the function argument we can just execute php code.
{function="file_get_contents('/flag.txt')"}
So We create a file called whatever with this payload as content, upload and view the target page... results into the flag printed..
Thank you php for being so amazing!
After analyzing the function_check function.. and the blacklist file_get_contents isnt even blacklisted so there was nothing to bypass. Stuff like Session, Server vars, exec etc. was blacklisted.
