<?php
// insecure.newploit.com :: landing + SSTI + CORS misconfig
// Every endpoint here is intentionally vulnerable.
// ---- CORS misconfig (intentional): reflect any Origin and allow credentials ----
// Echoing the request's Origin header back verbatim while also sending
// Access-Control-Allow-Credentials: true means a page on any origin can make
// credentialed cross-site requests to this host and read the responses. A real
// server compares the Origin against a fixed allowlist and only echoes a match;
// wildcard-style reflection must never be combined with credentials.
if (!empty($_SERVER['HTTP_ORIGIN'])) {
    $corsHeaders = [
        'Access-Control-Allow-Origin'      => $_SERVER['HTTP_ORIGIN'],
        'Access-Control-Allow-Credentials' => 'true',
        'Access-Control-Allow-Methods'     => 'GET, POST, PUT, DELETE, OPTIONS',
        'Access-Control-Allow-Headers'     => '*',
    ];
    foreach ($corsHeaders as $field => $value) {
        header($field . ': ' . $value);
    }
}
// Banner headers: fixed strings advertising exact component versions, i.e. a
// fingerprinting aid. Hardened deployments suppress or genericise both.
header("X-Powered-By: PHP/8.2.12");
header("Server: Apache/2.4.57 (Debian) OpenSSL/3.0.11");
// ---- Fake template engine: expands {{ expr }} placeholders inside the `name` param ----
/**
 * Render the lab's toy template language (the intentional SSTI of this page).
 *
 * Each `{{ expr }}` placeholder is replaced according to the first rule that matches:
 *   - `'text'|upper` or `"text"|upper`  -> strtoupper(text)
 *   - `'text'|lower` or `"text"|lower`  -> strtolower(text)
 *   - arithmetic built only from digits, whitespace and + - * / ( ) .  -> result of eval()
 *   - anything else                     -> empty string
 * Text outside the braces is passed through untouched.
 *
 * Security notes:
 *   - The math branch hands request-derived text to eval(). The character allowlist keeps
 *     it to arithmetic, but eval() on untrusted input is the pattern this lab exists to
 *     demonstrate; a production engine evaluates a parsed expression tree instead.
 *   - Parse errors and runtime errors raised inside eval() (division by zero, for one)
 *     are caught by the catch-all and the placeholder silently renders as "0".
 *   - Nothing here is HTML-escaped; whoever echoes the result must escape it.
 *
 * @param mixed $input raw template text; left untyped, so a non-string request value
 *                     reaches preg_replace_callback as-is (TODO confirm that is intended)
 * @return string|array|null rendered text, or null if PCRE reports an error
 */
function fake_render($input) {
    // Twig-style filters: pattern => transformation applied to the quoted text.
    $filters = [
        '/^[\'\"]([^\'\"]*)[\'\"]\s*\|\s*upper$/' => function ($text) { return strtoupper($text); },
        '/^[\'\"]([^\'\"]*)[\'\"]\s*\|\s*lower$/' => function ($text) { return strtolower($text); },
    ];
    // Jinja2-style math: only digits, whitespace, + - * / ( ) and '.' may appear.
    $arithmeticOnly = '/^[\d\s\+\-\*\/\(\)\.]+$/';

    $expand = function (array $match) use ($filters, $arithmeticOnly) {
        $expression = trim($match[1]);

        foreach ($filters as $pattern => $transform) {
            if (preg_match($pattern, $expression, $parts)) {
                return $transform($parts[1]);
            }
        }

        if (!preg_match($arithmeticOnly, $expression)) {
            // Unknown expression type: render as nothing.
            return '';
        }

        // eval() runs in this scope and assigns $result; any Throwable (ParseError,
        // DivisionByZeroError, ...) is swallowed so the placeholder degrades to "0".
        $result = 0;
        try {
            @eval('$result = ' . $expression . ';');
        } catch (\Throwable $ignored) {
        }
        return (string)$result;
    };

    return preg_replace_callback('/\{\{\s*(.+?)\s*\}\}/', $expand, $input);
}
// Template text is taken from the request with no validation, in this order of
// precedence: POST `name`, then GET `name`, then GET `q`; absent all three, "guest".
// The raw value goes straight into fake_render (the lab's SSTI sink).
$name = 'guest';
foreach ([[$_POST, 'name'], [$_GET, 'name'], [$_GET, 'q']] as [$bag, $key]) {
    if (isset($bag[$key])) {
        $name = $bag[$key];
        break;
    }
}
$rendered = fake_render($name);
?><!DOCTYPE html>
<html><head>
<title>Newploit :: insecure test lab</title>
<meta name="generator" content="Newploit CMS 1.2.0">
</head><body>
<h1>Welcome to insecure.newploit.com</h1>
<?php // $rendered is request-derived and echoed without htmlspecialchars(). fake_render only rewrites {{ }} placeholders, so any other text in `name` arrives here verbatim: a reflected-XSS sink in addition to the SSTI output. ?>
<p>Hello <?= $rendered ?>, this is the dev test box. Nothing to see here.</p>
<h2>Quick links</h2>
<ul>
<li><a href="/search.php?q=test">search</a></li>
<li><a href="/profile.php?id=1">profile</a></li>
<li><a href="/login.php">login</a></li>
<li><a href="/page.php?page=home">page viewer</a></li>
<li><a href="/fetch.php?url=https://example.com">link fetcher</a></li>
<li><a href="/redirect.php?url=https://google.com">redirect</a></li>
<li><a href="/api/auth.php">api auth</a></li>
<li><a href="/phpinfo.php">server info</a></li>
<li><a href="/admin/">admin</a></li>
<li><a href="/wp-login.php">blog login</a></li>
</ul>
<?php // Debug disclosure: the unrendered template string is written into an HTML comment. It is escaped (so `>` cannot close the comment), but it still reveals the processed input to anyone viewing the source. ?>
<!-- DEBUG: template=<?= htmlspecialchars($name) ?> -->
</body></html>