Had this on a recent engagement and thought I'd provide a cut-down version as a fun little CTF-like challenge.

As an attacker, you can invoke `pwnme()` and control the value of `$filename` via a web request.

You cannot control the contents of the file system that this code is running on. You don't have the ability to upload files.

How do you achieve command injection?

#php #challenge

@oj is it a PHP protocol wrapper like ftp, phar leading to an unserialize bug?
@mugu phar:// requires reading from the filesystem... which you don't control. What does ftp give ya?