WEBVERSE

Quotin

Foundational · Free

A two-person letterpress wedding-stationery studio offers a 'free monogram proof' upload feature. The PHP behind the form pipes the uploaded file into a shell command for processing — and the file's name flows into that command unquoted.

Tags: command-injection, rce, web
Stack: PHP, Apache, ImageMagick

The Scenario

Quotin is a two-person letterpress studio in rural Vermont. Iris sets the type. Tobias runs the 1958 Heidelberg Windmill. They take three commissions a month — wedding suites, save-the-dates, monogrammed envelopes, hand-numbered.

As a small handmade gift, the homepage offers any visitor a free preview proof: upload your monogram, get back a watermarked preview pressed into Crane's heaviest cotton stock. The feature was built by Iris on a quiet Sunday and works exactly the way she expected — except for one shell call she didn't think too hard about.

Lab Intel

Synopsis

Find what one bad shell call lets you do.

Architecture

A beginner-friendly PHP + Apache letterpress-studio site with a 'free proof' upload feature that backends to ImageMagick. The upload's filename flows into the shell call unquoted — straight cmd injection. No filters, no escapes, no exotic tricks.
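To make the shape of that one bad shell call concrete, here is an added illustration of the unsafe pattern beside a hardened handler. It is example code written for this page, not Quotin's actual source or WebVerse lab code; the function names, the directory arguments and the 5 MB limit are assumptions, and it assumes ImageMagick's `convert` is on the PATH and PHP 7.4 or later (for the array form of `proc_open`).

```php
<?php
// Added illustration (not Quotin's code). Names such as handleProofUpload()
// and the directory arguments are assumptions made for this example.
declare(strict_types=1);

// UNSAFE: the client-controlled filename is interpolated into a shell string,
// so whatever the shell treats specially in that name changes the command.
// This is the pattern the lab describes; do not ship it.
function unsafeProof(array $file): string
{
    $cmd = 'convert uploads/' . $file['name']
         . ' -resize 600x600 previews/' . $file['name'];
    return (string) shell_exec($cmd);
}

// HARDENED: the user-supplied name never reaches the shell, or the disk.
function handleProofUpload(array $file, string $uploadDir, string $previewDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > 5 * 1024 * 1024) {          // assumed limit
        throw new RuntimeException('File too large');
    }

    // Trust the bytes, not the client's filename or declared MIME type.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Unsupported image type');
    }

    // Server-generated name: the original filename is discarded entirely,
    // which also removes path traversal and overwrite concerns.
    $base = bin2hex(random_bytes(16));
    $src  = $uploadDir  . '/' . $base . '.' . $allowed[$mime];
    $dst  = $previewDir . '/' . $base . '.png';
    if (!move_uploaded_file($file['tmp_name'], $src)) {
        throw new RuntimeException('Could not store upload');
    }

    // proc_open with an argv array (PHP >= 7.4) executes the binary directly:
    // no shell parses the arguments, so metacharacters in any of them are inert.
    // The explicit "png:"/"jpg:" coder prefix stops ImageMagick from picking a
    // coder (and its delegates) from the file's content.
    $argv = [
        'convert',
        $allowed[$mime] . ':' . $src,
        '-resize', '600x600',
        'png:' . $dst,
    ];
    $spec  = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $pipes = [];
    $proc  = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('Could not start converter');
    }
    fclose($pipes[0] ?? null ?: fopen('php://memory', 'r'));
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);

    // Keep stderr server-side: echoing it to the client leaks the command
    // template. The user only ever sees a generic failure.
    if ($status !== 0) {
        error_log('convert failed (' . $status . '): ' . $stderr);
        @unlink($src);
        throw new RuntimeException('Preview generation failed');
    }
    return $dst;
}
```

If a shell string genuinely cannot be avoided, the minimum fix is wrapping every user-derived argument in `escapeshellarg()`, but dropping the shell altogether, as above, removes the whole class of bug rather than one escaping mistake. Note also that correct quoting only addresses the injection: the file itself is still parsed by ImageMagick, so a restrictive `policy.xml` (disabling unneeded coders and delegates) belongs alongside this handler.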

Who It's For

Newcomers comfortable with one or two injection labs who are ready to step from data sinks (SQLi) and filesystem sinks (LFI) up to OS-level sinks. The fourth WebVerse foundational, after Flower, Overdue, and Corridor.

Skills You'll Practice

  • Recognising the shape of CLI-shellout patterns in upload pipelines
  • Crafting a malicious filename for a multipart upload
  • Reading stderr leaks for the cmd template
  • Writing RCE output to a web-accessible directory for self-exfil

What You'll Gain

  • Vocabulary: command injection, RCE, shell metacharacter, exfil-by-write
  • A mental model that 'user input' includes upload filenames
  • Confidence with the iconic ImageTragick-class pattern that still ships in production today

Ready to hack Quotin?

This lab is free. Sign up and start hacking.