-
Notifications
You must be signed in to change notification settings - Fork 21
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
53 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| An interesting thing about command injection is that you don't get to choose where in the command the injection occurs: the developer accidentally makes that choice for you when writing the program. | ||
| Sometimes, these injections occur in uncomfortable places. | ||
| Consider the following: | ||
|
|
||
| ```python | ||
| os.system(f"echo Hello '{word}'") | ||
| ``` | ||
|
|
||
| Here, the developer tried to convey to the shell that `word` should really be only one word. | ||
| The shell, when given arguments in single quotes, treats otherwise-special characters like `;`, `$`, and so on as just normal characters, until it hits the closing single quote (`'`). | ||
|
|
||
| This level gives you this scenario. | ||
| Can you bypass it? | ||
|
|
||
| ---- | ||
| **HINT:** | ||
| Keep in mind that there will be a `'` character right at the end of whatever you inject. | ||
| In the shell, all quotes must be matched with a partner, or the command is invalid. | ||
| Make sure to craft your injection so that the resulting command is valid! |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| #!/opt/pwn.college/python | ||
|
|
||
| import subprocess | ||
| import flask | ||
| import os | ||
|
|
||
| app = flask.Flask(__name__) | ||
|
|
||
| @app.route("/", methods=["GET", "POST"]) | ||
| def challenge(): | ||
| directory = flask.request.args.get("directory", "/challenge") | ||
| listing = subprocess.run( | ||
| f"ls -l '{directory}'", # the command to run | ||
| shell=True, # use the shell to run this command | ||
| stdout=subprocess.PIPE, # capture the standard output | ||
| stderr=subprocess.STDOUT, # 2>&1 | ||
| encoding="latin" # capture the resulting output as text | ||
| ).stdout | ||
|
|
||
| return f""" | ||
| <html><body> | ||
| Welcome to the dirlister service! Please choose a directory to list the files of: | ||
| <form><input type=text name=directory><input type=submit value=Submit></form> | ||
| <hr> | ||
| <b>Output of: ls -l '{directory}'</b><br> | ||
| <pre>{listing.replace("\n", "<br>")}</pre> | ||
| </body></html> | ||
| """ | ||
|
|
||
| app.secret_key = open("/flag").read().strip() | ||
| app.run("challenge.localhost", int(os.environ.get("HTTP_PORT", 80))) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters