¸®´ª½º

 3916, 1/196 ȸ¿ø°¡ÀÔ  ·Î±×ÀΠ 
   ewqqw
   ¼Ò½º ºÐ¼® ºÎŹµå¸³´Ï´Ù.

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=4449 [º¹»ç]


ÀÌÁ¦ ¸· ¸®´ª½º¶û ÄÚµå ¹è¿ö°¡´Â »õ³»±â ÀÔ´Ï´Ù. ¤Ð¤Ð
#include <stdio.h>
#include <string.h>

int filter(char *cmd) {
        if (strstr(cmd, "f")) return 1;
        if (strstr(cmd, "sh")) return 1;
        if (strstr(cmd, "tmp")) return 1;
        return 0;
}

extern char **environ;
int main(int argc, char *argv[], char *envp[]) {
        char **p;

        printf("I am king the Godzo...\n");
        printf("I will let you execute a command again.\n");
        printf("However, I am much stronger than Tracer.\n");

        for (p=environ; *p; p++)
                memset(*p, 0, strlen(*p));

        putenv("PATH=/uri_mercy_gaemotham");

        if (filter(argv[1])) {
                printf("caught by filter!\n");
                return 0;
        }

        system(argv[1]);
        return 0;
}
  Hit : 4291     Date : 2017/03/10 12:29


    
ÇØÄð·¯ ÀÌ ¹®Á¦¸¦ Ç®ÀÌÇÏ·Á¸é Á÷Á¢ ½Ã½ºÅÛ¿¡¼­ ¸î°³ ºÁ¾ßÇÏ´Â°Ô À־ Ç®À̹ýÀº ¾Ë·Áµå¸®±â ¾î·Æ±¸¿ä
¾îÂ÷ÇÇ ¿äûÇÏ½Å°Ô ¼Ò½ººÐ¼®ÀÌ´Ï »ìÆ캸¸é
1. ȯ°æº¯¼ö¸¦ ¸ðµÎ »èÁ¦ÇÕ´Ï´Ù
2. PATH¿¡ /uri_mercy_gaemotham À» µî·ÏÇÕ´Ï´Ù. Áï ¿¹¸¦µé¾î cat flag.txt¸¦ Çϸé /uri_mercy_gaemotham/cat °¡ Á¸ÀçÇÏ´ÂÁö ã°Ô µË´Ï´Ù
3. ±× ÈÄ argv[1]À» ÀÎÀÚ·Î filter¸¦ ½ÇÇàÇϴµ¥, filterÇÔ¼ö¸¦ º¸¸é argv[1]¿¡ f³ª sh³ª tmp¶ó´Â ¹®ÀÚ¿­ÀÌ Á¸ÀçÇÏÁö ¾Ê¾Æ¾ß ÇÏ´Â °ÍÀ» ¾Ë ¼ö ÀÖ½À´Ï´Ù
4. ±× ÈÄ ÇÊÅ͸µÀ» Åë°úÇÑ argv[1]À» system()ÇÔ¼öÀÇ ÀÎÀÚ·Î ½ÇÇàÇÕ´Ï´Ù		 2017/03/10  
ewqqw ½ÇÇà½ÃÅ°´Ï±ñ Segmentation fault (core dumped)
°¡ ³ª¿À³×¿ä...		 2017/03/10  
ÇØÄð·¯ argv[1]À» ¾È³Ö°í ½ÇÇàÇÏ½Å°Ç ¾Æ´ÑÁö¿ä
argv[1]À̶õ°Ç ÇÁ·Î±×·¥ ½ÇÇàÈÄ¿¡ ÀÔ·ÂÇϴ°ÍÀÌ ¾Æ´Ï¶ó ÇÁ·Î±×·¥ ½ÇÇà°ú µ¿½Ã¿¡ ¼³Á¤ÇØÁÖ´Â °ÍÀÔ´Ï´Ù
cat text.txt¶ó´Â ¸í·É¿¡¼­´Â argv[0] = cat, argv[1] = test.txtÀÌ°í
ls -al À̶ó´Â ¸í·É¿¡¼­´Â argv[0] = ls. argv[1] = -al ÀÔ´Ï´Ù		 2017/03/11