Update README.mdx
nuoxoxo authored Nov 23, 2024
1 parent a8efae6 commit 8c51edf
Showing 1 changed file with 7 additions and 7 deletions.
14 changes: 7 additions & 7 deletions level12/README.mdx
Expand Up @@ -27,8 +27,7 @@ sub t {
$xx =~ tr/a-z/A-Z/; 🟡 `tr` all lowercase alpha to caps
$xx =~ s/\s.*//; 🟡 `sub` all whitespaces w/ nothing
🔵 Vulnerability -Backtick Injection:
exploits enclosed shell command execution
🔵 Vulnerability - Backtick Injection
@output = `egrep "^$xx" /tmp/xd 2>&1`;
foreach $line (@output) {
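Review bot: the annotation kept on the `s/\s.*//` line ("`sub` all whitespaces w/ nothing") does not match the pattern. `\s.*` matches from the first whitespace character to the end of the string, so everything after the first whitespace is cut, not only the whitespace; suggest rewording it to something like "drop everything from the first whitespace on". Separately, with "exploits enclosed shell command execution" removed, the "Vulnerability - Backtick Injection" label has no explanation left next to it. A one-line replacement saying that `$xx` is interpolated into the backtick-quoted `egrep "^$xx" /tmp/xd 2>&1` string, which Perl passes to a shell, would keep the reason beside the line it describes.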
Expand All @@ -52,11 +51,12 @@ n(t(param("x"), param("y")));
```

Solution
- Backtick command injection ``` `/*/C` ```
- gets executed by PERL right away
- But why still fake an ALLCAPS filename?
- bc. program runs fast: `tr` and the `=~` pattern matching run at almost simultaneously
- to avoid asynchronicity , we ___delay___ the script a little
- Create a file: ``` `/*/C` ``` which contains a getflag command
- The setuid `.pl` script executes a backticks-enclosed expression
- Why still fake an ALLCAPS filename?
- bc. the program runs fast
- `tr` and `=~` pattern matching run at almost simultaneously
- to avoid asynchronicit , we ___delay___ the script a little

```b
> echo "getflag > /tmp/tmp" > /tmp/C
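Review bot: the bullets under "Why still fake an ALLCAPS filename?" give a timing reason ("the program runs fast", "`tr` and `=~` pattern matching run at almost simultaneously", "we ___delay___ the script a little"), but the first hunk shows `$xx =~ tr/a-z/A-Z/;` and `$xx =~ s/\s.*//;` as ordinary sequential statements that finish before the `egrep` backticks run, so there is nothing asynchronous to delay. The reason visible in the code is that `tr/a-z/A-Z/` uppercases the parameter before it reaches the shell, which is why the file is `/tmp/C`; suggest replacing the three timing bullets with that. Also in this hunk: "Create a file: /*/C" reads as if the file were named "/*/C", while the command below writes `/tmp/C`, so name the file and the wildcard path separately; the new line has the typo "asynchronicit"; and "run at almost simultaneously" has a stray "at".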