
RootMe-Perl-Command-injection

A simple Perl code audit.

Retrieve the password stored in .passwd.

```perl
#!/usr/bin/perl

# Scrub the environment before anything else runs.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{'PATH'}='/bin:/usr/bin';

use strict;
use warnings;

main();

sub main {
    my ($file, $line) = @_;

    menu();
    prompt();

    # Each line read from STDIN is treated as a file name.
    while((my $file = <STDIN>)) {
        chomp $file;

        process_file($file);

        prompt();
    }
}

sub prompt {
    local $| = 1;
    print ">>> ";
}
sub menu {
    print "*************************\n";
    print "* Stat File Service *\n";
    print "*************************\n";
}

sub check_read_access {
    my $f = shift;
    if(-f $f) {
        my $filemode = (stat($f))[2];

        return ($filemode & 4);
    }

    return 0;
}

sub process_file {
    my $file = shift;
    my $line;
    my ($line_count, $char_count, $word_count) = (0,0,0);

    # The capture copies the whole line unchanged; nothing is validated.
    $file =~ /(.+)/;
    $file = $1;
    # Vulnerable: two-argument open() takes the mode from $file itself,
    # so a trailing "|" makes Perl run the string as a command.
    if(!open(F, $file)) {
        die "[-] Can't open $file: $!\n";
    }


    while(($line = <F>)) {
        $line_count++;
        $char_count += length $line;
        $word_count += scalar(split/\W+/, $line);
    }

    print "~~~ Statistics for \"$file\" ~~~\n";
    print "Lines: $line_count\n";
    print "Words: $word_count\n";
    print "Chars: $char_count\n";

    close F;
}
```

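In Perl's open() function, if a pipe character "|" is appended to the file name, Perl executes it as a command instead of opening it as a file. In this code, the file name passed to open() is entirely under our control, so we can simply run cat to read .passwd and solve the challenge.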
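The mitigation for this behaviour is the three-argument form of open(), which takes the mode as a separate argument so the file name is never parsed for pipe or redirection characters. The block below is an added example, not part of the challenge source; `process_file_safe` and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Hardened counterpart to process_file() (hypothetical name, added example).
# Returns a hashref of counts, or undef if the input is rejected.
sub process_file_safe {
    my ($file) = @_;

    # Three-argument open: the mode is fixed to '<', so '|', '>' or
    # surrounding whitespace in $file are just part of a file name.
    open(my $fh, '<', $file) or do {
        warn "[-] Can't open $file: $!\n";
        return;
    };

    # Test the opened handle rather than the path, so the check and the
    # open cannot refer to different objects.
    unless (-f $fh) {
        warn "[-] Not a regular file: $file\n";
        close $fh;
        return;
    }

    my %stats = (lines => 0, words => 0, chars => 0);
    while (my $line = <$fh>) {
        $stats{lines}++;
        $stats{chars} += length $line;
        # grep drops the empty leading field split can produce.
        my @words = grep { length } split /\W+/, $line;
        $stats{words} += @words;
    }
    close $fh;
    return \%stats;
}

# Constructed sample input: a temporary file with two lines.
my ($tmp_fh, $tmp_name) = tempfile(UNLINK => 1);
print {$tmp_fh} "hello world\nfoo bar baz\n";
close $tmp_fh;

my $ok = process_file_safe($tmp_name);
print "Lines: $ok->{lines} Words: $ok->{words} Chars: $ok->{chars}\n";

# Constructed input ending in '|': treated as a literal file name that
# does not exist, so open() fails and nothing is executed.
my $rejected = process_file_safe('echo injected |');
print defined $rejected ? "opened\n" : "rejected\n";
```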
