Server-side security war games: Part 16

This is the last level. We’re challenged with an improved version of level 9 – they’ve added additional “sanitation” to keep us out.

    if(preg_match('/[;|&`\'"]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i \"$key\" dictionary.txt");
    }
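The character filter above still hands user input to a shell. As an added example (not part of the original post or the wargame's source), here are two ways to run the same dictionary search without a shell ever parsing `$key`. The function names and the sample word list are assumptions; the second variant needs PHP 7.4 or later and matches fixed strings rather than grep regular expressions.

```php
<?php
// Added example: hypothetical function names, constructed sample data.

// Variant 1: no external command. Case-insensitive substring search in PHP.
function search_dictionary(string $key, string $path = 'dictionary.txt'): array
{
    if ($key === '' || strlen($key) > 64) {   // length limit is an assumption
        return [];
    }
    $fh = fopen($path, 'r');
    if ($fh === false) {
        return [];
    }
    $matches = [];
    while (($line = fgets($fh)) !== false) {
        $word = rtrim($line, "\r\n");
        if (stripos($word, $key) !== false) {
            $matches[] = $word;
        }
    }
    fclose($fh);
    return $matches;
}

// Variant 2: grep is still used, but the arguments are passed as an array,
// so PHP executes grep directly and no shell interprets the input.
// -F treats the key as a literal string; "--" ends option parsing so a key
// starting with "-" cannot be read as a grep option.
function grep_dictionary(string $key, string $path = 'dictionary.txt'): string
{
    $argv = ['grep', '-i', '-F', '--', $key, $path];
    $proc = proc_open($argv, [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return '';
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Constructed sample word list standing in for dictionary.txt.
$tmp = tempnam(sys_get_temp_dir(), 'dict');
file_put_contents($tmp, "apple\nApplication\nbanana\n");
$key = 'app';   // in the page's code this value comes from the request
foreach (search_dictionary($key, $tmp) as $word) {
    echo htmlspecialchars($word), "\n";   // encode before writing into HTML
}
echo htmlspecialchars(grep_dictionary($key, $tmp));
unlink($tmp);
```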

Server-side security war games: Part 10

Welcome to level 10. “For security reasons, we now filter on certain characters” – okay, they’ve gotten wise to our little game. But let’s check how good their countermeasures are.

Well, they don’t allow us to use the semicolon or ampersand any longer. Well, that’s not a problem; I know other ways to manhandle that command into doing what I want.

Server-side security war games: Part 9

In level 9, the “Input secret” form is replaced by one that looks like it is searching for words containing the string you provide. Give it a try, and then look at the code.

Well, this is just grepping through a wordlist, using the POSTed needle as a parameter. Since we control the value of that POSTed variable, we can control the command that gets executed. Now we need to figure out how to use that to our advantage.