Commit eac96f9

Update solution.md
1 parent 81dedc6 commit eac96f9

1 file changed: +17 −0 lines
tamuctf2018/shell-plugin/solution.md

Lines changed: 17 additions & 0 deletions
@@ -4,3 +4,20 @@
44
55
>In order to make this a reality I wrote this cool plugin for CTFd to automatically create an account when they register for the competition.
66
One of the students claims that they can get a root shell on my server though. Can you figure out what happened and fix the issue for me?
7+
8+
Code suffers from command injection. Added a fuction to escape quotes and modified the add-user and change-user-pass system calls.
9+
10+
Changes:
11+
12+
```
13+
14+
16 + def shellquote(s):
15+
17 + return "'" + s.replace("'", "'\\''") + "'"
16+
18 +
17+
17 - os.system("./add-user.sh " + name + " " + password)
18+
20 + os.system("./add-user.sh " + shellquote(name) + " " + shellquote(password))
19+
20 - os.system("./change-user-pass.sh " + name + " " + password)
20+
23 + os.system("./change-user-pass.sh " + shellquote(name) + " " + shellquote(password))
21+
```
22+
23+
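Review bot: the `shellquote` fix shown in the nested diff (the `16 +`/`17 +` definition and the two replaced `os.system` calls) still hands user-controlled `name` and `password` to a shell, so the whole defence rests on the quoting being exactly right; the more robust fix is to drop the shell entirely and pass the arguments as a list, e.g. `subprocess.run(["./add-user.sh", name, password])` and likewise for `change-user-pass.sh`, which removes the injection class rather than escaping around it. The single-quote wrapping with `'\\''` is correct for POSIX sh, but it only protects the Python side: what `add-user.sh` and `change-user-pass.sh` do with their arguments is not visible in this diff and must be checked as well. Two smaller points: passing the password as a command-line argument exposes it in the process list to every local user while the script runs, and in the prose `fuction` should read `function`; the embedded fence could also carry a `diff` language tag so the `+`/`-` lines render as a diff.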

0 commit comments