『CTF Tricks』Ruby-利用File.open()执行shell命令
作者:互联网
文章目录
前言
测试环境为
- ruby 2.7.0p0 (2019-12-25 revision 647ee6f091) [x86_64-linux-gnu]
- Ubuntu 20.04.2 LTS
利用
file = '|whoami'
puts open(file).read() # ubuntu
puts open(file).gets # ubuntu
原理
查看核心文件Kernel.rb
,在2800行左右:
# open(path [, mode [, perm]] [, opt]) -> io or nil
# open(path [, mode [, perm]] [, opt]) {|io| block } -> obj
#
# Creates an IO object connected to the given stream, file, or subprocess.
# If +path+ starts with a pipe character (<code>"|"</code>), a subprocess is
# created, connected to the caller by a pair of pipes. The returned IO
# object may be used to write to the standard input and read from the
# standard output of this subprocess.
# === Examples
#
# Open a subprocess and read its output:
#
# cmd = open("|date")
# print cmd.gets
# cmd.close
#
# Produces:
#
# Wed Apr 9 08:56:31 CDT 2003
如果+path+以一个管道字符(
|
)开头,就会创建一个子进程,通过一对管道连接到调用者。 返回的IO对象可用于向该子进程的标准输入写入和从标准输出读取。
因此可以利用open函数的特性通过管道符执行shell
实战例题
完
欢迎在评论区留言
标签:shell,read,Ruby,Tricks,cmd,subprocess,file,path,open 来源: https://blog.csdn.net/Xxy605/article/details/120373095