September 03, 2017

pwnable.kr cmd2 solution

Daddy bought me a system command shell.
but he put some filters to prevent me from playing with it without the permission.
but I wanna play anytime I want!

This challenge lets you run a command, passed as "argv[1]", with the permissions of the "cmd2" user, so that you can read the flag. Every environment variable is cleared with "memset" before the command runs. In addition, the keywords "=", "PATH", "export", "/", "`" and "flag" are rejected if they appear anywhere in "argv[1]".

A soft link is needed because of the filtering (the "flag" keyword is prohibited, so the file has to be reached under another name).

I surrounded the whole argument with single quotes, because the invoking shell expands the contents of double quotes (command substitution, backslash escapes and so on) before the program ever sees them, and the expanded result may then be caught by the filter.

"echo" is a shell builtin command, so it is still available even though the PATH environment variable has been removed.

"\57" is an octal escape, which is the same character as "/". I wanted to use the hexadecimal form "\x2F" (= /), but the Bourne shell's echo cannot interpret it. The "system()" function runs its command through the Bourne shell internally (i.e. sh -c ~).
* ASCII table reference: [Link]

The contents of the single quotes are delivered to "system()", but the output of echo is just a string and is not executed by itself. To have it executed, it has to be placed in a command substitution. Normally that means back quotes, but I used $() because the back quote (`) is blocked.
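The root cause of this challenge is a substring blacklist applied to a string that is then handed to sh -c. The following C program is an added example written for this write-up; it is not the challenge's source and not pwnable.kr's code. The blacklist_filter function is a reconstruction of the keyword list described above, and the allowlist_filter function is a hypothetical hardening that accepts only characters the shell cannot reinterpret. The sample inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Substring blacklist modelled on the keyword list the write-up describes.
 * Returns the number of blocked keywords found (0 means the string passes).
 * Reconstructed for illustration; it is not the challenge's own source. */
int blacklist_filter(const char *cmd)
{
    static const char *blocked[] = { "=", "PATH", "export", "/", "`", "flag" };
    int hits = 0;
    for (size_t i = 0; i < sizeof blocked / sizeof blocked[0]; i++)
        if (strstr(cmd, blocked[i]) != NULL)
            hits++;
    return hits;
}

/* Hypothetical allowlist alternative (not from the page): accept only letters,
 * digits, space, '-' and '_'. Anything the shell could reinterpret (quotes,
 * backslash, '$', '(', ')', ';', '|', '&', '<', '>', '*', ...) is rejected,
 * so escape sequences and command substitution never reach sh -c.
 * Returns 1 if the string is acceptable, 0 otherwise. */
int allowlist_filter(const char *cmd)
{
    if (*cmd == '\0')
        return 0;
    for (const unsigned char *p = (const unsigned char *)cmd; *p; p++) {
        if (isalnum(*p) || *p == ' ' || *p == '-' || *p == '_')
            continue;
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed samples: the second one contains no literal '/', so the
     * blacklist passes it, even though sh's echo turns '\57' into '/'. */
    const char *samples[] = { "cat /flag", "echo '\\57'", "ls -l" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s blacklist hits=%d  allowlist ok=%d\n",
               samples[i], blacklist_filter(samples[i]),
               allowlist_filter(samples[i]));
    return 0;
}
```

The point of the comparison is that the blacklist reasons about the text it can see, while the shell reasons about what the text means after expansion; the two never agree for long. Even the allowlist is only a mitigation: the robust fix is not to pass user-controlled text to system() at all, but to execve a fixed program with an argument vector, so no shell is involved.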