浅浅谈一谈一题的perl的open函数#

给了源码，就是perl的审计，问题不大，很快看懂了

1
#!/usr/bin/perl
2

3
use strict;
4
use warnings;
5
use HTTP::Daemon;
6
use HTTP::Status;
7
use File::Spec;
8
use File::MimeInfo::Simple;  # cpan install File::MimeInfo::Simple
9
use File::Basename;
10
use CGI qw(escapeHTML);
11

12
my $webroot = "./files";
13

14
my $d = HTTP::Daemon->new(LocalAddr => '0.0.0.0', LocalPort => 8080, Reuse => 1) || die "Failed to start server: $!";
15

16
print "Server running at: ", $d->url, "\n";
17

18
while (my $c = $d->accept) {
19
    while (my $r = $c->get_request) {
20
        if ($r->method eq 'GET') {
21
            my $path = CGI::unescape($r->uri->path);
22
            $path =~ s|^/||;     # Remove leading slash
23
            $path ||= 'index.html';
24

25
            my $fullpath = File::Spec->catfile($webroot, $path);
26

27
            if ($fullpath =~ /\.\.|[,\`\)\(;&]|\|.*\|/) {
28
                $c->send_error(RC_BAD_REQUEST, "Invalid path");
29
                next;
30
            }
31

32
            if (-d $fullpath) {
33
                # Serve directory listing
34
                opendir(my $dh, $fullpath) or do {
35
                    $c->send_error(RC_FORBIDDEN, "Cannot open directory.");
36
                    next;
37
                };
38

39
                my @files = readdir($dh);
40
                closedir($dh);
41

42
                my $html = "<html><body><h1>Index of /$path</h1><ul>";
43
                foreach my $f (@files) {
44
                    next if $f =~ /^\./;  # Skip dotfiles
45
                    my $link = "$path/$f";
46
                    $link =~ s|//|/|g;
47
                    $html .= qq{<li><a href="/$link">} . escapeHTML($f) . "</a></li>";
48
                }
49
                $html .= "</ul></body></html>";
50

51
                my $resp = HTTP::Response->new(RC_OK);
52
                $resp->header("Content-Type" => "text/html");
53
                $resp->content($html);
54
                $c->send_response($resp);
55

56
            } else {
57
                open(my $fh, $fullpath) or do {
58
                    $c->send_error(RC_INTERNAL_SERVER_ERROR, "Could not open file.");
59
                    next;
60
                };
61
                binmode $fh;
62
                my $content = do { local $/; <$fh> };
63
                close $fh;
64

65
                my $mime = 'text/html';
66

67
                my $resp = HTTP::Response->new(RC_OK);
68
                $resp->header("Content-Type" => $mime);
69
                $resp->content($content);
70
                $c->send_response($resp);
71
            }
72
        } else {
73
            $c->send_error(RC_METHOD_NOT_ALLOWED);
74
        }
75
    }
76
    $c->close;
77
    undef($c);
78
}

解释一下，大致就是服务端捕获客户端请求，然后去进行一系列的过滤，最后去拼接的一个过程，这个过程没有什么命令执行啥的，但是，这里open有个特性，如果open后面有俩参数，而我们可以控制其中一个的时候，我们可以用管道符，就像open( my $a,$ kk)如果$kk后面跟|，那么就会被当成命令丢给shell，然后本来是要拼接./file/xxxx的，我们要使它是一个独立的命令，所以用换行符编码%0a,然后就