PaulDotCom mailing list archives
escaping backticks
From: xxsegfaultxx at gmail.com (Dan King)
Date: Wed, 2 Jun 2010 10:42:53 -0400
I created the following script:

#!/bin/bash
QUERY_STRING=$1
cat /tmp/`echo $QUERY_STRING | sed "s/-//g"`.ext

Then I ran this from the command line:

sh test.sh `echo "blah">test.foo`

The file 'test.foo' was created as expected. I changed the script to look like this and it also wrote the file:

#!/bin/bash
QUERY_STRING="`echo "blah">test.foo`"
cat /tmp/`echo $QUERY_STRING | sed "s/-//g"`.ext

On Tue, Jun 1, 2010 at 5:03 PM, Robin Wood <robin at digininja.org> wrote:
> Earlier today I was asked if I could work out a way to get command injection through the code below. I couldn't work out a way to do it but hopefully (here's looking at you Ed) someone else can work something out.
>
> The vulnerable line is:
>
> cat /tmp/`echo $QUERY_STRING | sed "s/-//g"`.ext
>
> and I'm looking for command injection or a way to create a new file, as this is on a web server so I could create a web page shell script. I know that I've got the ability to read any file; I'm not after that.
>
> The obvious thing to do is to set $QUERY_STRING to something like
>
> x ; echo 'hi' > /www/hi.html
>
> but that doesn't work. I get:
>
> cat: x: No such file or directory
> cat: ;: No such file or directory
> cat: echo: No such file or directory
> cat: 'hi': No such file or directory
> cat: >: No such file or directory
> cat: /www/hi.html.ext: No such file or directory
>
> However, if I put the value of QUERY_STRING directly into the statement then it does work and the file is created. The fact that QUERY_STRING is a variable means it is treated differently than if the commands were just put inline.
>
> Any tips?
>
> Robin
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
--
I live in a world of cold steel and dungeons and mighty foes...
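The four behaviours discussed in this thread, reproduced side by side as an added example (this is editor-supplied code, not a script from Robin or Dan). It rebuilds Robin's vulnerable line against a scratch directory ($WORK, assumed to stand in for both /tmp and /www and to contain no '-' in its path, since the sed strips dashes) and reports, per case, whether a file gets written: the payload supplied through $QUERY_STRING, the same text pasted inline into the script, backticks on the caller's command line, and a '../' path. A hardened lookup (whitelist plus quoted, '--'-terminated path) is included for contrast; all function names are illustrative.

```sh
#!/bin/sh
# Added example, not code from the thread: reproduces the vulnerable line in a
# scratch directory and checks, case by case, which inputs create a file.
# Assumption: $WORK and $OUTSIDE contain no '-' (the sed would strip it).
WORK="${TMPDIR:-/tmp}/backtick_demo.$$"
OUTSIDE="$WORK.outside"

setup() {
    mkdir -p "$WORK" "$OUTSIDE"
    echo secret > "$OUTSIDE/notes.ext"   # constructed "any file" target
}
cleanup() { rm -rf "$WORK" "$OUTSIDE"; }

# Robin's line, verbatim apart from the directory. '|| true' only keeps a
# failing cat from aborting a caller that runs under 'set -e'.
vuln_lookup() {
    QUERY_STRING="$1"
    cat $WORK/`echo $QUERY_STRING | sed "s/-//g"`.ext 2>/dev/null || true
}

file_state() { if [ -e "$1" ]; then echo created; else echo absent; fi; }

# Case 1: payload in a variable. $QUERY_STRING expands after the command has
# been parsed, so ';' and '>' are plain characters in echo's output; cat then
# receives them as file names and nothing is written.
variable_injection() {
    setup; rm -f "$WORK/hi.html"
    vuln_lookup "x ; echo hi > $WORK/hi.html"
    file_state "$WORK/hi.html"
}

# Case 2: the same text in the script source. The parser now sees the
# operators inside the backticks and the redirection runs.
inline_injection() {
    setup; rm -f "$WORK/hi2.html"
    cat $WORK/`echo x ; echo hi > $WORK/hi2.html | sed "s/-//g"`.ext 2>/dev/null || true
    file_state "$WORK/hi2.html"
}

# Case 3: Dan's command line. The backticks are evaluated by the shell that
# invokes the script, before vuln_lookup ever sees its (empty) argument.
caller_backticks() {
    setup; rm -f "$WORK/test.foo"
    vuln_lookup `echo "blah" > $WORK/test.foo`
    file_state "$WORK/test.foo"
}

# Case 4: what the variable does control is the path. '../' walks out of
# the intended directory (Robin's "read any file").
arbitrary_read() {
    setup
    vuln_lookup "../$(basename "$OUTSIDE")/notes"
}

# Hardened form: whitelist the input and use a quoted, '--'-terminated path.
# No sed, so no command substitution to parse; the whitelist rejects '/',
# '.', whitespace and a leading '-' (no option parsing reachable either).
safe_lookup() {
    QUERY_STRING="$1"
    case "$QUERY_STRING" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    cat -- "$WORK/$QUERY_STRING.ext"
}

hardened_traversal() {
    setup
    if safe_lookup "../$(basename "$OUTSIDE")/notes"; then echo accepted; else echo rejected; fi
}

hardened_good() {
    setup; echo ok > "$WORK/page_1.ext"
    safe_lookup page_1
}

printf 'variable:  %s\n' "$(variable_injection)"
printf 'inline:    %s\n' "$(inline_injection)"
printf 'caller:    %s\n' "$(caller_backticks)"
printf 'traversal: %s\n' "$(arbitrary_read)"
printf 'hardened:  %s / %s\n' "$(hardened_traversal)" "$(hardened_good)"
cleanup
```

Run it with sh; it prints absent, created, created, secret and rejected / ok. The point for the web server in the thread is that the substitution output is only ever word-split and globbed, never re-parsed for operators, so the exposure through $QUERY_STRING is path control (traversal, several files per request, option-looking names), not command execution.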
Current thread:
- escaping backticks Robin Wood (Jun 01)
- escaping backticks Dan King (Jun 02)
- escaping backticks Robin Wood (Jun 02)
- escaping backticks Dan King (Jun 02)