Vulnerability Development mailing list archives
Re: shell script cgi
From: Ed Schmollinger <schmolli () frozencrow org>
Date: Sun, 17 Nov 2002 08:58:00 -0600
On Sat, Nov 16, 2002 at 01:44:15AM -0800, Nick Jacobsen wrote:
> Have you considered including quote characters in the HTTP_USER_AGENT field? Like so:
>
> $HTTP_USER_AGENT = "" | cat "/etc/passwd"
>
> If you do this, the
>
> ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`
>
> string will come out looking like the following:
>
> ua=`echo "" | cat "/etc/passwd" | sed "s#\;##g"`
>
> All you are doing is terminating the echo text with a quote character, and then adding another quote character before the filename so that the command will be interpreted correctly... Let me know if this works, but it should...
That would require your string to be expanded twice, just like all the other examples that don't do anything bad. echo doesn't expand its arguments, and the shell only expands variables once.

It doesn't matter what you set $HTTP_USER_AGENT to. It's quoted. The worst that you can do with that code snippet is to pass a goofy looking value to sed via stdin.

If you're looking for something to exploit, look at how the variable $ua is used later on in the script.

--
Ed Schmollinger - schmolli () frozencrow org
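The single-expansion behaviour described in the reply above, as an added example that is not part of the original thread. The sample value is constructed (a harmless marker replaces the file read), and both "later use" functions are hypothetical, since the thread does not show how `$ua` is used further down the script.

```shell
#!/bin/sh
# Constructed sample, shaped like the value quoted in the thread.
# A harmless sed marker stands in for the file read.
SAMPLE='"" | sed s/^/INJECTED/'

# The line under discussion: the variable is double-quoted and expanded
# once, so its content reaches echo as one argument and sed as plain stdin.
strip_semicolons() {
    HTTP_USER_AGENT=$1
    ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`
    printf '%s' "$ua"
}

# Hypothetical later use that is safe: quoted, never re-parsed.
safe_later_use() {
    ua=$1
    printf '%s\n' "$ua"
}

# Hypothetical later use that is NOT safe: eval parses the value a second
# time, so the quotes and the pipe inside it become shell syntax.
unsafe_later_use() {
    ua=$1
    eval "echo $ua"
}

ua=$(strip_semicolons "$SAMPLE")
echo "after the sed line : $ua"
echo "quoted later use   : $(safe_later_use "$ua")"
echo "eval later use     : $(unsafe_later_use "$ua")"
```

When auditing a script like this, the places to check are every later use of `$ua`: unquoted expansions, `eval`, and strings handed to `sh -c` or similar.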