PaulDotCom mailing list archives

escaping backticks


From: robin at digininja.org (Robin Wood)
Date: Wed, 2 Jun 2010 16:52:05 +0100

On 2 June 2010 15:42, Dan King <xxsegfaultxx at gmail.com> wrote:
I created the following script:

#!/bin/bash
QUERY_STRING=$1
cat /tmp/`echo $QUERY_STRING | sed "s/-//g"`.ext

Then I ran this from the command line:

sh test.sh `echo "blah">test.foo`

The file 'test.foo' was created as expected. I changed the script to look
like this and it also wrote the file:

#!/bin/bash
QUERY_STRING="`echo "blah">test.foo`"
cat /tmp/`echo $QUERY_STRING | sed "s/-//g"`.ext

So wrapping the command I want to run in backticks lets it run. Just
did the test and agree that works. Thanks, I'll remember that for next
time.

Robin




On Tue, Jun 1, 2010 at 5:03 PM, Robin Wood <robin at digininja.org> wrote:

Earlier today I was asked if I could work out a way to get command
injection through the code below. I couldn't work out a way to do it
but hopefully (here's looking at you Ed) someone else can work
something out.

The vulnerable line is:

cat /tmp/`echo $QUERY_STRING | sed "s/-//g"`.ext

and I'm looking for command injection or a way to create a new file as
this is on a web server so I could create a web page shell script. I
know that I've got the ability to read any file, I'm not after that.

The obvious thing to do is to set $QUERY_STRING to something like

x ; echo 'hi' > /www/hi.html

but that doesn't work. I get

cat: x: No such file or directory
cat: ;: No such file or directory
cat: echo: No such file or directory
cat: 'hi': No such file or directory
cat: >: No such file or directory
cat: /www/hi.html.ext: No such file or directory

however if I put the value of QUERY_STRING directly into the statement
then it does work and the file is created. The fact that QUERY_STRING
is a variable means it is treated differently than if the commands
were just put inline.

Any tips?

Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com



--
I live in a world of cold steel and dungeons and mighty foes...

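An added example, not code from the thread above: the line under discussion run in a scratch directory, fed the two payloads the thread talks about plus the one that does work. BASE stands in for /tmp, and the file names, the payloads and the safe_lookup function are constructed for illustration. What it shows is how bash treats the value of $QUERY_STRING: the output of the backtick substitution is word-split and globbed but never re-parsed, so ';', '>' and even backticks inside the value reach cat as ordinary arguments, while word splitting still glues "/tmp/" only to the first word and ".ext" only to the last, which hands every word in between to cat untouched.

```shell
#!/bin/bash
# Constructed demonstration, not code from the thread: the vulnerable line with
# /tmp replaced by a scratch directory ($BASE), fed the payloads discussed above.
# Assumes the scratch path contains no '-' (the sed in the line would strip it).

BASE="$(mktemp -d)"
trap 'rm -rf "$BASE"' EXIT
printf 'public\n' > "$BASE/page.ext"        # a legitimate page the script is meant to serve
printf 'TOP SECRET\n' > "$BASE/secret.txt"  # constructed file outside the .ext namespace

# The line from the thread. The only change is $BASE for /tmp. cat's
# "No such file" noise goes to stderr and is dropped; stdout is returned.
vuln_lookup() {
    QUERY_STRING=$1
    cat $BASE/`echo $QUERY_STRING | sed "s/-//g"`.ext 2>/dev/null
}

# 1. The ';' payload. The output of the backtick substitution is word-split
#    and globbed but not re-parsed, so ';', 'echo' and '>' are plain
#    arguments to cat. Prints "yes" if a file was created, "no" otherwise.
semicolon_payload_executes() {
    vuln_lookup "x ; echo hi > $BASE/hi.html" >/dev/null || true
    if [ -e "$BASE/hi.html" ] || [ -e "$BASE/hi.html.ext" ]; then echo yes; else echo no; fi
}

# 2. Backticks inside the variable's value. Parameter expansion does not run a
#    second round of command substitution, so the backticks are literal
#    characters in cat's arguments and the touch never happens.
backtick_payload_executes() {
    vuln_lookup "x \`touch $BASE/pwned\`" >/dev/null || true
    if [ -e "$BASE/pwned" ]; then echo yes; else echo no; fi
}

# 3. What the attacker does get. "$BASE/" sticks to the first word and ".ext"
#    to the last, so every word in between reaches cat untouched: an
#    arbitrary file read (and a '*' in the value would glob as well).
read_other_file() {
    vuln_lookup "x $BASE/secret.txt y"
}

# 4. A hardened version: whitelist the characters, strip the dashes as the
#    original intended, and quote the path so no splitting or globbing occurs.
safe_lookup() {
    name=$1
    case $name in
        ""|*[!A-Za-z0-9_-]*) echo "rejected: $name" >&2; return 1 ;;
    esac
    name=$(printf '%s' "$name" | tr -d '-')
    cat "$BASE/$name.ext"
}

echo "';' payload created a file:       $(semicolon_payload_executes)"
echo "backtick payload created a file:  $(backtick_payload_executes)"
echo "file read via word splitting:     $(read_other_file)"
```

One caveat worth keeping in mind when reading the test posted above: on the `sh test.sh \`echo "blah">test.foo\`` command line the backticks are expanded by the shell you type into, before test.sh even starts, and in the second script they are expanded at the point of assignment. Both create test.foo, but neither passes the backticks through the variable. The same string supplied as the value of the variable, as in the second check here, is inert. The third check is the real exposure of this line: a read of any file the web server user can open, which is what the original post already noted.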