PaulDotCom mailing list archives
Re: Command injection with no spaces
From: "Frisch, Daniel (JUS)" <Daniel.Frisch () ontario ca>
Date: Thu, 14 Jun 2012 11:03:16 -0400
I like Jim & Pat's suggestions. Combining them, if you input this:
SP=$'\x20';cat$SP/etc/passwd|tail$SP-n+1|head$SP-n+1
do you get the first line of the password file? If so, you could loop
from 1 to n to retrieve each line of the file, just replace {INDEX}
below with the line you want to read:
SP=$'\x20';cat$SP/etc/passwd|tail$SP-n+{INDEX}|head$SP-n+1
Dan
________________________________
From: pauldotcom-bounces () mail pauldotcom com
[mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Matt
Summers
Sent: June 14, 2012 8:25 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Command injection with no spaces
I haven't tried tabs.
One thing I forgot to mention is that the limitation on space is because
the web server converts the space to %20 and this can't be interpreted by
the shell.
On Thu 14/06/12 14:14 , "Robin Wood" robin () digininja org sent:
On 14 June 2012 10:18, Matt Summers <matt () fireantsecurity co uk> wrote:
> Folks,
>
> We came across an interesting bug in a web system where we could execute any
> system command (on AIX) but we could not enter any spaces in the command and
> we would only get the last line of STDOUT.
>
> Has anyone else come across anything like this?
>
> The most we were able to do was cat the last line from system files and
> determine if a directory existed.
>
> Cheers,
Have you tried using tabs instead of spaces?
Robin
> Matt
>
> --- Part time worker full time salary ---
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
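The thread shows that a filter on literal spaces does not stop command injection, because the shell can build its own separator. The following is an added example, not part of any message in the thread: it flags shell syntax in a URL-decoded parameter and shows the fix of validating against an allowlist and running the command without a shell. The hostname field, the nslookup command and all function names are assumptions.

```python
import re
import subprocess
from urllib.parse import unquote

# Payload quoted from the thread above; it contains no literal space.
THREAD_PAYLOAD = r"SP=$'\x20';cat$SP/etc/passwd|tail$SP-n+1|head$SP-n+1"

# Characters the shell treats as syntax or as word separators.
SHELL_SYNTAX = re.compile(r"""[;|&`$<>\\'"\t\n\r ]""")

# Assumption: the vulnerable field is meant to hold a hostname.
HOSTNAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def flag_shell_syntax(raw_value):
    """Detection: shell-significant characters in a URL-decoded value."""
    return sorted(set(SHELL_SYNTAX.findall(unquote(raw_value))))


def build_argv(raw_value):
    """Mitigation: allowlist the value and build an argv list, no shell string."""
    value = unquote(raw_value)
    if not HOSTNAME.fullmatch(value):
        raise ValueError("rejected: not a plain hostname")
    return ["nslookup", value]  # hypothetical command wrapped by the web system


def run_lookup(raw_value):
    # Without shell=True the list goes straight to exec, so ';', '|' and '$'
    # are never parsed as shell syntax.
    return subprocess.run(build_argv(raw_value), capture_output=True,
                          text=True, timeout=10)


if __name__ == "__main__":
    print(flag_shell_syntax(THREAD_PAYLOAD))
    print(build_argv("ns1.example.com"))
```

The allowlist also rejects values that begin with a hyphen, so a value cannot be read as an option by the wrapped command.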
Current thread:
- Command injection with no spaces Matt Summers (Jun 14)
- Re: Command injection with no spaces Jim Halfpenny (Jun 14)
- Re: Command injection with no spaces Pat Moloney (Jun 14)
- Re: Command injection with no spaces Robin Wood (Jun 14)
- <Possible follow-ups>
- Re: Command injection with no spaces Matt Summers (Jun 14)
- Re: Command injection with no spaces Frisch, Daniel (JUS) (Jun 14)
- Re: Command injection with no spaces Joe Sylve (Jun 14)
- Re: Command injection with no spaces Joshua Wright (Jun 14)
- Re: Command injection with no spaces Champ Clark III (Jun 14)
- Re: Command injection with no spaces Tim Tomes (Jun 14)
- Re: Command injection with no spaces Matt Summers (Jun 14)
- Re: Command injection with no spaces Matt Summers (Jun 14)
- Re: Command injection with no spaces Matt Summers (Jun 15)
