PaulDotCom mailing list archives

Re: Command injection with no spaces


From: Matt Summers <matt () fireantsecurity co uk>
Date: Thu, 14 Jun 2012 18:19:08 +0100

 I am going to give this a go on the system tomorrow.

 Feedback to follow.

 On Thu 14/06/12 17:03 , "Frisch, Daniel (JUS)" Daniel.Frisch () ontario ca
sent:
     I like Jim
SP=$'\x20';cat$SP/etc/passwd|tail$SP-n+1|head$SP-n+1
do you get the first line of the password file? If so, you could loop from 1 to n to
retrieve each line of the file, just replace {INDEX} below with the line
you want to read:
SP=$'\x20';cat$SP/etc/passwd|tail$SP-n+{INDEX}|head$SP-n+1
Dan

-------------------------
 From: pauldotcom-bounces () mail pauldotcom com
[mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Matt Summers
 Sent: June 14, 2012 8:25 AM
 To: PaulDotCom Security Weekly Mailing List
 Subject: Re: [Pauldotcom] Command injection with no spaces

  I haven't tried tabs.

 One thing I forgot to mention is that the limitation on space is because
the web server converts the space to %20 and this can't be interpreted by
the shell.

 On Thu 14/06/12 14:14 , "Robin Wood" robin () digininja org sent:
  On 14 June 2012 10:18, Matt Summers  wrote:
Folks,

We came across an interesting bug in a web system where we could execute any
system command (on AIX) but we could not enter any spaces in the command and
we would only get the last line of STDOUT.

Has anyone else come across anything like this?

The most we were able to do was cat the last line from system files and
determine if a directory existed.

Cheers,

 Have you tried using tabs instead of spaces?

 Robin

Matt

--- Part time worker full time salary ---
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
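The command discussed in this thread reaches the shell without a literal space or `%20`, so a filter or log rule keyed on spaces never fires. As an added example (not written by anyone in the thread), the Python below scans access-log lines for the shell syntax that command relies on instead; the `/status` path, the `host` parameter, the addresses and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, quote

# Indicators taken from the thread: the $'...' quoted stand-in for a space, a
# variable glued to a command word (cat$SP/etc/passwd), command chaining,
# and the tab that was suggested as a replacement for the space.
INDICATORS = {
    "ansi_c_quote": re.compile(r"\$'[^']*'"),
    "glued_expansion": re.compile(r"[A-Za-z]\$\{?[A-Za-z_]"),
    "chaining": re.compile(r"[;|]"),
    "tab": re.compile(r"\t"),
}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def indicators(value):
    """Names of the shell-syntax indicators present in a decoded value."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]

def naive_space_rule(value):
    """The kind of rule this command slips past: it only looks for a space."""
    return " " in value

def scan(lines):
    """Return (param, decoded value, indicators) for every flagged parameter."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            found = indicators(value)
            if found:
                hits.append((name, value, found))
    return hits

# Constructed sample data: the thread's command, percent-encoded as a client would send it.
PAYLOAD = "SP=$'\\x20';cat$SP/etc/passwd|tail$SP-n+1|head$SP-n+1"
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jun/2012:10:18:00 +0100] "GET /status?host=srv01 HTTP/1.1" 200 512',
    '192.0.2.44 - - [14/Jun/2012:10:19:12 +0100] "GET /status?host=%s HTTP/1.1" 200 98'
    % quote(PAYLOAD, safe=""),
    '192.0.2.44 - - [14/Jun/2012:10:20:03 +0100] "GET /status?host=srv01%09x HTTP/1.1" 200 98',
]

if __name__ == "__main__":
    for name, value, found in scan(SAMPLE_LOG):
        print(name, repr(value), found, "space rule fires:", naive_space_rule(value))
```

Matching on the decoded parameter value matters here: the raw log line contains only percent-encoded bytes, so the indicators are invisible until the query string is parsed.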

  
