PaulDotCom mailing list archives

Re: Command injection with no spaces

From: Joshua Wright <jwright () hasborg com>
Date: Thu, 14 Jun 2012 21:46:00 -0400

On 6/14/2012 9:01 AM, Joe Sylve wrote:

Try something like this for command execution:

CMD=$'cat\x20/etc/passwd';$CMD

On Thu, Jun 14, 2012 at 7:25 AM, Matt Summers
<matt () fireantsecurity co uk <mailto:matt () fireantsecurity co uk>> wrote:

    I haven't tried tabs.

    One thing I forgot to mention is that the limitation on space is
    because the web server converts the space to %20 and this cant be
    interpreted by the shell.


Can you just use $IFS for spaces, like this bug:

http://www.mailchannels.com/blog/2009/07/amazing-new-exploit-for-linksys-routers-running-dd-wrt/

Or this classic tome:

http://www.scribd.com/doc/81408484/56/The-Ping-Hack

-Josh

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Current thread:

Command injection with no spaces Matt Summers (Jun 14)
- Re: Command injection with no spaces Jim Halfpenny (Jun 14)
- Re: Command injection with no spaces Pat Moloney (Jun 14)
- Re: Command injection with no spaces Robin Wood (Jun 14)
- <Possible follow-ups>
- Re: Command injection with no spaces Matt Summers (Jun 14)
  - Re: Command injection with no spaces Frisch, Daniel (JUS) (Jun 14)
  - Re: Command injection with no spaces Joe Sylve (Jun 14)
    - Re: Command injection with no spaces Joshua Wright (Jun 14)
    - Re: Command injection with no spaces Champ Clark III (Jun 14)
  - Re: Command injection with no spaces Tim Tomes (Jun 14)
- Re: Command injection with no spaces Matt Summers (Jun 14)
- Re: Command injection with no spaces Matt Summers (Jun 14)
- Re: Command injection with no spaces Matt Summers (Jun 15)