PaulDotCom mailing list archives

Re: Command injection with no spaces


From: Matt Summers <matt () fireantsecurity co uk>
Date: Fri, 15 Jun 2012 17:14:43 +0100

 Thanks for all the suggestions and thanks to Josh....it worked a treat.

 On Fri 15/06/12 03:46 , "Joshua Wright" jwright () hasborg com sent:
 On 6/14/2012 9:01 AM, Joe Sylve wrote:
Try something like this for command execution:

CMD=$'cat\x20/etc/passwd';$CMD

On Thu, Jun 14, 2012 at 7:25 AM, Matt Summers
 wrote:

I haven't tried tabs.

One thing I forgot to mention is that the limitation on space is
because the web server converts the space to %20 and this can't be
interpreted by the shell.

 Can you just use $IFS for spaces, like this bug:


http://www.mailchannels.com/blog/2009/07/amazing-new-exploit-for-linksys-routers-running-dd-wrt/

 Or this classic tome:

 http://www.scribd.com/doc/81408484/56/The-Ping-Hack

 -Josh

 _______________________________________________
 Pauldotcom mailing list
 Pauldotcom () mail pauldotcom com
 http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
 Main Web Site: http://pauldotcom.com

 

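An added example, not part of the original thread: it shows why blocking literal spaces does not stop injection into a shell command line (the `$IFS` substitution mentioned above gets through), next to a hardened form that validates the value and runs the program without a shell. The handler functions, the `echo lookup` stand-in command, the hostname allowlist and the sample input are all assumptions constructed for illustration; a POSIX `/bin/sh` is assumed.

```python
import re
import subprocess

# Constructed, benign sample: no literal space, so a space filter passes it.
SAMPLE = "host;echo${IFS}INJECTED"

# Hypothetical allowlist for the parameter (a hostname in this sketch).
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def weak_filter(value):
    """The control discussed in the thread: only literal spaces are blocked."""
    return " " not in value


def run_vulnerable(value):
    """Before: the value is spliced into a command line parsed by /bin/sh."""
    if not weak_filter(value):
        raise ValueError("space rejected")
    # 'echo lookup' stands in for the real tool so the demo runs offline.
    proc = subprocess.run("echo lookup " + value, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_argv_only(value):
    """No shell: ';' and '${IFS}' reach the program as literal bytes."""
    proc = subprocess.run(["echo", "lookup", value],
                          capture_output=True, text=True)
    return proc.stdout


def run_hardened(value):
    """After: allowlist validation first, then argv execution without a shell."""
    if not HOSTNAME_RE.fullmatch(value):
        raise ValueError("not a valid hostname")
    return run_argv_only(value)


if __name__ == "__main__":
    print(run_vulnerable(SAMPLE))   # the shell splits on $IFS and runs a second command
    print(run_argv_only(SAMPLE))    # same input, printed back verbatim
    try:
        run_hardened(SAMPLE)
    except ValueError as exc:
        print("rejected:", exc)
```

The fix that matters is removing the shell from the path; the allowlist is defence in depth, and character blacklists (spaces, tabs, `%20`) only change which encoding gets through.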
