Vulnerability Development mailing list archives
Re: shell script cgi
From: Brian Hatch <vuln-dev () ifokr org>
Date: Sat, 16 Nov 2002 08:29:38 -0800
thought the wrong way in my last message. Try the following string for $HTTP_USER_AGENT: "`cat /etc/passwd`"
The HTTP_USER_AGENT string is set by Apache (etc) as an environment variable. Let's make the unradical assumption that your browser is not a shell script, and thus is setting it correctly without any shell expansion problems possible. So HTTP_USER_AGENT is set to

    `cat /etc/passwd`

To emulate this, let's set it ourselves in a normal shell:

    bash$ export VAR='`cat /etc/passwd`'
    bash$ echo $VAR
    `cat /etc/passwd`

I use the single quotes here to make sure no expansion tricks are possible, which is how your web browser will work. The var is set exactly. Excellent. Can we abuse it?

    bash$ echo $VAR
    `cat /etc/passwd`
    bash$ echo "$VAR"
    `cat /etc/passwd`

Nope. How 'bout if we have:

    bash$ export VAR='blahblahblah *'
    bash$ echo $VAR
    blahblahblah file1.cgi file2.cgi file3.cgi
    bash$ echo "$VAR"
    blahblahblah *

See that with no quotes you can get a file listing through shell expansion.

--
Brian Hatch                  I used to be a lumberjack,
   Systems and                but I just couldn't hack
   Security Engineer          it, so they gave me the ax.
http://www.ifokr.org/bri/

Every message PGP signed
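The behaviour shown in the message above, as an added example that is not part of the original post: it makes the word boundaries visible for an unquoted, a quoted, and an unquoted-with-`set -f` expansion of the same two values. The helper names (`make_demo_dir`, `brackets`, `show_unquoted`, `show_quoted`, `show_noglob`) and the scratch directory with its three `.cgi` files are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the original message). The file names are
# constructed to match the listing shown in the message.

# Create a scratch directory holding three constructed .cgi files.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/file1.cgi"; : > "$d/file2.cgi"; : > "$d/file3.cgi"
    printf '%s\n' "$d"
}

# Print each argument in brackets so word boundaries are visible.
brackets() { for w in "$@"; do printf '[%s]' "$w"; done; printf '\n'; }

# Unquoted: the value is split on whitespace and glob-expanded, but it is
# never re-parsed for command substitution.
show_unquoted() { brackets $1; }

# Quoted: the value reaches the command as one literal argument.
show_quoted() { brackets "$1"; }

# Unquoted with globbing disabled: still split into words, no file listing.
show_noglob() ( set -f; brackets $1 )

# Run the two values from the message through all three forms.
demo() (
    dir=$(make_demo_dir) || exit 1
    cd "$dir" || exit 1
    for ua in '`cat /etc/passwd`' 'blahblahblah *'; do
        printf 'value:    %s\n' "$ua"
        printf 'unquoted: '; show_unquoted "$ua"
        printf 'quoted:   '; show_quoted "$ua"
        printf 'set -f:   '; show_noglob "$ua"
    done
    cd / && rm -rf "$dir"
)
demo
```

Quoting every expansion of a request-derived variable is the fix that covers both splitting and globbing; `set -f` alone removes the file listing but still splits the value into separate arguments.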