Vulnerability Development mailing list archives
Re: shell script cgi
From: Brian Hatch <vuln-dev () ifokr org>
Date: Sat, 16 Nov 2002 08:29:38 -0800
thought the wrong way in my last message. Try the following string for $HTTP_USER_AGENT: "`cat /etc/passwd`"
The HTTP_USER_AGENT string is set by Apache (etc)
as an environment variable. Let's make the unradical
assumption that your browser is not a shell script,
and thus is setting it correctly without any shell
expansion problems possible. So HTTP_USER_AGENT is
set to
`cat /etc/passwd`
To emulate this, let's set it ourselves in a normal shell:
bash$ export VAR='`cat /etc/passwd`'
bash$ echo $VAR
`cat /etc/passwd`
I use the single quotes here to make sure no expansion
tricks are possible, which is how your web browser will
work. The var is set exactly. Excellent. Can we abuse
it?
bash$ echo $VAR
`cat /etc/passwd`
bash$ echo "$VAR"
`cat /etc/passwd`
Nope. How 'bout if we have:
bash$ export VAR='blahblahblah *'
bash$ echo $VAR
blahblahblah file1.cgi file2.cgi file3.cgi
bash$ echo "$VAR"
blahblahblah *
See that with no quotes you can get a file listing through
shell expansion.
--
Brian Hatch I used to be a lumberjack,
Systems and but I just couldn't hack
Security Engineer it, so they gave me the ax.
http://www.ifokr.org/bri/
Every message PGP signed
Attachment:
_bin
Description:
Current thread:
- Re: shell script cgi, (continued)
- Re: shell script cgi Nick Jacobsen (Nov 16)
- Re: shell script cgi Ed Schmollinger (Nov 17)
- Re: shell script cgi (summary?) c jones (Nov 18)
- Re: shell script cgi (summary?) Brian Fury (Nov 19)
- Re: shell script cgi (summary?) Andre Breiler (Nov 20)
- Re: shell script cgi (summary?) Philip Rowlands (Nov 20)
- Re: shell script cgi (summary?) Brian Hatch (Nov 19)
- Re: shell script cgi Nick Jacobsen (Nov 16)
- Re: shell script cgi Rajko Zschiegner (Nov 16)
- Re: shell script cgi mlh (Nov 18)
- RE: shell script cgi Rajko Zschiegner (Nov 16)
- Re: shell script cgi Brian Hatch (Nov 16)
- Re: shell script cgi Ralf Dreibrodt (Nov 17)
- Re: shell script cgi mlh (Nov 18)
- Re: shell script cgi Brian Hatch (Nov 16)
