Vulnerability Development mailing list archives

Re: shell script cgi


From: "Nick Jacobsen" <nick () ethicsdesign com>
Date: Sat, 16 Nov 2002 01:44:15 -0800

Have you considered including qoute characters in the HTTP_USER_AGENT field?
like so:
$HTTP_USER_AGENT = "" | cat "/etc/passwd"
if you do this, the ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"` stirng will
come out looking like the following:
ua=`echo "" | cat "/etc/passwd" | sed "s#\;##g"`
all you are doing is terminating the echo text with a qoute character, and
then adding another qoute character before the filename so that the command
will be interpreted correctly...
Let me know if this works, but it should...


Nick Jacobsen
Ethics Design
nick () ethicsdesign com

----- Original Message -----
From: "Philip Rowlands" <phr () doc ic ac uk>
To: <vuln-dev () securityfocus com>
Sent: Thursday, November 14, 2002 4:23 PM
Subject: Re: shell script cgi


On Thu, 14 Nov 2002, c jones wrote:

I have found the line below in an sh cgi program, and believe I can
pass a command to the shell but can't seem to get it to work right.
[snip]
ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`

The quotes around HTTP_USER_AGENT prevent any "chained commands", e.g.
'Mozilla 6; rm -rf /'.

Perhaps you're confusing the backticks; they execute the line given in
the script, not the result of the 'echo ...; sed'.

I don't see any way here to manipulate the input to execute arbitrary
code.


Cheers,

Phil



Current thread: