On 2 June 2010 15:42, Dan King <[email protected]> wrote:
> I created the following script:
>
> #!/bin/bash
> QUERY_STRING=$1
> cat /tmp/`echo $QUERY_STRING | sed "s/-//g"`.ext
>
> Then I ran this from the command line:
>
> sh test.sh `echo "blah">test.foo`
>
> The file 'test.foo' was created as expected. I changed the script to look
> like this and it also wrote the file:
>
> #!/bin/bash
> QUERY_STRING="`echo "blah">test.foo`"
> cat /tmp/`echo $QUERY_STRING | sed "s/-//g"`.ext

So wrapping the command I want to run in backticks lets it run. Just
did the test and agree that works.

Thanks, I'll remember that for next time.

Robin

>
> On Tue, Jun 1, 2010 at 5:03 PM, Robin Wood <[email protected]> wrote:
>>
>> Earlier today I was asked if I could work out a way to get command
>> injection through the code below. I couldn't work out a way to do it
>> but hopefully (here's looking at you Ed) someone else can work
>> something out.
>>
>> The vulnerable line is:
>>
>> cat /tmp/`echo $QUERY_STRING | sed "s/-//g"`.ext
>>
>> and I'm looking for command injection or a way to create a new file as
>> this is on a web server so I could create a web page shell script. I
>> know that I've got the ability to read any file, I'm not after that.
>>
>> The obvious thing to do is to set $QUERY_STRING to something like
>>
>> x ; echo 'hi' > /www/hi.html
>>
>> but that doesn't work. I get
>>
>> cat: x: No such file or directory
>> cat: ;: No such file or directory
>> cat: echo: No such file or directory
>> cat: 'hi': No such file or directory
>> cat: >: No such file or directory
>> cat: /www/hi.html.ext: No such file or directory
>>
>> however if I put the value of QUERY_STRING directly into the statement
>> then it does work and the file is created. The fact that QUERY_STRING
>> is a variable means it is treated differently than if the commands
>> were just put inline.
>>
>> Any tips?
>>
>> Robin
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
>
> --
> I live in a world of cold steel and dungeons and mighty foes...
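An added example, not part of the original thread: it runs the line under discussion to show how the shell treats the expanded value of QUERY_STRING (word-split into separate arguments, never re-parsed for `;`, `>` or backticks), next to a quoted, allow-listed version of the same lookup. The function names, the base-directory parameter and the sample values are constructed for illustration.

```bash
#!/bin/bash
# Added illustration; function names and sample values are constructed.

# Count the words the thread's unquoted line hands to cat.
# `set --` stands in for cat so nothing is actually read.
unquoted_argc() {
    QUERY_STRING=$1
    set -- /tmp/`echo $QUERY_STRING | sed "s/-//g"`.ext
    echo "$#"
}

# Run the same line with a value that CONTAINS literal backticks and
# report whether the embedded command ran (it would create a marker file).
literal_backticks_run() {
    dir=$(mktemp -d) || return 2
    QUERY_STRING='`touch '"$dir"'/marker`'
    cat /tmp/`echo $QUERY_STRING | sed "s/-//g"`.ext >/dev/null 2>&1 || true
    if [ -e "$dir/marker" ]; then ran=yes; else ran=no; fi
    rm -rf "$dir"
    echo "$ran"
}

# Hardened form: $1 is the base directory, $2 the untrusted value.
# Dashes are stripped as in the original, then the name must match a
# strict allow-list; every expansion is quoted so it stays one argument.
safe_lookup() {
    name=$(printf '%s\n' "$2" | sed 's/-//g')
    case $name in
        ''|*[!A-Za-z0-9_]*) return 2 ;;   # rejects spaces, '/', '.', ';', '`'
    esac
    cat -- "$1/$name.ext"
}

echo "arguments cat receives: $(unquoted_argc "x ; echo 'hi' > /www/hi.html")"
echo "literal backticks executed: $(literal_backticks_run)"
```

The six arguments correspond to the six `cat:` errors quoted in the thread. In the command-line test quoted above, the backticks sit unquoted on the command line, so the invoking shell expands them before test.sh starts; the exposure that remains in the script itself is the unquoted expansion, which lets one value name several arbitrary files.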
