I like Jim & Pat's suggestions. Combining them, if you input this:

SP=$'\x20';cat$SP/etc/passwd|tail$SP-n+1|head$SP-n+1

do you get the first line of the password file? If so, you could loop
from 1 to n to retrieve each line of the file; just replace {INDEX}
below with the line you want to read:

SP=$'\x20';cat$SP/etc/passwd|tail$SP-n+{INDEX}|head$SP-n+1

Dan
________________________________
From: [email protected] [mailto:[email protected]] On Behalf Of Matt Summers
Sent: June 14, 2012 8:25 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Command injection with no spaces
I haven't tried tabs.
One thing I forgot to mention is that the limitation on space is because
the web server converts the space to %20 and this can't be interpreted by
the shell.
On Thu 14/06/12 14:14 , "Robin Wood" [email protected] sent:
On 14 June 2012 10:18, Matt Summers <[email protected]> wrote:
> Folks,
>
> We came across an interesting bug in a web system where we could execute any
> system command (on AIX) but we could not enter any spaces in the command and
> we would only get the last line of STDOUT.
>
> Has anyone else come across anything like this?
>
> The most we were able to do was cat the last line from system files and
> determine if a directory existed.
>
> Cheers,
Have you tried using tabs instead of spaces?
Robin
> Matt
>
> --- Part time worker full time salary ---
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com