I am going to give this a go on the system tomorrow.

 Feedback to follow.

 On Thu 14/06/12 17:03, "Frisch, Daniel (JUS)" [email protected] sent:
     I like Jim

     SP=$'\x20';cat$SP/etc/passwd|tail$SP-n+1|head$SP-n+1

     do you get the first line of the password file? If so, you could
     loop from 1 to n to retrieve each line of the file, just replace
     {INDEX} below with the line you want to read:

     SP=$'\x20';cat$SP/etc/passwd|tail$SP-n+{INDEX}|head$SP-n+1

     Dan

-------------------------
 From: [email protected]
[mailto:[email protected]] On Behalf Of Matt Summers
 Sent: June 14, 2012 8:25 AM
 To: PaulDotCom Security Weekly Mailing List
 Subject: Re: [Pauldotcom] Command injection with no spaces

  I haven't tried tabs.

 One thing I forgot to mention is that the limitation on space is because
the web server converts the space to %20 and this can't be interpreted by
the shell.

 On Thu 14/06/12 14:14 , "Robin Wood" [email protected] sent:
  On 14 June 2012 10:18, Matt Summers wrote:
 > Folks,
 >
 > We came across an interesting bug in a web system where we could execute any
 > system command (on AIX) but we could not enter any spaces in the command and
 > we would only get the last line of STDOUT.
 >
 > Has anyone else come across anything like this?
 >
 > The most we were able to do was cat the last line from system files and
 > determine if a directory existed.
 >
 > Cheers,

 Have you tried using tabs instead of spaces?

 Robin

 > Matt
 >
 > --- Part time worker full time salary ---
 > _______________________________________________
 > Pauldotcom mailing list
 > [email protected]
 > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
 > Main Web Site: http://pauldotcom.com

  

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
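
For defenders reviewing web logs, the space-free constructs discussed in this thread (the SP=$'\x20' variable trick and the tab suggestion) can be flagged in request parameters. The following is an added example, not part of the original thread; the function names, the "file" parameter and the sample values are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructs the thread uses (or suggests) in place of a literal space.
ANSI_C_QUOTE = re.compile(r"\$'(?:[^'\\]|\\.)*'")  # e.g. $'\x20'
VAR_ASSIGN = re.compile(r"\b([A-Za-z_]\w*)=")      # e.g. SP=
SHELL_META = re.compile(r"[;|]")                   # command separator, pipe


def space_bypass_indicators(raw_value):
    """Return sorted reasons why a URL-encoded parameter value looks like
    shell injection written without literal spaces ([] if none)."""
    value = unquote(raw_value)
    reasons = set()
    if ANSI_C_QUOTE.search(value):
        reasons.add("ansi-c-quoting")
    if "\t" in value:
        reasons.add("tab-as-separator")
    # A variable assigned in the value and then expanded glued between tokens,
    # as in cat$SP/etc/passwd.
    for name in VAR_ASSIGN.findall(value):
        glued = r"\w\$" + re.escape(name) + r"[\w/.-]"
        if re.search(glued, value):
            reasons.add("glued-variable-expansion")
    if SHELL_META.search(value):
        reasons.add("shell-metacharacter")
    return sorted(reasons)


def scan(values):
    """Map each flagged value to its reasons; clean values are omitted."""
    hits = {}
    for v in values:
        reasons = space_bypass_indicators(v)
        if reasons:
            hits[v] = reasons
    return hits


# Constructed sample values for a hypothetical "file" parameter.
SAMPLES = [
    "report-2012-06.txt",
    "Q2%20summary.txt",
    r"a.txt;SP=$'\x20';cat$SP/etc/passwd|tail$SP-n+1|head$SP-n+1",
    "a.txt;cat%09/etc/passwd",
]

if __name__ == "__main__":
    for value, reasons in scan(SAMPLES).items():
        print(reasons, value)
```

A legitimate value containing an encoded space (%20) is not flagged; only the substitutes for a space combined with shell syntax are.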
