[Pauldotcom] escaping backticks
Robin Wood
robin at digininja.org
Tue Jun 1 21:03:05 UTC 2010
Earlier today I was asked if I could work out a way to get command
injection through the code below. I couldn't work out a way to do it
but hopefully (here's looking at you Ed) someone else can work
something out.
The vulnerable line is:
cat /tmp/`echo $QUERY_STRING | sed "s/-//g"`.ext
and I'm looking for command injection or a way to create a new file as
this is on a web server so I could create a web page shell script. I
know that I've got the ability to read any file, I'm not after that.
The obvious thing to do is to set $QUERY_STRING to something like
x ; echo 'hi' > /www/hi.html
but that doesn't work. I get
cat: x: No such file or directory
cat: ;: No such file or directory
cat: echo: No such file or directory
cat: 'hi': No such file or directory
cat: >: No such file or directory
cat: /www/hi.html.ext: No such file or directory
However, if I put the value of QUERY_STRING directly into the statement
then it does work and the file is created. The fact that QUERY_STRING
is a variable means it is treated differently than if the commands
were just put inline.
Any tips?
Robin
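Added example, not code from Robin's post: a scratch-directory reproduction of the same line shape, showing that an unquoted backtick expansion is word-split into separate arguments rather than re-parsed as shell syntax, next to a hardened version that allowlists the input and quotes the path. DEMO, setup, vuln_cat, safe_cat and split_count are constructed names for this demo.

```sh
#!/bin/sh
# Added example, not code from the original post. Reproduces the shape of
# the vulnerable line against a scratch directory and shows (a) that an
# unquoted expansion is word-split, not re-parsed as shell syntax, and
# (b) a hardened version that allowlists the input and quotes the path.
# DEMO, setup, vuln_cat, safe_cat and split_count are constructed names.

setup() {
  DEMO=$(mktemp -d) || return 1
  printf 'hello\n' > "$DEMO/abc.ext"     # constructed sample file
}

# Same structure as the line in the post: unquoted backtick substitution
# inside the path. The substitution's output is split on whitespace and
# each piece becomes one more argument to cat; ';' and '>' stay literal.
vuln_cat() {
  QUERY_STRING=$1
  cat "$DEMO"/`echo $QUERY_STRING | sed "s/-//g"`.ext
}

# Count how many arguments the unquoted substitution hands to cat.
split_count() {
  QUERY_STRING=$1
  set -- `echo $QUERY_STRING | sed "s/-//g"`
  echo $#
}

# Hardened version: reject anything outside [A-Za-z0-9_-] (so no '/',
# '.', ';', quotes or spaces), then quote the expansion so the name is
# always exactly one argument and cannot leave $DEMO.
safe_cat() {
  case $1 in
    ''|*[!A-Za-z0-9_-]*) return 2 ;;
  esac
  name=$(printf '%s' "$1" | sed 's/-//g')
  cat "$DEMO/$name.ext"
}

main() {
  setup || return 1
  vuln_cat 'a-b-c'                              # prints: hello
  vuln_cat "x ; echo hi > $DEMO/hi.html" || :   # cat errors, as in the post
  [ -e "$DEMO/hi.html" ] && echo 'file created' || echo 'no file created'
  safe_cat 'a-b-c'                              # prints: hello
  safe_cat '../abc' || echo "rejected (rc=$?)"  # rejected (rc=2)
  rm -rf "$DEMO"
}
```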