bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bug on function.


From: Kelvin Tan Thiam Teck
Subject: Re: Bug on function.
Date: Tue, 8 Dec 2015 15:58:15 +0800

dumbass@Lucifer:~$ ./report.sh "echo ln -s /sbin/halt; mv halt ;reboot8 ; reboot" AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA
Before Passing Thru Function: echo ln -s /sbin/halt; mv halt ;reboot8 ; reboot AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA
reboot: Need to be root
9th:
10th: echo0
11th: echo1
12th: echo2
13th: echo3
14th: echo4
15th: echo5
16th: echo6
17th: echo7
./report.sh: line 29: echo8: command not found
19th: echo9
20th: ln0
dumbass@Lucifer:~$


On Tue, Dec 8, 2015 at 3:27 PM, Pierre Gaston <pierre.gaston@gmail.com> wrote:
On Tue, Dec 8, 2015 at 9:16 AM, Kelvin Tan Thiam Teck <kelvintx3@gmail.com> wrote:
Hi,
Please try my payload on that script, before telling me what $@ and $* does. and see if my param1 injection will cause your system to reboot on 18th param. it has nothing to do with $@ & $*, it's another bugs on bash which i found out, similar to shockbash, except it's harder to execute due to the requirement for it to happen.


Regards
KT

 
But it's code injection because your script is badly written, it's not a bug in bash.
It's badly written because without quotes around "$@" the parameters are split into words and then you tell bash to execute one of these words.
Bash does what it is supposed to do in your example.

And yes, there are many many way to write a script that allows code injections.

Shellshock was entirely different in that it allowed to inject code no matter how the script was written..



reply via email to

[Prev in Thread] Current Thread [Next in Thread]