bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bug on function.


From: Kelvin Tan Thiam Teck
Subject: Re: Bug on function.
Date: Tue, 8 Dec 2015 16:12:52 +0800

Hi, Let me start the story in this way.  Please note on param 10 onwards to param 19. why is my param 1 merge with param 10 - 19.
dumbass@Lucifer:~$ ./repo.sh  a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
param 1: a
param 2: 1
param 3: 2
param 4: 3
param 5: 4
param 6: 5
param 7: 6
param 8: 7
param 9: 8
param 10: a0
param 11: a1
param 12: a2
param 13: a3
param 14: a4
param 15: a5
param 16: a6
param 17: a7
param 18: a8
param 19: a9
param 20: 10

Execution Section. the initial mail is successfully inserting the command reboot into 18th param which trigger system reboot.
./repo.sh  a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

Script  Section
#!/bin/bash
function gateway {
echo "param 1: $1"
echo "param 2: $2"
echo "param 3: $3"
echo "param 4: $4"
echo "param 5: $5"
echo "param 6: $6"
echo "param 7: $7"
echo "param 8: $8"
echo "param 9: $9"
echo "param 10: $10"
echo "param 11: $11"
echo "param 12: $12"
echo "param 13: $13"
echo "param 14: $14"
echo "param 15: $15"
echo "param 16: $16"
echo "param 17: $17"
echo "param 18: $18"
echo "param 19: $19"
echo "param 20: $20"

}
gateway $*

On Tue, Dec 8, 2015 at 3:58 PM, Kelvin Tan Thiam Teck <kelvintx3@gmail.com> wrote:
dumbass@Lucifer:~$ ./report.sh "echo ln -s /sbin/halt; mv halt ;reboot8 ; reboot" AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA
Before Passing Thru Function: echo ln -s /sbin/halt; mv halt ;reboot8 ; reboot AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA
reboot: Need to be root
9th:
10th: echo0
11th: echo1
12th: echo2
13th: echo3
14th: echo4
15th: echo5
16th: echo6
17th: echo7
./report.sh: line 29: echo8: command not found
19th: echo9
20th: ln0
dumbass@Lucifer:~$


On Tue, Dec 8, 2015 at 3:27 PM, Pierre Gaston <pierre.gaston@gmail.com> wrote:
On Tue, Dec 8, 2015 at 9:16 AM, Kelvin Tan Thiam Teck <kelvintx3@gmail.com> wrote:
Hi,
Please try my payload on that script, before telling me what $@ and $* does. and see if my param1 injection will cause your system to reboot on 18th param. it has nothing to do with $@ & $*, it's another bugs on bash which i found out, similar to shockbash, except it's harder to execute due to the requirement for it to happen.


Regards
KT

 
But it's code injection because your script is badly written, it's not a bug in bash.
It's badly written because without quotes around "$@" the parameters are split into words and then you tell bash to execute one of these words.
Bash does what it is supposed to do in your example.

And yes, there are many many way to write a script that allows code injections.

Shellshock was entirely different in that it allowed to inject code no matter how the script was written..




reply via email to

[Prev in Thread] Current Thread [Next in Thread]