From: | Kelvin Tan Thiam Teck |
Subject: | Re: Bug on function. |
Date: | Tue, 8 Dec 2015 16:15:09 +0800 |
On Tue, Dec 8, 2015 at 9:58 AM, Kelvin Tan Thiam Teck <kelvintx3@gmail.com> wrote:

dumbass@Lucifer:~$ ./report.sh "echo ln -s /sbin/halt; mv halt ;reboot8 ; reboot" AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA
Before Passing Thru Function: echo ln -s /sbin/halt; mv halt ;reboot8 ; reboot AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA
reboot: Need to be root
9th:
10th: echo0
11th: echo1
12th: echo2
13th: echo3
14th: echo4
15th: echo5
16th: echo6
17th: echo7
./report.sh: line 29: echo8: command not found
19th: echo9
20th: ln0
dumbass@Lucifer:~$

I think you misunderstand me, I'm not denying that you inject some code. What I'm saying is that the bug is in your code.

Here is a simpler way to reproduce:
cat inject
#!/bin/bash
function foo {
"$2"
}
foo $*
$ ./inject "blah date"
Tue Dec 8 10:08:45 EET 2015

You can see that "date" is executed, but it's a bug in the script: $* is split in 2, as it is supposed to be, and foo receives 2 arguments.

You can fix the bug using "$@":
$ vi inject
$ cat inject
#!/bin/bash
function foo {
"$2"
}
foo "$@"
$ ./inject "blah date"
./inject: line 3: : command not found

Now the arguments are not split again and foo receives only one argument, hence the error.

As I said, there are many pitfalls in shell script; that's why allowing running a script with more privileges than the user has is dangerous.
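
The reply contrasts `$*` with `"$@"`; the sketch below is an added example, not part of the original thread, and extends that comparison to all four forwarding styles. The names `describe` and `via_*` are hypothetical, the input is constructed, the default IFS is assumed, and the callee only prints what it receives instead of executing it.

```sh
#!/bin/sh
# Added example: how each forwarding style changes what a callee sees.
# describe() and the via_* wrappers are hypothetical names for illustration.

# Print "<argument count>:<second argument>" exactly as the callee sees them.
# ${2-} expands to an empty string when there is no second argument.
describe() {
    printf '%s:%s\n' "$#" "${2-}"
}

# Unquoted $* and $@ are re-split on IFS (and then glob-expanded), so one
# argument containing a space arrives as two separate arguments.
via_star_unquoted() { describe $*; }
via_at_unquoted()   { describe $@; }

# "$*" joins every argument into ONE word: no re-splitting, but the
# boundaries between the original arguments are lost.
via_star_quoted()   { describe "$*"; }

# "$@" forwards each argument as its own word, unchanged.
via_at_quoted()     { describe "$@"; }

# Constructed input: a single argument containing a space, as in the thread.
for style in via_star_unquoted via_at_unquoted via_star_quoted via_at_quoted; do
    printf '%-18s -> %s\n' "$style" "$("$style" "blah date")"
done
```

Only the two unquoted forms place `date` in the callee's `$2`, which is the position the `inject` script goes on to execute.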