From: Brian Fury (brianfury_at_blueyonder.co.uk)
Date: Tue Nov 19 2002 - 00:40:28 CST

    On Mon, 18 Nov 2002, you wrote:
    > Thanks to everyone who replied regarding my attempts
    > to stuff shell commands into this line:
    >
    > > ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`

    Obviously I can't speak authoritatively here... I mean the ueber-skilled
    team vuln-dev people who are paid to do this sort of thing may have
    top-secret zero-day reasons why this might not work.... but hey it worked for
    me.

    [rootlocalhost lib]# export LAME=""whoami""""
    [rootlocalhost lib]# `echo "$LAME" | sed "s#\;##g"`
    root
    [rootlocalhost lib]#

    wh00pz - lookz like command execution to me

    In case you didn't realise - it'z the ` and ` characters around the whole
    expression that allowz uz command execution....

    [rootlocalhost lib]# echo $LAME
    whoami
    [rootlocalhost lib]# `echo $LAME`
    root
    [rootlocalhost lib]#

    BTW - it workz fine in a shell script.....

    I'm sure someone has already mentioned this....

    Best Regardz

    Brian Fury

    "You gonna feel the power of my move, you ready?"
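
The two forms that appear in this thread, side by side, as an added example that is not part of the original message: the assignment line quoted at the top and the bare backtick line typed at the prompt, followed by two later uses of the captured value. The function names, the `eval` and quoted uses, and the sample header values are constructed for illustration.

```shell
#!/bin/sh
# Added example. All header values below are constructed samples.

# Form 1: the CGI line quoted at the top of the message. The backticks
# capture the pipeline's output into $ua; the header text stays data.
assign_form() {
    HTTP_USER_AGENT=$1
    ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`
    printf '%s\n' "$ua"
}

# Form 2: the line typed at the prompt in the reply. With no assignment
# in front, the pipeline's output is word-split and run as a command.
bare_form() {
    LAME=$1
    `echo "$LAME" | sed "s#\;##g"`
}

# Hypothetical risky later use: eval re-parses the captured text as code.
eval_use() {
    ua=$(assign_form "$1")
    eval "$ua"
}

# Hypothetical safe later use: the value is always quoted and only ever
# passed as a single argument, so it is never parsed as shell syntax.
quoted_use() {
    ua=$(assign_form "$1")
    printf 'agent=%s\n' "$ua"
}

# The shell does not rescan the result of an expansion, so backticks or
# $( ) arriving inside the header survive Form 1 as literal text.
for sample in 'echo EXECUTED;' '`echo EXECUTED`' '$(echo EXECUTED)'; do
    printf 'assign: %s\n' "$(assign_form "$sample")"
done
printf 'bare:   %s\n' "$(bare_form 'echo EXECUTED;')"
printf 'eval:   %s\n' "$(eval_use 'echo EXECUTED;')"
printf 'quoted: %s\n' "$(quoted_use 'echo EXECUTED;')"
```

When auditing a CGI script of this kind, the assignment itself is not the place to look; follow `$ua` to every later use and check for `eval`, unquoted expansion in command position, or the value being written into another script.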