PaulDotCom mailing list archives
Re: Command injection with no spaces
From: "Frisch, Daniel (JUS)" <Daniel.Frisch () ontario ca>
Date: Thu, 14 Jun 2012 11:03:16 -0400
I like Jim & Pat's suggestions. Combining them, if you input this:

SP=$'\x20';cat$SP/etc/passwd|tail$SP-n+1|head$SP-n+1

do you get the first line of the password file? If so, you could loop from 1 to n to retrieve each line of the file, just replace {INDEX} below with the line you want to read:

SP=$'\x20';cat$SP/etc/passwd|tail$SP-n+{INDEX}|head$SP-n+1

Dan

________________________________
From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Matt Summers
Sent: June 14, 2012 8:25 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Command injection with no spaces

I haven't tried tabs.

One thing I forgot to mention is that the limitation on space is because the web server converts the space to %20 and this can't be interpreted by the shell.

On Thu 14/06/12 14:14 , "Robin Wood" robin () digininja org sent:

On 14 June 2012 10:18, Matt Summers <matt () fireantsecurity co uk> wrote:
> Folks,
>
> We came across an interesting bug in a web system where we could execute any
> system command (on AIX) but we could not enter any spaces in the command and
> we would only get the last line of STDOUT.
>
> Has anyone else come across anything like this?
>
> The most we were able to do was cat the last line from system files and
> determine if a directory existed.
>
> Cheers,

Have you tried using tabs instead of spaces?

Robin

> Matt
>
> --- Part time worker full time salary ---
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
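Seen from the defending side, the constraint described in this thread (spaces never reach the shell) is not a control, since the input quoted above contains no literal space. The following is an added example, not part of the original posts: it compares a no-space check with an allowlist, flags shell metacharacters for logging, and passes the same string as a single argument with no shell involved. The allowlist pattern, the function names and the stand-in child process are assumptions for illustration.

```python
import subprocess
import sys

import re

# Input quoted from the thread above; it contains no literal space character.
THREAD_INPUT = r"SP=$'\x20';cat$SP/etc/passwd|tail$SP-n+1|head$SP-n+1"

# Hypothetical allowlist for a parameter that should only ever be a report name.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

# Characters with special meaning to a POSIX shell (tab and newline included).
SHELL_META = set(";|&$`'\"<>(){}\\\t\n*?!~")


def no_space_filter(value):
    """Weak check: accepts anything that has no literal space in it."""
    return " " not in value


def allowlist_filter(value):
    """Strong check: accept only values that match the allowlist in full."""
    return ALLOWED_NAME.fullmatch(value) is not None


def shell_metacharacters(value):
    """Detection helper: sorted unique shell metacharacters found in value."""
    return sorted({ch for ch in value if ch in SHELL_META})


def echo_as_single_argument(value):
    """Hand value to a child process as one argv element, with no shell.

    The child is a stand-in for the real program: it writes argv[1] back
    unchanged, which shows that nothing in value was interpreted.
    """
    child = "import sys; sys.stdout.write(sys.argv[1])"
    result = subprocess.run(
        [sys.executable, "-c", child, value],
        capture_output=True, text=True, check=True, shell=False,
    )
    return result.stdout


if __name__ == "__main__":
    print("no-space filter accepts :", no_space_filter(THREAD_INPUT))
    print("allowlist accepts       :", allowlist_filter(THREAD_INPUT))
    print("metacharacters to log   :", shell_metacharacters(THREAD_INPUT))
    print("argv without a shell    :", echo_as_single_argument(THREAD_INPUT))
```
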
Current thread:
- Command injection with no spaces Matt Summers (Jun 14)
- Re: Command injection with no spaces Jim Halfpenny (Jun 14)
- Re: Command injection with no spaces Pat Moloney (Jun 14)
- Re: Command injection with no spaces Robin Wood (Jun 14)
- <Possible follow-ups>
- Re: Command injection with no spaces Matt Summers (Jun 14)
- Re: Command injection with no spaces Frisch, Daniel (JUS) (Jun 14)
- Re: Command injection with no spaces Joe Sylve (Jun 14)
- Re: Command injection with no spaces Joshua Wright (Jun 14)
- Re: Command injection with no spaces Champ Clark III (Jun 14)
- Re: Command injection with no spaces Tim Tomes (Jun 14)
- Re: Command injection with no spaces Matt Summers (Jun 14)
- Re: Command injection with no spaces Matt Summers (Jun 14)
- Re: Command injection with no spaces Matt Summers (Jun 15)