Hi,

Please try my payload on that script before telling me what $@ and $* do, and see if my param1 injection will cause your system to reboot on the 18th param. It has nothing to do with $@ & $*; it's another bug in bash which I found out, similar to shockbash, except it's harder to execute due to the requirement for it to happen.

Regards
KT

On Tue, Dec 8, 2015 at 2:30 PM, Quentin <quen...@minster.io> wrote:

> On 2015-12-08 02:45, Kelvin Tan Thiam Teck wrote:
>
>> hi, there's a bug on function that allow attacker to inject
>> parameters.
>> ./report.sh "echo ln -s /sbin/halt; mv halt ;reboot8 ; reboot" AAA AAA
>> AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA
>> AAA
>>
>> #!/bin/bash
>> function library {
>> echo ${@}
>> }
>> function Gateway {
>> unset param
>> param[7]="$8"
>> piaram[8]="$9"
>> param[9]="$10"
>> param[10]="$11"
>> param[11]="$12"
>> param[12]="$13"
>> param[13]="$14"
>> param[14]="$15"
>> param[15]="$16"
>> param[16]="$17"
>> param[17]="$18"
>> param[18]="$19"
>> #echo "After Passing Thru Function: ${param[@]}"
>> echo "9th: `$9`"
>> echo "10th: $10"
>> echo "11th: $11"
>> echo "12th: $12"
>> echo "13th: $13"
>> echo "14th: $14"
>> echo "15th: $15"
>> echo "16th: $16"
>> echo "17th: $17"
>> $18
>> echo "19th: $19"
>> echo "20th: $20"
>> }
>> echo "Before Passing Thru Function: $*"
>> Gateway $*
>>
>
> Hi,
>
> I think you should read the "Special Parameters" and "Parameter Expansion"
> sections of the Bash man page.
> Specifically:
> * $* does not expand parameters as separate words (as "$@" does)
> * positional parameters with more than 1 digit require braces: "${11}"
>
> Cheers,
> Quentin
>
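
The two points from the quoted reply ($* versus "$@", and braces for multi-digit positional parameters), as an added example that is not part of the original thread. All function names and arguments below are constructed for illustration and are harmless strings.

```bash
#!/bin/bash
# Added example: constructed, harmless arguments only.

# Unbraced multi-digit references: the shell reads "$10" as "${1}" followed
# by a literal "0", and "$18" as "${1}" followed by a literal "8".
unbraced_tenth()      { printf '%s\n' "$10"; }
unbraced_eighteenth() { printf '%s\n' "$18"; }

# Braced references select the real tenth and eighteenth parameters.
braced_tenth()      { printf '%s\n' "${10}"; }
braced_eighteenth() { printf '%s\n' "${18}"; }

# Helper: report how many arguments the callee actually received.
count_args() { printf '%s\n' "$#"; }

# Unquoted $* is word-split again, so one argument containing spaces
# arrives in the callee as several arguments.
forward_star() { count_args $*; }

# "$@" forwards every argument as exactly one word.
forward_at() { count_args "$@"; }

# Constructed demo: 20 arguments, the first one containing spaces.
demo() {
  set -- "first arg with spaces" a2 a3 a4 a5 a6 a7 a8 a9 a10 \
         a11 a12 a13 a14 a15 a16 a17 a18 a19 a20
  printf 'unbraced 10th: %s\n' "$(unbraced_tenth "$@")"
  printf 'braced   10th: %s\n' "$(braced_tenth "$@")"
  printf 'unbraced 18th: %s\n' "$(unbraced_eighteenth "$@")"
  printf 'braced   18th: %s\n' "$(braced_eighteenth "$@")"
  printf 'args seen via $*  : %s\n' "$(forward_star "$@")"
  printf 'args seen via "$@": %s\n' "$(forward_at "$@")"
}

demo
```
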