On Tue, Dec 8, 2015 at 9:16 AM, Kelvin Tan Thiam Teck <kelvin...@gmail.com> wrote:
> Hi,
> Please try my payload on that script, before telling me what $@ and $*
> does. And see if my param1 injection will cause your system to reboot on
> 18th param. It has nothing to do with $@ & $*, it's another bug in bash
> which I found out, similar to shockbash, except it's harder to execute due
> to the requirement for it to happen.
>
>
> Regards
> KT
>
>

But it's code injection because your script is badly written, it's not a bug in bash.

It's badly written because without quotes around "$@" the parameters are split into words and then you tell bash to execute one of these words.

Bash does what it is supposed to do in your example.

And yes, there are many, many ways to write a script that allows code injection. Shellshock was entirely different in that it allowed code to be injected no matter how the script was written.
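The word splitting described in the reply above, shown as an added example that is not part of the original thread and does not reproduce the script under discussion. The function names and the sample argument are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: ONE argument whose value contains spaces.
SAMPLE='alpha beta gamma'

# Print positional parameter N of the remaining arguments (empty if absent).
nth() {
    n=$1; shift
    [ "$n" -le "$#" ] || return 0
    shift $((n - 1))
    printf '%s\n' "$1"
}

# Weak form: unquoted $@ is split on $IFS (and glob-expanded), so a single
# argument becomes several words and shifts every later position.
count_unquoted() { set -- $@; echo "$#"; }
nth_unquoted()   { n=$1; shift; nth "$n" $@; }

# Hardened form: "$@" passes each argument through as exactly one word.
count_quoted()   { set -- "$@"; echo "$#"; }
nth_quoted()     { n=$1; shift; nth "$n" "$@"; }

# The caller passes two arguments: SAMPLE and the literal word "second".
echo "unquoted: $(count_unquoted "$SAMPLE" second) words, #2 = $(nth_unquoted 2 "$SAMPLE" second)"
echo "quoted:   $(count_quoted "$SAMPLE" second) words, #2 = $(nth_quoted 2 "$SAMPLE" second)"
```

With the unquoted form, the content of the first argument decides what the script sees at position 2 and beyond; with "$@" the positions stay under the script's control.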