dumbass@Lucifer:~$ ./report.sh "echo ln -s /sbin/halt; mv halt ;reboot8 ;* reboot*" AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA
Before Passing Thru Function: echo ln -s /sbin/halt; mv halt ;reboot8 ; reboot AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA
reboot: Need to be root
9th:
10th: echo0
11th: echo1
12th: echo2
13th: echo3
14th: echo4
15th: echo5
16th: echo6
17th: echo7
./report.sh: line 29: echo8: command not found
19th: echo9
20th: ln0
dumbass@Lucifer:~$

On Tue, Dec 8, 2015 at 3:27 PM, Pierre Gaston <pierre.gas...@gmail.com> wrote:

> On Tue, Dec 8, 2015 at 9:16 AM, Kelvin Tan Thiam Teck <kelvin...@gmail.com>
> wrote:
>
>> Hi,
>> Please try my payload on that script before telling me what $@ and $*
>> do, and see if my param1 injection will cause your system to reboot on
>> the 18th param. It has nothing to do with $@ & $*, it's another bug in bash
>> which I found out, similar to shockbash, except it's harder to execute due
>> to the requirement for it to happen.
>>
>> Regards
>> KT
>
> But it's code injection because your script is badly written, it's not a
> bug in bash.
> It's badly written because without quotes around "$@" the parameters are
> split into words and then you tell bash to execute one of these words.
> Bash does what it is supposed to do in your example.
>
> And yes, there are many, many ways to write a script that allows code
> injections.
>
> Shellshock was entirely different in that it allowed injecting code no
> matter how the script was written.
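
The word splitting described in the reply above, and the `10th: echo0` lines in the session output, shown as an added shell example that is not part of the original thread or of report.sh. The function names and sample arguments are constructed for illustration, and the arguments are only counted and printed, never executed.

```shell
#!/bin/sh
# Added example. All names and inputs here are constructed.

# Re-sets the positional parameters from an UNQUOTED $@.
# Each argument is split again on whitespace (and would also be
# glob-expanded), so one argument can become several words.
count_unquoted() {
    # shellcheck disable=SC2068
    set -- $@
    echo "$#"
}

# Same, but with "$@" quoted: every argument stays exactly one word.
count_quoted() {
    set -- "$@"
    echo "$#"
}

# $10 is parsed as ${1} followed by a literal "0", not as the tenth
# parameter. This is why the session prints "10th: echo0".
tenth_without_braces() {
    echo "$10"
}

# Braces are required for positional parameters above 9.
tenth_with_braces() {
    echo "${10}"
}

# Constructed input: first argument contains spaces, like param1 in the thread.
first='echo hello world'

echo "unquoted \$@ sees $(count_unquoted "$first" AAA) words"
echo "quoted \"\$@\" sees $(count_quoted "$first" AAA) words"
echo "\$10    -> $(tenth_without_braces echo 2 3 4 5 6 7 8 9 ten)"
echo "\${10}  -> $(tenth_with_braces echo 2 3 4 5 6 7 8 9 ten)"
```

A script that quotes `"$@"` and writes `${10}`, `${18}` and so on never turns a fragment of the first argument into a separate word that can later be run as a command.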