Hi,

Let me start the story in this way. Please note param 10 onwards to param 19. Why is my param 1 merged with param 10 - 19?

dumbass@Lucifer:~$ ./repo.sh a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
param 1: a
param 2: 1
param 3: 2
param 4: 3
param 5: 4
param 6: 5
param 7: 6
param 8: 7
param 9: 8
param 10: a0
param 11: a1
param 12: a2
param 13: a3
param 14: a4
param 15: a5
param 16: a6
param 17: a7
param 18: a8
param 19: a9
param 20: 10

*Execution Section.*

The initial mail successfully inserts the command reboot into the 18th param, which triggers a system reboot.

./repo.sh a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

*Script Section*

#!/bin/bash
function gateway
{
    echo "param 1: $1"
    echo "param 2: $2"
    echo "param 3: $3"
    echo "param 4: $4"
    echo "param 5: $5"
    echo "param 6: $6"
    echo "param 7: $7"
    echo "param 8: $8"
    echo "param 9: $9"
    echo "param 10: $10"
    echo "param 11: $11"
    echo "param 12: $12"
    echo "param 13: $13"
    echo "param 14: $14"
    echo "param 15: $15"
    echo "param 16: $16"
    echo "param 17: $17"
    echo "param 18: $18"
    echo "param 19: $19"
    echo "param 20: $20"
}
gateway $*

On Tue, Dec 8, 2015 at 3:58 PM, Kelvin Tan Thiam Teck <kelvin...@gmail.com> wrote:

> dumbass@Lucifer:~$ ./report.sh "echo ln -s /sbin/halt; mv halt ;reboot8 ;*
> reboot*" AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA
> AAA AAA AAA AAA
> Before Passing Thru Function: echo ln -s /sbin/halt; mv halt ;reboot8 ;
> reboot AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA
> AAA AAA AAA
> reboot: Need to be root
> 9th:
> 10th: echo0
> 11th: echo1
> 12th: echo2
> 13th: echo3
> 14th: echo4
> 15th: echo5
> 16th: echo6
> 17th: echo7
> ./report.sh: line 29: echo8: command not found
> 19th: echo9
> 20th: ln0
> dumbass@Lucifer:~$
>
> On Tue, Dec 8, 2015 at 3:27 PM, Pierre Gaston <pierre.gas...@gmail.com>
> wrote:
>
>> On Tue, Dec 8, 2015 at 9:16 AM, Kelvin Tan Thiam Teck <
>> kelvin...@gmail.com> wrote:
>>
>>> Hi,
>>> Please try my payload on that script before telling me what $@ and $*
>>> do, and see if my param1 injection will cause your system to reboot on
>>> the 18th param. It has nothing to do with $@ & $*; it's another bug in bash
>>> which I found out, similar to shockbash, except it's harder to execute due
>>> to the requirement for it to happen.
>>>
>>> Regards
>>> KT
>>>
>> But it's code injection because your script is badly written, it's not a
>> bug in bash.
>> It's badly written because without quotes around "$@" the parameters are
>> split into words and then you tell bash to execute one of these words.
>> Bash does what it is supposed to do in your example.
>>
>> And yes, there are many, many ways to write a script that allows code
>> injections.
>>
>> Shellshock was entirely different in that it allowed to inject code no
>> matter how the script was written.
>>
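
The two behaviours discussed in this thread, as an added example that is not part of any message: "$10" being read as "${1}0", and unquoted $* re-splitting arguments so that words from inside argument 1 land in later positions. The function names and sample arguments are constructed for illustration.

```bash
#!/bin/bash
# Added example, not code from the thread. All names here are hypothetical.

# "$10" is parsed as "${1}0": parameter 1 followed by a literal 0.
tenth_unbraced() { echo "$10"; }

# Positional parameters above 9 need braces.
tenth_braced() { echo "${10}"; }

# Print the argument found at position $1 among the remaining arguments,
# or an empty line when there are fewer arguments than that.
pick() {
    n=$1
    shift
    [ "$n" -le "$#" ] || { echo ""; return 0; }
    shift $((n - 1))
    echo "$1"
}

# Unquoted $*: every argument is split again on whitespace, so words from
# inside argument 1 move into later positions.
pick_unquoted() {
    n=$1
    shift
    pick "$n" $*
}

# Quoted "$@": every argument is forwarded as exactly one word.
pick_quoted() {
    n=$1
    shift
    pick "$n" "$@"
}

# Constructed sample input.
tenth_unbraced a 1 2 3 4 5 6 7 8 9 10   # a0
tenth_braced   a 1 2 3 4 5 6 7 8 9 10   # 9
pick_unquoted 3 "one two three" X       # three
pick_quoted   3 "one two three" X       # empty line: only 2 arguments exist
pick_quoted   2 "one two three" X       # X
```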