On Tue, Dec 8, 2015 at 9:58 AM, Kelvin Tan Thiam Teck <kelvin...@gmail.com> wrote:
> dumbass@Lucifer:~$ ./report.sh "echo ln -s /sbin/halt; mv halt ;reboot8 ;*
> reboot*" AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA
> AAA AAA AAA AAA
> Before Passing Thru Function: echo ln -s /sbin/halt; mv halt ;reboot8 ;
> reboot AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA
> AAA AAA AAA
> reboot: Need to be root
> 9th:
> 10th: echo0
> 11th: echo1
> 12th: echo2
> 13th: echo3
> 14th: echo4
> 15th: echo5
> 16th: echo6
> 17th: echo7
> ./report.sh: line 29: echo8: command not found
> 19th: echo9
> 20th: ln0
> dumbass@Lucifer:~$

I think you misunderstand me; I'm not denying that you inject some code. What I'm saying is that the bug is in your code. Here is a simpler way to reproduce:

$ cat inject
#!/bin/bash
function foo {
"$2"
}
foo $*
$ ./inject "blah date"
Tue Dec 8 10:08:45 EET 2015

You can see that "date" is executed, but it's a bug in the script: $* is split in 2, as it is supposed to be, and foo receives 2 arguments. You can fix the bug using "$@":

$ vi inject
$ cat inject
#!/bin/bash
function foo {
"$2"
}
foo "$@"
$ ./inject "blah date"
./inject: line 3: : command not found

Now the arguments are not split again and foo receives only one argument, hence the error. As I said, there are many pitfalls in shell scripts; that's why allowing a script to run with more privileges than the user has is dangerous.
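The re-splitting the reply describes, shown as an added example that is not part of the original thread or of the report.sh script under discussion (the function names via_star, via_at, count_args and run_allowed are made up here): the same caller arguments are forwarded once unquoted through $* and once through "$@", and the callee reports how many arguments it actually received. The last function shows the defensive pattern the reply's point leads to: a script that runs with more privilege than its caller should select a command from a fixed allowlist rather than execute a string it was handed.

```shell
#!/bin/sh
# Added example, not code from the thread. Demonstrates why an argument
# such as "blah date" arrives as two arguments through unquoted $* but as
# one argument through "$@". All names below are invented for this example.

# Reports the number of positional parameters it actually received.
count_args() {
    echo "$#"
}

# Forwards unquoted: the shell re-splits every whitespace inside each
# argument, so "blah date" becomes the two words blah and date.
via_star() {
    count_args $*
}

# Forwards quoted: each original argument is passed on intact.
via_at() {
    count_args "$@"
}

# Hardened dispatcher: never executes a caller-supplied string; it only
# runs a command named in a fixed allowlist and refuses anything else.
run_allowed() {
    case "$1" in
        date) "$1" ;;
        *) echo "refused: $1" >&2; return 1 ;;
    esac
}

# Stand-alone demonstration (constructed input, same as in the thread).
echo "via \$*  : $(via_star "blah date") argument(s)"
echo "via \"\$@\": $(via_at "blah date") argument(s)"
run_allowed "blah date" || echo "dispatcher refused the injected string"
```

Running it prints 2 for the $* path and 1 for the "$@" path; with more arguments the gap grows, since every embedded space in every argument becomes another split point.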