On 2015-12-08 08:16, Kelvin Tan Thiam Teck wrote:
Hi,
Please try my payload on that script before telling me what $@ and $*
do, and see if my param1 injection will cause your system to reboot
on the 18th param. It has nothing to do with $@ & $*; it's another bug in
bash which I found, similar to shockbash, except it's harder to
execute due to the requirement for it to happen.
Regards
KT

Hi,
I tried your payload on that script, using Bash 4.2.37(1)-release.
It behaves exactly as expected: when calling the Gateway function, $*
expands the script's "$1" to separate words and "reboot" becomes the 9th
positional parameter to the function.
Then 'echo "9th: `$9`"' tries to execute 'reboot' (and fails since I'm
not root, in my case). Note all other "echo"s don't have those
backticks.
Nothing special happens on param 18 since $18 expands as expected to
"$1"8 = "echo8" inside the function (and that command does not exist, at
least on my system).
Please provide your output to that script (not run as root so as not to
make the system reboot) if it's different from what I describe above.
Regards,
Quentin
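
The behaviour Quentin describes can be reproduced safely with the sketch below, an added example that is not part of the thread and not the script under discussion. The names gateway, forward_unquoted, forward_quoted, marker_cmd and the payload string are assumptions made for illustration; marker_cmd is a harmless stand-in for "reboot".

```shell
#!/bin/sh
# Added illustration: a constructed stand-in, not the script from the thread.
# marker_cmd is a hypothetical harmless function used in place of "reboot".
marker_cmd() { echo EXECUTED; }

# Callee modelled on the description above: it runs $9 inside backticks
# and prints $18 both unbraced and braced.
gateway() {
    echo "argc: $#"
    echo "9th: `$9`"
    echo "18th bare: $18"          # parsed as ${1} followed by a literal 8
    echo "18th braced: ${18-}"     # the real 18th parameter, empty if unset
}

# Unquoted $* re-splits every argument on IFS before the call.
forward_unquoted() { gateway $*; }

# "$@" passes each argument through as exactly one word.
forward_quoted() { gateway "$@"; }

# Constructed input: ONE argument that contains nine space-separated words.
payload='echo b c d e f g h marker_cmd'

echo "--- gateway \$*"
forward_unquoted "$payload"
echo "--- gateway \"\$@\""
forward_quoted "$payload"
```

With "$@" the callee sees a single argument, so $9 is empty and nothing is executed; the command only runs because the callee itself places $9 inside backticks after $* has split the input.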