The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

However, the shell scripting environment in which Helloworld is inter-

preted supports the use of backticks to insert the output of a different com-

mand within an item of data. Hence, an attacker can inject arbitrary script

commands, and retrieve their output, as follows:

[manicsprout@localhost ~]$ ./helloworld.sh “`ls -la`”

total 28 drwxr-xr-x 2 manicsprout manicsprout 4096 Dec 4 00:22 . 

drwxr-xr-x 3 root root 4096 Dec 4 00:19 .. -rw-r--r-- 1 manicsprout 

manicsprout 24 Dec 4 00:19 .bash_logout -rw-r--r-- 1 manicsprout 

manicsprout 191 Dec 4 00:19 .bash_profile -rw-r--r-- 1 manicsprout 

manicsprout 124 Dec 4 00:19 .bashrc -rw------- 1 manicsprout manicsprout 

706 Dec 4 00:22 .viminfo -rw-rw-r-- 1 manicsprout manicsprout 8 Dec 4 

00:22 helloworld.sh

Although this example is somewhat trivial, if the vulnerable script were exe-

cuting as root, an attacker could leverage it to escalate privileges and execute

commands in the context of the root user. As you will see, this exact vulnera-

bility is still often found in web applications that interface with the operating

system command shell. 

HACK STEPS

Download 5,76 Mb.

Do'stlaringiz bilan baham: