The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws
Example 1: Injecting via Perl

Consider the following Perl CGI code, which is part of a web application for server administration. This function allows administrators to specify a directory on the server, and view a summary of its disk usage:

#!/usr/bin/perl
use strict;
use CGI qw(:standard escapeHTML);

print header, start_html("");
print "<pre>";

# The preset command is built by plain string concatenation with the
# untrusted "dir" parameter and then handed to a shell via backticks;
# this is the command injection flaw the example illustrates.
my $command = "du -h --exclude php* /var/www/html";
$command = $command.param("dir");
$command = `$command`;
print "$command\n";

print end_html;

When used as intended, this script simply appends the value of the user-supplied dir parameter to the end of a preset command, executes the command, and displays the results, as shown in Figure 9-3.

Figure 9-3: A simple application function for listing a directory's contents

This functionality can be exploited in various ways, by supplying crafted input containing shell metacharacters. These characters have a special meaning to the interpreter that processes the command and can be used to interfere with the command that the developer intended to execute. For example, the pipe character | is used to redirect the output from one process into the input of another, enabling multiple commands to be chained together. An attacker can leverage this behavior to inject a second command and retrieve its output, as shown in Figure 9-4.
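The following Perl script is an added example, not code from the book. It places the book's string-concatenation pattern next to a hardened builder so the difference is visible on the same inputs: the unsafe builder returns the command string it would hand to the shell, while the safe builder validates the dir parameter against a strict allowlist, resolves it under the base directory, and returns an argument list for the list form of open(), which launches du directly without involving /bin/sh. The function names, the allowlist pattern, and the sample inputs are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Base directory the administration function reports on (from the book's
# example); everything else in this script is constructed for illustration.
my $BASE = '/var/www/html';

# Vulnerable construction, mirroring the book: the raw parameter is glued onto
# a shell command string. Returned instead of executed so it can be inspected.
sub build_command_unsafe {
    my ($dir) = @_;
    return "du -h --exclude php* $BASE" . $dir;
}

# Hardened construction (assumed design, not the book's): accept only a
# relative path of safe characters, refuse traversal, anchor it under $BASE,
# and return an argument list rather than a string.
sub build_command_safe {
    my ($dir) = @_;
    return undef unless defined $dir
        && $dir =~ m{\A[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*\z};
    return undef if grep { $_ eq '..' } split m{/}, $dir;
    my $target = File::Spec->catdir($BASE, $dir);
    # '--' stops option parsing; 'php*' is passed to du's own --exclude
    # matcher, not expanded by a shell.
    return ['du', '-h', '--exclude', 'php*', '--', $target];
}

# Run the argument list with the list form of open(): with more than one
# element no shell is started, so metacharacters in arguments are literal.
sub run_safe {
    my ($argv) = @_;
    return undef unless $argv;
    open(my $fh, '-|', @$argv) or return undef;
    local $/;
    my $out = <$fh>;
    close $fh;
    return $out;
}

# Constructed inputs: a benign subdirectory and one carrying a pipe character.
for my $input ('/images', '/images | other-command') {
    (my $rel = $input) =~ s{^/}{};
    my $unsafe = build_command_unsafe($input);
    my $safe   = build_command_safe($rel);
    print "input : $input\n";
    print "unsafe: $unsafe\n";
    print "safe  : ", ($safe ? join(' ', @$safe) : 'REJECTED'), "\n\n";
    # Only execute when the validated target actually exists on this host.
    if ($safe && -d $safe->[-1]) {
        my $out = run_safe($safe);
        print $out if defined $out;
    }
}
```

Running it shows the pipe character surviving intact in the unsafe command string, where a shell would treat it as a command separator, and the same input being rejected outright by the allowlist before any process is started. The two controls are independent: the allowlist limits what reaches du at all, and the list-form open() guarantees that whatever does reach it is treated as data rather than shell syntax.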
