The latter approach is much more flexible, and helps to keep the web server's code simpler and therefore hopefully more secure.

CGI then collects the output of the command and sends it back to the web server.

So, if your web server allows a CGI URL that names a script, for example one called procs that lists running processes, then somewhere you will have a program or script called procs that runs the system command ps, chops up the output as desired, and writes it out so the web server can consume it.

In many CGI implementations, however, the web server doesn't run your procs program directly. Often, CGI scripts are launched indirectly by running a command shell such as bash and then telling bash to run the procs program.

Letting bash take care of running external programs is much more powerful and convenient than taking care of running them yourself, but it comes with numerous additional risks that you need to watch out for.

For example, if you add the text >filename to a bash command, it will write the output of the command into a file called filename instead of printing it normally (if you use >> instead, the output is appended to an existing file rather than overwriting it).

That means you have to be really careful not to let > characters get into a CGI command, or else a crook could misuse the system to delete, replace or modify vital system data such as configuration files or password databases.

Similarly, if you send bash a command that has a semicolon in the middle, the semicolon is treated as a command separator, not as a command argument, so you can put two or more commands on one line.

If you have a Linux/Unix command prompt handy, you can see how the semicolon affects things:

```
$ echo hello, whoami
hello, whoami
$ echo hello; whoami
hello
(your username here)
```

In the first command, the entire line after echo becomes the argument list of the echo command, so the whole text is echoed (printed out).

But in the second, the line is split into two commands at the semicolon, so you end up running echo hello, which prints out hello, and then running whoami, which prints your username.

In other words, web servers have to be super-careful about rogue semicolons in CGI script arguments, as well as numerous other special characters such as $, \ and |.

If rogue semicolons were permitted and passed along in the command line to bash, malicious visitors to the website would be able to send a CGI request that also included commands of their own choice, and the server would blindly run those commands.

That's called command injection, and exploiting it gives what's called remote code execution (RCE).

It turns out that basic CGI command injection can be directly and trivially exploited on buggy Netgear routers, for example with a URL whose path ends in a slash followed by ;whoami.

Faced with this URL, it seems that the CGI system runs an empty command (the zero characters after the final slash and before the semicolon), followed by a command consisting of whatever you put after the semicolon.

This injected command runs as the root user, the all-powerful Linux/Unix system administrator.
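To make the two designs concrete, here is an added example, written for this page rather than taken from the article or from any router firmware: a miniature CGI dispatcher in Python. `run_cgi_via_shell` does what the article describes, gluing the last path component onto a CGI directory and handing the resulting string to /bin/sh, so a path ending in `/;whoami` runs an empty command and then `whoami`, and a `>` in the path redirects output into a file. `run_cgi_safely` goes a step beyond the article by showing the fix: it allow-lists the script name, checks that it resolves to an executable file inside the CGI directory, and executes it as an argv list so no shell ever sees the request. The CGI directory, the `procs` script (which only echoes a fixed line), the metacharacter set and every request path are constructed for the demonstration.

```python
"""Added example, not code from the original article or from any router firmware:
a miniature CGI dispatcher showing the difference between handing a URL path to
a shell and executing the script directly. CGI_DIR, the procs script and every
request path below are constructed for the demonstration."""
import os
import re
import subprocess
import tempfile

# Characters the article warns about (; > $ \ |) plus the other usual shell
# metacharacters. Illustrative only: the hardened path below uses an
# allow-list and no shell, so it never has to get this list exactly right.
SHELL_METACHARACTERS = set(";|&$`\\><\n\"'()*?[]{}")

# Constructed CGI directory holding one script, "procs", which stands in for
# the article's process-listing script and just prints a fixed line.
CGI_DIR = tempfile.mkdtemp(prefix="cgi-bin-")
with open(os.path.join(CGI_DIR, "procs"), "w") as fh:
    fh.write("#!/bin/sh\necho 'PID CMD (constructed output)'\n")
os.chmod(os.path.join(CGI_DIR, "procs"), 0o755)


def script_from_path(url_path: str) -> str:
    """Treat whatever follows the final slash of the URL path as the script name."""
    return url_path.rsplit("/", 1)[-1]


def run_cgi_via_shell(url_path: str) -> str:
    """VULNERABLE: builds one command string and lets /bin/sh interpret it.
    A path ending in "/;whoami" becomes  sh -c "<CGI_DIR>/;whoami": the shell
    runs the (empty, failing) command before the semicolon, then whoami."""
    cmdline = CGI_DIR + "/" + script_from_path(url_path)
    done = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return done.stdout


def run_cgi_safely(url_path: str) -> str:
    """HARDENED: allow-list the script name, check it resolves to an executable
    regular file inside CGI_DIR, then exec it as an argv list with no shell,
    so ; > | $ and friends are rejected up front and never interpreted."""
    name = script_from_path(url_path)
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,32}", name):
        raise ValueError(f"rejected CGI script name {name!r}")
    target = os.path.join(CGI_DIR, name)
    # realpath defeats a symlink planted inside CGI_DIR that points elsewhere
    if os.path.dirname(os.path.realpath(target)) != os.path.realpath(CGI_DIR):
        raise ValueError("script resolves outside the CGI directory")
    if not os.path.isfile(target) or not os.access(target, os.X_OK):
        raise ValueError(f"no executable CGI script named {name!r}")
    done = subprocess.run([target], capture_output=True, text=True)
    return done.stdout


def contains_shell_metacharacters(s: str) -> bool:
    """Detection helper for request logs or filters; a denylist is a backstop,
    not a substitute for never invoking a shell."""
    return any(ch in SHELL_METACHARACTERS for ch in s)


if __name__ == "__main__":
    # The benign request works either way.
    print(run_cgi_via_shell("/cgi-bin/procs"), end="")
    print(run_cgi_safely("/cgi-bin/procs"), end="")
    # The injection the article describes: an empty command, then whoami.
    print("via shell:", run_cgi_via_shell("/cgi-bin/;whoami").strip())
    # The > case: the "script name" redirects procs output into a file.
    clobbered = os.path.join(CGI_DIR, "clobbered")
    run_cgi_via_shell("/cgi-bin/procs>" + clobbered)
    print("file written by injected redirect:", os.path.exists(clobbered))
    try:
        run_cgi_safely("/cgi-bin/;whoami")
    except ValueError as exc:
        print("hardened:", exc)
```

Run it as a script to watch `/cgi-bin/;whoami` print your username through the vulnerable dispatcher while the hardened one rejects the name before anything executes. The design point is that the safe version does not try to enumerate dangerous characters at all: it accepts only a short alphanumeric name and passes the resolved path to `subprocess.run` as a list, so there is no command line for `;`, `>` or `|` to alter. `contains_shell_metacharacters` is there only for detection, for example to flag suspicious requests in access logs.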