system("/usr/bin/sendmail -t test@test.com ; cat /etc/passwd");
and the consequence would be the display of the passwd file.
The URL to be used would therefore be of the type:
http://www.xxx.zzz/cgi-bin/test.cgi?variable1=test@test.com;cat%20/etc/passwd
We can also use the example above to modify the value of the variable

par

Naturally, there can be filters whose aim is to prevent the use of this character, but they can easily be bypassed: by using the && operator, which causes the next command to be executed only if the one preceding it completed without error, or by surrounding the character with two | characters, so that ; becomes |;| , which in some cases prevents it from being filtered by the CGI.
File-opening functions such as fopen() or open() can also be serious security threats. On UNIX, it is possible to pipe (that is, to send for processing) the result of one function to another function; for this the | character is placed between them. Since it is possible to open a specific file in Perl with the open() function, it is of course impossible to read it; however, it is possible to pipe its result to a function that will then be executed in an independent process. Let us take the example of infosrch.cgi, which is vulnerable to this method: the fname variable, which is used to open a file, can receive as an argument any function preceded by a pipe. So we will attempt to read the contents of our /etc/passwd file with the help of the /bin/cat command:
The <strong>Hack</strong>ademy DMP -119/209- SYSDREAM
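The two weaknesses described on this page, shell metacharacters reaching a string-form system() and a leading | reaching a two-argument open(), are closed in the following Perl CGI fragment. This is an added example, not code from the Hackademy document or from infosrch.cgi; the parameter names variable1 and fname come from the text, while the document directory /var/www/docs and the use of CGI.pm are assumptions.

```perl
#!/usr/bin/perl
# Added hardening example (not from the Hackademy document or infosrch.cgi).
# Assumptions: CGI.pm is installed; documents live under /var/www/docs.
use strict;
use warnings;
use CGI;

# Allow-list the recipient. A deny-list of ';' is what the text shows being
# bypassed with '&&' and '|;|'; an allow-list rejects all three without
# having to enumerate them.
sub valid_recipient {
    my ($addr) = @_;
    return 0 unless defined $addr;
    return $addr =~ /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/ ? 1 : 0;
}

# List-form system(): sendmail is executed directly with an argv and no
# /bin/sh is involved, so ';', '&&' and '|' inside $to are plain argument bytes.
sub send_notification {
    my ($to) = @_;
    return 0 unless valid_recipient($to);
    my $rc = system('/usr/bin/sendmail', '-t', $to);
    return $rc == 0 ? 1 : 0;
}

# Three-argument open() with an explicit '<' mode: a value beginning with '|'
# in fname is treated as a (nonexistent) file name, never as a pipe to a
# command. The name is also confined to one directory (no '/', no leading '.')
# so it cannot point outside it.
sub read_document {
    my ($fname) = @_;
    return unless defined $fname && $fname =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;
    my $path = "/var/www/docs/$fname";          # assumed document directory
    open(my $fh, '<', $path) or return;
    local $/;                                   # slurp mode
    my $content = <$fh>;
    close $fh;
    return $content;
}

my $cgi = CGI->new;
print $cgi->header('text/plain');

if (send_notification(scalar $cgi->param('variable1'))) {
    print "mail handed to sendmail\n";
} else {
    print "recipient rejected or sendmail failed\n";
}

my $doc = read_document(scalar $cgi->param('fname'));
print defined $doc ? $doc : "no such document\n";
```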