I was wondering, nowadays with the most recent versions of sh, bash, ksh etc. is it possible to get command injection by executing this (very simple) script?
#!/bin/sh
echo "What is the name of the program you are looking for?"
read program
locate $program
Despite the fact that one can already execute code if they have a shell of course, I am just wondering if a variable can contain malicious code like for example in PHP:
parameter=parameter;ls
Also shellshock (env variables) can be ignored in this question.
Yes, it is possible, but it is not as simple as you mention. See some examples below.
This will not work:
$ read -p "Type some text:" var1
Type some text:Example;hostname
$ echo $var1
Example;hostname
$ $var1
Example;hostname: command not found
But if you use it like this, yes, it will work:
$ read -p "Type some text:" var1
Type some text:hostname
$ echo $var1
hostname
$ $var1
SSBLZMVM1
If written like that, you never know if there isn't a shell implementation out there which could be tricked like that. You can be on the safe side however by putting the argument of locate in quotation marks. Then the expanded parameter will be treated as a single word:
#!/bin/sh
echo "What is the name of the program you are looking for?"
read program
locate "${program}"
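What each form actually hands to the command, as an added example that is not part of either answer. `show_args` is a hypothetical stand-in for `locate`, and the input string and scratch files are constructed for the demonstration.

```shell
#!/bin/sh
# show_args is a hypothetical stand-in for locate: it prints each argument
# it receives on its own line, wrapped in <>, and executes nothing.
show_args() {
    for a in "$@"; do printf '<%s>\n' "$a"; done
}

# Unquoted expansion, as in the question's script. Run inside a scratch
# directory holding two files so that pathname expansion is visible.
expand_unquoted() {
    (
        dir=$(mktemp -d) || exit 1
        cd "$dir" || exit 1
        touch a.txt b.txt
        program=$1
        show_args $program        # same form as: locate $program
        cd / && rm -rf "$dir"
    )
}

# Quoted expansion, as in the answer's script.
expand_quoted() {
    (
        program=$1
        show_args "${program}"    # same form as: locate "${program}"
    )
}

# Constructed input, as it might be typed at the `read program` prompt.
sample='ls;hostname -i *.txt'

echo "unquoted:"; expand_unquoted "$sample"
echo "quoted:";   expand_quoted "$sample"
```

The unquoted form never re-parses `;` as a command separator, but it does split the value on whitespace and expand the glob, so the command receives four arguments instead of one. Quoting keeps the value as a single word; a value that begins with `-` is still one word and can be kept from being read as an option by placing `--` before it, for utilities that follow the POSIX utility syntax guidelines.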