Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is this batch file injection?

Tags:

security

command-line

batch-file

code-injection

C:\>batinjection OFF ^& DEL c.c

batinjection.bat has contents of ECHO %*

I've heard of SQL injection, though i've never actually done it, but is this injection? Are there different types of injection and this is one of them?

Or is there another technical term for this? or a more specific term?

Note- a prior edit had C:\>batinjection OFF & DEL c.c(i.e. without ^%) and ECHO %1(i.e. without %*) which wasn't quite right. I have corrected it. It doesn't affect the answers.

like image 787
barlop Avatar asked Nov 24 '11 08:11

barlop

2 Answers

Your example presents three interesting issues that are easier to understand when separated.

First, Windows allows multiple statements to be executed on one line by separating with "&". This could potentially be used in an injection attack.

Second, ECHO parses and interprets messages passed to it. If the message is "OFF" or "/?" or even blank, then ECHO will provide a different expected behavior than just copying the message to stdout.

Third, you know that it's possible to inject code into a number of scriptable languages, including batch files, and want to explore ways to recognize it so you can better defend against it in your code.

It would be easier to recognize the order in which things are happening in your script if you add an echo statement before and after the one you're trying to inject. Call it foo.bat.

@echo off
echo before
echo %1
echo after

Now, you can more easily tell whether your injection attempt executed at the command line (not injection) or was executed as a result of parameter expansion that broke out of the echo statement and executed a new statement (injection).

foo dir

Results in:

before
dir
after

Pretty normal so far. Try a parameter that echo interprets.

foo /?

Results in:

before
Displays messages, or turns command-echoing on or off.

  ECHO [ON | OFF]
  ECHO [message]

Type ECHO without parameters to display the current echo setting.
after

Hmm. Help for the echo command. It's probably not the desired use of echo in that batch file, but it's not injection. The parameters were not used to "escape out" of the limits of either the echo statement or the syntax of the batch file.

foo dog & dir

Results in:

before
dog
after
[A spill of my current directory]

Okay, the dir happened outside of the script. Not injection.

foo ^&dir/w

Results in:

before
ECHO is off.
[A spill of my current directory in wide format]
after

Now, we've gotten somewhere. The dir is not a function of ECHO, and is running between the before and after statements. Let's try something more dramatic but still mostly harmless.

foo ^&dir\/s

Yikes! You can pass an arbitrary command that can potentially impact your system's performance all inside an innocuous-looking "echo %1".

like image 195
phatfingers Avatar answered Nov 09 '22 18:11

phatfingers

Yes, it's a type of injection, and it's one of the big problems with batch files, that mostly it isn't a purposefully attac, most of the time you simple get trouble with some characters or word like OFF.

Therefore you should use technics to avoid this problems/vulnerabilitys.

In your case you could change your batch file to

set "param1=%*"
setlocal EnableDelayedExpansion
echo(!param1!

I use echo( here instead of echo. or something else, as it is the only known secure echo for all appended contents.

I use the delayed expansion ! instead of percent expansion, as delayed expansion is always safe against any special characters.

To use the delayed expansion you need to transfer the parameter into a variable and a good way is to use quotes around the set command, it avoid many problems with special characters (but not all).

But to build an absolutly secure way to access batch parameters, the way is quite harder.
Try to make this safe is tricky
myBatch.bat ^&"&"

You could read SO: How to receive even the strangest command line parameters?

The main idea is to use the output of a REM statement while ECHO ON.
This is safe in the way, that you can't inject code (or better: only with really advanced knowledge), but the original content can be changed, if your content is something like.

myBatch.bat myContent^&"&"%a

Will be changed to myContent&"&"4

like image 34
jeb Avatar answered Nov 09 '22 20:11

jeb
Sign in to Comment

Related questions

Security considerations using "new Function(...)" (during rendertime, expression coming from my Javascript sources)
How do you block specific IP adress in Ruby on Rails
Is it safe use an iframe for a payment?
How to secure php scripts?
How to clear sensitive memory in JavaScript?
Getting cryptographically secure random numbers in C++ on iOS
Why isn't my .net-calculated MD5 hash equivalent to the hash calculated on a web site?
Subversion Repository on Linux Dev
Where in the call stack should role checks be done?
php frameworks and security
Any Way to Read JAAS Configuration File from Memory
Is it possible to get RSA private key knowing public key and set of "original data=>encrypted data" entries?
C++: How to escape user input for safe system calls?
Impersonation the current user using WindowsImpersonationContext to access network drive
Securing parts of an HTTP request?
is it safe using dynamic SQL with parameters? If not, what security issues might it be exposed to?
Guaranteeing request came from local server
List of characters to be restricted for protection against XSS and SQL Injections?
Protecting from "registration bots"? [closed]
Alternatives to NOP for shellcode nop sleds

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!