Reputation: 3510
Is it possible to perform shell injection through a read and/or to break out of quotes?
Consider this example of (attempted) shell injection:
test1.sh:
#!/bin/sh
read FOO
echo ${FOO}
z.dat:
foo && sleep 1 && echo 'exploited'
Then run:
cat z.dat | ./test.sh
On my machine (Ubuntu w/bash) the payload is always (correctly) treated as a single string and never executes the malicious sleep and echo commands.
Question 1: Is it possible to modify z.dat so that test.sh is vulnerable to injection? In particular are there specific shells that might be vulnerable?
Question 2: If so, is changing the test script to quote the variable (shown below) an absolute defense?
test2.sh:
#!/bin/sh
read FOO
echo "${FOO}"
Thanks!
Upvotes: 3
Views: 6031
Answers (1)
Reputation: 4012
Not according to: https://developer.apple.com/library/mac/documentation/OpenSource/Conceptual/ShellScripting/ShellScriptSecurity/ShellScriptSecurity.html
Search for 'Backwards Compatibility Example'
Upvotes: 2
Related Questions
- Can I protect against SQL injection by escaping single-quote and surrounding user input with single-quotes?
- How to read mutliline input from stdin into variable and how to print one out in shell(sh,bash)?
- Is it possible to break out of a restricted (custom) shell?
- is it possible to perform a SQL Injection through a XSS vulnerability?
- Is command injection possible within shell scripts without the use of eval?
- Possible: json_encode($data) and shell injection?
- Possible race condition with piped output from multiple tee recipients arriving out-of-sequence on a named pipe in a BASH script
- Shell script printing out "read: missing arguments"
- Bash shell script to flip through directories and perform a few actions