BlackVikingPro

Reputation: 95

Passing Quotation Mark Character (") as C# Console Application Argument

I have a project to demonstrate a program similar to the "echo" command in the MS-DOS Command Line. Here is the code in C#:

using System;

namespace arguments
{
    class Program
    {
        static void Main(string[] args)
        {
            try
            {
                switch (args[0])
                {
                    case "/?":
                        string location = System.Reflection.Assembly.GetEntryAssembly().Location;
                        string name = System.IO.Path.GetFileName(location);
                        Console.WriteLine("Displays messages\nSyntax: {0} [message]", name);
                        Environment.Exit(0);
                        break;
                }
                if (args.Length >= 0)
                {
                    string x = "";
                    foreach (var item in args)
                    {
                        x += item.ToString() + " ";
                    }
                    Console.WriteLine(Convert.ToString(x)); // this should eliminate vulnerabilities.
                }
            }
            catch
            {
                string location = System.Reflection.Assembly.GetEntryAssembly().Location;
                string name = System.IO.Path.GetFileName(location);
                Console.WriteLine("Displays messages\nSyntax: {0} [message]", name);
            }
        }
    }
}

This does a pretty efficient job at doing what it's supposed to do. Then I got into trying to exploit it in any way I could.

In Command Prompt, I ran arguments.exe ". This is supposed to print out ", but that's not really what happened. I then tried the same with the echo command by running echo ", and it, like it's supposed to, printed out ". This is mind-boggling because I wouldn't have even thought this would be a problem. I couldn't get it to pose a great threat; it just confused me for a minute.

My question is, is there any way to pass the quotation mark (") as an argument to this console application?

Here is a picture to demonstrate it a little bit better: http://prntscr.com/cm9yal

Upvotes: 2

Views: 1540

Answers (2)

alex knopp

Reputation: 90

void Main(string[] args)

args array here contains the arguments which have been passed to your application. Because arguments may have spaces they can be surrounded by quotes.

For this reason you won't get the string you have placed as an argument. You will also lose any number of spaces between quoted parameters.

If you need the raw command line string, use:

string cmdline = System.Environment.CommandLine;

Upvotes: 2

Smudge202

Reputation: 4687

To be able to get the single quote, you'll need to bypass the default parsing performed by the CLR when populating the args array. You can do this by examining Environment.CommandLine, which in the case you describe above will return something along the lines of:

ConsoleApplication1.exe \"

Note, the argument I passed was simply " (not the escaped variant shown).

Upvotes: 2
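Both answers point to Environment.CommandLine. The following is an added example, not code from either answer, showing an echo-style program that skips the program-name token and prints the rest of the line verbatim, so a lone " and repeated spaces survive. It assumes Environment.CommandLine holds the command line as the process received it; the class and the RawTail helper are hypothetical names, and the sample command lines are constructed.

```csharp
using System;

static class RawEcho
{
    // Returns everything after the program-name token, verbatim (quotes and
    // repeated spaces preserved). Hypothetical helper, not a framework API.
    public static string RawTail(string commandLine)
    {
        int i = 0;
        bool inQuotes = false;

        // The program name ends at the first space or tab outside quotes;
        // a quoted path such as "C:\My Tools\app.exe" is skipped as one token.
        while (i < commandLine.Length)
        {
            char c = commandLine[i];
            if (c == '"') inQuotes = !inQuotes;
            else if (!inQuotes && (c == ' ' || c == '\t')) break;
            i++;
        }

        // Drop the whitespace separating the name from the message, nothing else.
        while (i < commandLine.Length && (commandLine[i] == ' ' || commandLine[i] == '\t')) i++;

        return commandLine.Substring(i);
    }

    static void Main()
    {
        // Constructed sample command lines, so the parsing can be checked offline.
        string[] samples =
        {
            "arguments.exe \"",
            "\"C:\\My Tools\\arguments.exe\" say  \"hi\"   there",
            "arguments.exe"
        };
        foreach (string s in samples)
            Console.WriteLine("[{0}] -> [{1}]", s, RawTail(s));

        // Real invocation: echo the message exactly as it was received.
        Console.WriteLine(RawTail(Environment.CommandLine));
    }
}
```

The same gap between the raw line and the parsed args array matters when logging or validating input: record the raw string if you need to see exactly what was supplied.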
