Is command injection possible within shell scripts without the use of eval?
Yes, it is possible. But it is not so simple as you mention.
See below some example.
It will not works:
$ read -p "Type some text:" var1
Type some text:Example;hostname
$ echo $var1
Example;hostname
$ $var1
Example;hostname: command not found
But if you use like this, yes, it will work:
$ read -p "Type some text:" var1
Type some text:hostname
$ echo $var1
hostname
$ $var1
SSBLZMVM1
Is it possible to perform shell injection through a read and/or to break out of quotes?
Not according to: https://developer.apple.com/library/mac/documentation/OpenSource/Conceptual/ShellScripting/ShellScriptSecurity/ShellScriptSecurity.html
Search for 'Backwards Compatibility Example'
How to shell command inject a file
Select option 2, and enter the following note:
';cat flag.txt;echo '
This works because it doesn't escape the note input, so when you substitute the note you get
/bin/echo '';cat flag.txt;echo '' >> mynotes.txt
This will be executed by the SUID shell. It will output flag.txt
to the terminal, and write a blank line into mynotes.txt
.
prevent script injection when spawning command line with input arguments from external source
The correct and safe way to pass the values of variables VAR1
and VAR2
as arguments to /usr/bin/tool
is:
/usr/bin/tool -- "$VAR1" "$VAR2"
- The quotes prevent any special treatment of separator or pattern matching characters in the strings.
- The
--
should prevent the variable values being treated as options if they begin with-
characters. You might have to do something else iftool
is badly written and doesn't accept--
to terminate command line options. - See Quotes - Greg's Wiki for excellent information about quoting in shell programming.
- Shellcheck can detect many cases where quotes are missing. It's available as either an online tool or an installable program. Always use it if you want to eliminate many common bugs from your shell code.
- The curly braces in the line of code in the question are completely redundant, as they usually are. Some people mistakenly think that they act as quotes. To understand their use, see When do we need curly braces around shell variables?.
- I'm guessing that the
/bin/sh
in the question was intended to be a#! /bin/sh
shebang. Since the question was taggedbash
, note that#! /bin/sh
should not be used with code that includes Bashisms./bin/sh
may not be Bash, and even if it is Bash it behaves differently when invoked as/bin/sh
rather than/bin/bash
. - Note that even if you forget the quotes the line of code in the question will not cause commands (like
rm -rf /
) embedded in the variable values to be run at that point. The danger is that badly-written code that uses the variables will create and run commands that include the variable values in unsafe ways. See should I avoid bash -c, sh -c, and other shells' equivalents in my shell scripts? for an explanation of (only) some of the dangers.
Are these awk commands vulnerable to code injection?
Sure, both are vulnerable, the first a bit less so.
This breaks your second line:
HWLINK="/{}BEGIN{print \"Your mother was a hamster and your father smelt of elderberries\"}/"
The only reason it doesn't break your first line is, in order to be able to be injected into the first line it must not contain spaces.
HWLINK="/{}BEGIN{print\"Your_mother_was_a_hamster_and_your_father_smelt_of_elderberries\"}/"
I see you already got the correct syntax to use :)
Related Topics
How to Disable Editing My History in Bash
Count Files and Directories Using Shell Script
How to Run Elasticsearch 2.1.1 as Root User in Linux MAChine
Cannot Sudo Su Anymore, "No Tty Present and No Askpass Program Specified"
How to Change the Soname of a Binary Directly
Retrieve Plain Text Script from Compiled Bash Script
Ldd Doesn't Work on Dynamically Linked Binary
Need a Simple Linux C++ Ide (Android Ndk)
Configure and Build Opencv to Custom Ffmpeg Install
Installing Mod_Ssl Amazon Linux
How to Force a Firefox Page Refresh from Linux Console
Making Gcc Prefer Static Libs to Shared Objects When Linking
How to Tail -F the Latest Log File with a Given Pattern
Detect Underlying Platform/Flavour in Cmake
How to Implement a Practical Fiber Scheduler
What Is File Hole and How Can It Be Used
Find Directories Having Size Greater Than X Mb
Bluetooth Low Energy in C - Using Bluez to Create a Gatt Server