What else should you know about argument injection at OS commanding vulnerabilities

The first research related to this technique, as I believe dated by March 2013. It described the way how to deal with the escapeshellarg() and other scaping functions used to sanitize data at shell calls like system(), passthru(), exec() and others. This technique became very popular later, especially after a lot of sendmail exploits used it.

In my last (and the first, BTW) Twitch stream I tried to find a similar issue at Symfony (as the part of Laravel) but found only DoS way to exploit it for 30 minutes of research. During that video stream, I said that it’s possible to inject only one command flag inside an attribute, but I was wrong.

In fact, we can’t inject more than 1 argument to shell command while exploiting smth like this:

<?php
$data = escapeshellarg($_GET['d']);
system("file -bs --mime $data");

But this is one argument only for the shell, not for “file” or other program called in this way. Just because almost all the utilities and programs from “dd” to “bash” itself will parse ARGV by themselves to find flags there. This parsing is different and completely related to a particular program, so, we can expect more bug there, including OS commanding again.

I.e. when you call “ls” as “ls -la” in fact, you pass “-la” as ARGV[1] for “ls” and then “ls” itself will find “-l” and “-a” there separately. This feature allows exploiting argument injections to inject more than only 1 flag as I mentioned during the stream.

For example, the following command (where the second argument was ):

$ file -b '-zftest'

will be interpreted by “file” utility exactly the same as this one:

$ file -b -z -f test

We can understand this by the following outputs, which are different:

$ file -b '-zftest'
POSIX tar archive (GNU) (bzip2 compressed data, block size = 900k)
$ file -b '-ftest'
bzip2 compressed data, block size = 900k

Using this knowledge it’s possible to exploit more issues, which is as I think you should love. Enjoy!