
Exec shell commands as given #117

Closed
az0r3 opened this issue Nov 15, 2019 · 1 comment

az0r3 commented Nov 15, 2019

Hi. Straight to the point:

The what

When executing any command with arguments, which contain spaces and are enclosed in ' or ", quotes are stripped and arguments are therefore fucked up.
Example:

$ curl -v -H "Content-Type: application/json" -s http://127.0.0.1
* Hostname was NOT found in DNS cache
* Could not resolve host: application
* Closing connection 0
* Rebuilt URL to: http://127.0.0.1/
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#1)
> GET / HTTP/1.1
> User-Agent: curl/7.38.0
> Host: 127.0.0.1
> Accept: */*

Note: Could not resolve host: application and no Content-Type: application/json in actual connection. Why?

The why

Log is a nice thing to have. There is a
[D][php] PAYLOAD chdir('[redacted]');@error_reporting(0);@system('curl -v -H Content-Type: application/json -s http://127.0.0.1 2>&1');
there. Wtf?

The wtf

It turns out you correctly parse the shell command (module.py@96):
command = shlex.split(line)
And reconstruct it, joining args as-is, without any quotes (sh.py@120):
self.args['command'] = ' '.join(self.args['command']).replace("'", "\\'")
(probably you wanna also escape the \ here)
Wtf? Why is there a need to split the command and then join it back?
(If the answer is to validate shell command, it fails to do that, verify by echo "test )

The proposal

This is frustrating and clearly not a feature, but a bug. It can't be fixed by joining args with ' or " because of the difference in env var expansion between the two kinds of quotes; the shell must execute exactly what was planned.
Variant 1. One of the maintainers fixes this by running the original command, not the reparsed one.
Variant 2. Someone explains to me the structure of your code (from terminal.py@74 to php.py@108) and I'll be able to make a pull request. Without docs it takes time to understand some lines, for example:
why is there a '--' at module.py@217-219:
modules.loaded['shell_sh'].run_cmdline('%s -- %s' % (cmd, args))
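
The quoting loss described above, reproduced as an added example that is not code from this project or from the reporter. It reconstructs the split-then-join round trip the issue points at, shows why word boundaries are lost, and also shows the caveat from the proposal: re-quoting every token (here with `shlex.join`, assumed available, i.e. Python 3.8+) restores the boundaries but single-quotes everything, so `$VAR` inside the original double quotes would no longer expand. The sample command lines are constructed for the demonstration.

```python
import shlex

# Constructed sample: the command line from the report.
SAMPLE = 'curl -v -H "Content-Type: application/json" -s http://127.0.0.1'


def naive_rejoin(line):
    """The lossy round trip: split on shell syntax, join with bare spaces.

    This mirrors the pattern in the report (split, then ' '.join with only
    single quotes escaped). Quotes that grouped tokens are gone afterwards.
    """
    return ' '.join(shlex.split(line)).replace("'", "\\'")


def quoted_rejoin(line):
    """Round trip that re-quotes each token so word boundaries survive.

    shlex.join single-quotes any token containing shell-significant
    characters, which also suppresses expansion of $VAR, backticks, etc.
    """
    return shlex.join(shlex.split(line))


def argv_preserved(line, rejoin):
    """True if re-splitting the rejoined line yields the original argv."""
    return shlex.split(rejoin(line)) == shlex.split(line)


def is_well_formed(line):
    """False for lines shlex cannot parse, e.g. an unterminated quote."""
    try:
        shlex.split(line)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("original :", SAMPLE)
    print("naive    :", naive_rejoin(SAMPLE))      # header value split in two
    print("re-quoted:", quoted_rejoin(SAMPLE))     # boundaries kept
    print("naive keeps argv?    ", argv_preserved(SAMPLE, naive_rejoin))
    print("re-quoted keeps argv?", argv_preserved(SAMPLE, quoted_rejoin))
    # The expansion caveat: "$HOME" was meant to expand, '$HOME' will not.
    print("re-quoted expansion  :", quoted_rejoin('echo "$HOME"'))
    print('unterminated quote ok?', is_well_formed('echo "test'))
```

Running it shows the naive join turning the six-element argv into seven (the header value becomes two words, which is why curl tried to resolve `application` as a host), while the re-quoted form keeps six but rewrites `"$HOME"` as `'$HOME'`. That is the reporter's point: the only way to execute exactly what was typed is to pass the original line through, not a reconstruction of it.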

@epinna epinna added the bug label Nov 15, 2019
Owner

epinna commented Dec 26, 2019

Ignore my previous answer, the fix was related to the management of the aliases command (such as curl). You'll find the fix in the next release 4.0.0.

@epinna epinna closed this as completed Dec 26, 2019