Welcome to level 10. “For security reasons, we now filter on certain characters” – okay they’ve gotten wise to our little game. But let’s check how good their countermeasures are.
Well, they don’t allow us to use the semicolon or ampersand any longer. Well that’s not a problem, I know other ways to manhandle that command into doing what I want.
How about using the hash to make the rest of the line after our injected command into a comment? Yep, it returns something that looks like the password we wanted. On to the next level!
Escaping user-provided input is fraught with peril. You have to cover all the entry points, while attackers have to find only one. Instead of blacklisting, consider whitelisting. Better yet, simply avoid being injectable.
Posted: Jun 27, 2013