0

I'm doing a small exercise with command injections, and I have this command that I can make injections into:

grep -i $key dictionary.txt

where $key is the part I can inject something into. Now, I know the intended solution here is to use ; to terminate one statement, and then construct a new one. But I wanted to see if I could use the grep in my attempt.

What I want to do is to run ls, in order to see the files in a specific directory. I want to use the two in conjunction like so:

ls | grep -i "."

But, since I'm doing an injection, I need the grep -i to be first. So is there anything I can do? perhaps a pipe operator that works in the "reverse" order?

grep -i "." <| ls

EDIT

There seems to be a bit of confusion as to what I am doing here, and what I am trying to achieve.

I am doing some introductory exercises on pen-testing.

My current exercise is to do a injection on a website, that has this string in it:

grep -i $key dictionary.txt

and then uses that string to run a command. I need to inject something into this string, which will be a command injection. I do not have control over the string as it is already written on the server, and thus I cannot put anything in to the left of grep -i.

I have a solution already, where I inject the following:

; ls /etc/natas_webpass #

Which then (when I inject it) creates this command which runs on the server

grep -i ; ls /etc/natas_webpass # dictionary.txt

Buy I would like to try to solve this exercise not using the semicolon, but perhaps actually use grep that is already there.

EDIT 2

A suggestion has been made that I am simply looking for <(ls). I tried testing this by running:

$ grep -i <(ls)

This does not work, though; nothing happens.

G-Man Says 'Reinstate Monica'
  • 22,130
  • 27
  • 68
  • 117
NotQuiteSo1337
  • 23
  • 1
  • 7
  • I don't follow the relationship between you wanting to inject what I assume is nasty data, and the order of the commands. And anyway, correctly double-quoting the variable `"$key"` would avoid any injection attempt. Write proper code and reduce the attack surface – roaima Sep 07 '21 at 17:18
  • 1
    The correct syntax for your second example is `<(ls)` – jordanm Sep 07 '21 at 17:20
  • This is just an exercise, in order to play with injections, and gettting better at writing bash commands, therefore the code is purposely badly written. SInce the code is ordered the way it is, I can only do an injection at place of `%Key` spot, which is why the final command will have to start with `grep -i` – NotQuiteSo1337 Sep 07 '21 at 17:20
  • are you, perhaps, thinking that `grep -i "."` will show you only filenames with a literal `.` in them? That won't work. In a regular expression, `.` means match **any character**. If you want it to not have that meaning, you need to "escape" it with a backslash. e.g. `ls | grep '\.'`. BTW, before you go too far down this path, see [Why *not* parse `ls` (and what to do instead)?](https://unix.stackexchange.com/questions/128985/why-not-parse-ls-and-what-to-do-instead). – cas Sep 07 '21 at 17:22
  • @cas yes the idea is that `"."` will match all characters in the output from `ls` I am currently looking at, and therefore print all of it out for me to see – NotQuiteSo1337 Sep 07 '21 at 17:24
  • @jordanm this does not seem to work – NotQuiteSo1337 Sep 07 '21 at 17:26
  • It works with `>(ls)` instead of `<(ls)`. But you were supposed to solve the exercise by yourself, what's the fun in asking people around? –  Sep 07 '21 at 17:59
  • `grep -i <(ls)` does not work because grep requires a string to match. You have your (optional) flag(s) (`-i`), a source of strings (`ls`), although you shouldn't parse the output of `ls`, but you are missing the string to search for. `grep -i . <(ls)` is a valid command, as `.` is the "string" to search for. I highly recommend you read an introductory course to Bash, as the basics seem to be missing. – Thegs Sep 07 '21 at 18:01
  • Whatever you do, you'll just end up telling the shell to run `ls` in addition to `grep`. You're not exactly "using" `grep` itself. In addition to just piling the second command there with a semicolon (or newline, or `&`, or `&&` / `||`), you could use a command substitution `$(...)` or if the shell supports it, the process substitution `<(...)` that was already mentioned. – ilkkachu Sep 07 '21 at 18:09
  • As a punishment for cheating, you now have to solve the problem where the `$key` is not pasted in the code, but set via the environment ;-) –  Sep 07 '21 at 18:11
  • I ended up making it work with in my own shell `<( )`, but it doesnt work when I inject it. Perhaps the target shell doesnt support it – NotQuiteSo1337 Sep 07 '21 at 18:26

1 Answers1

1

You’ve almost got it.  Inject

. <(ls)

or

^ <(ls)

for $key.  You need to search for something in the output from ls.  Dot (.) will match any character, so it will match any non-blank line.  Caret (^) matches the beginning of any line, and therefore will match any line, even blank ones.  (You could also use dollar sign.)

G-Man Says 'Reinstate Monica'
  • 22,130
  • 27
  • 68
  • 117