slash-d has asked for the wisdom of the Perl Monks concerning the following question:

I'm trying to find a vulnerability in a search CGI for a customer. Basically, the code inputs form data into a reg exp without checking for "bad" characters. Without knowing the code, is there any way to run commands on this webserver (NT) through this reg exp?

Here's an example: when I type in (?{eval"dir";}), the webserver returns the following:

CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:

/(?{eval"dir";})/: Eval-group not allowed at runtime, use re 'eval' at D:\Inetpub\cgibin\search.pl line 61.

But there is one gotcha... any time I enter a space, the expression is ended. For example, if the string above would have contained eval "dir"; instead of eval"dir"; then the output would have been:
/(?{eval/: Sequence (?{...}) not terminated or not {}-balanced

Any ideas?
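The two error messages quoted in the question are what Perl produces when an unescaped form field is interpolated straight into a pattern: the regex engine either refuses the eval-group at runtime, or dies on an unbalanced pattern, and because the CGI died before printing headers IIS reports "misbehaved". The script below is an added example (not the customer's search.pl, whose code is not on this page) that reproduces that failure mode with a hypothetical search routine and shows the defensive fix: quote user input with \Q...\E so it is matched literally, and wrap the match in eval so a bad pattern yields a clean error rather than a dead CGI. The record list and the search terms are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data standing in for whatever the real CGI searches.
my @records = ('alpha report', 'beta memo', 'gamma notes');

# VULNERABLE (hypothetical): the form field becomes the pattern verbatim.
# Metacharacters in $term change what is matched, and a malformed pattern
# makes the match die at runtime.
sub search_unsafe {
    my ($term) = @_;
    return grep { /$term/ } @records;
}

# HARDENED: \Q...\E (quotemeta) escapes every metacharacter, so the field
# is matched as a literal substring. No user-controlled regex syntax survives.
sub search_safe {
    my ($term) = @_;
    return grep { /\Q$term\E/i } @records;
}

# Even the unsafe routine should never kill the CGI before headers are sent:
# run the match under eval and turn a compile failure into a normal result.
sub search_guarded {
    my ($term) = @_;
    my @hits;
    my $ok = eval { @hits = search_unsafe($term); 1 };
    return $ok ? (1, \@hits) : (0, "invalid search term: $@");
}

# Constructed inputs: a normal word, a wildcard, an unbalanced group, and the
# eval-group from the question. Perl refuses (?{...}) in an interpolated
# pattern unless "use re 'eval'" is in effect, which is exactly why that
# pragma must never be enabled for patterns built from untrusted input.
my @inputs = ('beta', '.*', '(?{eval', '(?{ die "injected" })');

print "Content-Type: text/plain\n\n";   # headers first, always
for my $term (@inputs) {
    my ($ok, $result) = search_guarded($term);
    my @safe = search_safe($term);
    printf "input %-22s unsafe: %-40s safe: %s\n",
        "'$term'",
        $ok ? "[@$result]" : $result,   # error text on failure
        "[@safe]";
}
```

Running this shows the contrast the question is about: '.*' makes the unsafe routine return every record while the safe one returns none, and both the unbalanced '(?{eval' and the eval-group produce a caught "invalid search term" error instead of the "Eval-group not allowed at runtime" / "not terminated or not {}-balanced" crashes seen in the post, while the \Q\E version simply treats them as text.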

Replies are listed 'Best First'.
Re: regular expression vulnerable?
by Corion (Patriarch) on Dec 27, 2000 at 23:05 UTC

    If this is your customer, he will have no problem with showing you the actual code. Simply post the regular expression here, and we will find out ways to break it.

    If your customer is willing to pay good money for a security analysis, he will also understand that he can give you the code to speed up the analysis process.

      This is a penetration test. My customer is paying me good money _not_ to see this code 8)
        And unless you review the code for faults, all you've really tested is your ability to crack the system.
Re: regular expression vulnerable?
by extremely (Priest) on Dec 28, 2000 at 10:20 UTC
    I doubt many people on here are that willing to help you break into a place. No matter the justification you provide, it just smells bad. I'd rather this not turn into (r@kz (3n7r@1 rather than perlmonks.

    --
    $you = new YOU;
    honk() if $you->love(perl)