95
Stealth Commanding
•Target: run shell commands
remotely – take over machine
•How:
–web-server executes commands
(path), or
–the application execute commands
(parameters)
•Log manifestation: hazardous
characters and shell commands in path or parameter values. e.g. ls, cmd.exe, sh, perl, dir, rm,
xterm, ...
•Variations:
–Shell interpreter in virtual root:
/cgi-bin/sh?-c%20/bin/ls
–Perl magic pipe (parameter value): file=|/bin/ls
–SSI (parameter value):
...<!--#exec “/bin/ls” -->
•False alarms: not
likely...