
command injection in C programming

I was implementing an echo command using the system() function. The argument for the echo command comes from a command line argument. But when ';' is used in the argument, it shows the directory listing. What should I do to avoid it? Is it because of command injection in my program?


update: code added from comment

#include<string.h>
#include<stdio.h>
#include<stdlib.h>

int main(int argc, char **argv) {
    char cmd[50] = "echo ";   /* command string that will be handed to /bin/sh */
    strcat(cmd,argv[1]);      /* argv[1] is spliced in without any escaping */
    system(cmd);              /* runs "sh -c cmd", so the shell parses it */
    return 0;
}

I could compile the code, but while executing, if I give the command line argument as e.g. './a.out hello;ls', then the directory listing happens.


Why are you trying to use shell access (which is exactly what system() does), and then attempt to restrict it?

If for some reason you need to use 'echo', please build your own execve() parameters and launch /bin/echo directly. This way you can restrict the damage to only the tasks 'echo' can do.


When attempting to run your program with the command ./a.out hello;ls, you are actually providing the shell with two separate commands that it executes in sequence. First the shell runs a.out with the command line parameter "hello" in argv[1], which prints it out using echo. Then your program exits, and the shell runs the next command, ls, and displays the directory listing.

If you want to pass that string to the program as a command line parameter, you need to escape the special shell character ;, so the shell does not parse it before giving it to your program. To escape a character, precede it with a \.

Try running the command with ./a.out hello\;ls, and then using printf instead of echo.


[can't respond to other answers yet, so reposting the question] "Is it possible to get the argument with ';' without using '\' in the command line argument? Is it possible for me to include a '\' from my program after getting argv?"

No, it is not possible. The interpretation of ";" is done by the shell before getting to your program, so unless you escape at the call, your program will never be aware of the ";". I.e.:

    PROG1 parms ; PROG2

will cause the shell (which is interpreting what you type) to do the following:

start PROG1 and pass it parms.

once PROG1 is done, start PROG2

There are a number of special characters which the shell will take over by default and your program will never see: * for wildcards, | for pipes, & for parallel execution, etc. None of these will be seen by the program being run; they just tell the shell to do special things. As an alternative to using the "\", you can enclose your parameter in single or double quotes (which are different, but for your example will both work). I.e.:

    ./a.out "hello;ls"
    ./a.out 'hello;ls'

Note that these will work for the printf option; if you call "system", you are in effect telling C to start a shell to run what you are passing in, so the input will once again be subject to shell interpretation.


system() is very difficult to use in a secure manner. It's much easier to just use one of the exec* functions.

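As an added example (not code from the original question or from any of the answers), here is the posted approach placed next to the fix that the first and last answers recommend: build an argv array and run /bin/echo directly instead of handing a string to a shell. Both variants are run in a child process with stdout captured through a pipe, so their output on the same argument can be compared. It assumes a POSIX system with /bin/sh and /bin/echo; the function names are my own. Note also that the posted cmd[50] with strcat overflows on any argument longer than about 44 bytes, which is a separate bug from the injection; the example below uses a bounded snprintf so that only the injection is on display.

```c
/* Added example, not from the original post: system() with a spliced
 * argument versus execv() of /bin/echo with an argv array.
 * Assumes POSIX, /bin/sh and /bin/echo. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read everything from fd until EOF into a malloc'd, NUL-terminated buffer. */
static char *slurp(int fd) {
    size_t cap = 256, len = 0;
    char *buf = malloc(cap);
    if (!buf) return NULL;
    for (;;) {
        if (len + 1 >= cap) {
            cap *= 2;
            char *nb = realloc(buf, cap);
            if (!nb) { free(buf); return NULL; }
            buf = nb;
        }
        ssize_t n = read(fd, buf + len, cap - len - 1);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) break;
        len += (size_t)n;
    }
    buf[len] = '\0';
    return buf;
}

/* Fork, run body(arg) in the child with stdout redirected into a pipe,
 * and return whatever the child wrote (caller frees). */
static char *capture(int (*body)(const char *), const char *arg) {
    int fds[2];
    if (pipe(fds) != 0) return NULL;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return NULL; }
    if (pid == 0) {
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        _exit(body(arg));
    }
    close(fds[1]);
    char *out = slurp(fds[0]);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return out;
}

/* VULNERABLE: the posted approach.  The argument is spliced into a
 * command string that /bin/sh parses, so ';', '|', '$(...)' and friends
 * inside the argument become shell syntax.  (Bounded snprintf replaces
 * the post's unbounded strcat so only the injection is demonstrated.) */
static int echo_via_shell(const char *arg) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "echo %s", arg);
    int st = system(cmd);
    return st == -1 ? 127 : WEXITSTATUS(st);
}

/* SAFE: no shell is involved.  /bin/echo receives the argument as a
 * single argv element, so shell metacharacters are printed literally.
 * What remains is echo's own option parsing (an argument such as "-n"),
 * which is a property of echo, not a shell injection. */
static int echo_via_exec(const char *arg) {
    char *const child_argv[] = { "/bin/echo", (char *)arg, NULL };
    execv("/bin/echo", child_argv);
    return 127;  /* only reached if execv itself failed */
}

int main(int argc, char **argv) {
    /* Constructed default input: a second command smuggled in after ';'. */
    const char *arg = argc > 1 ? argv[1] : "hello;echo INJECTED";
    char *via_shell = capture(echo_via_shell, arg);
    char *via_exec  = capture(echo_via_exec, arg);
    printf("system(): %s", via_shell ? via_shell : "(failed)\n");
    printf("execv():  %s", via_exec ? via_exec : "(failed)\n");
    free(via_shell);
    free(via_exec);
    return 0;
}
```

Build with cc -o a.out example.c and run ./a.out 'hello;echo INJECTED', quoted so that the shell you type into does not split the argument first, as the other answers explain. The system() path prints two lines, hello and INJECTED, because /bin/sh parsed the ';'; the execv() path prints the single literal line hello;echo INJECTED. The caveat that remains on the exec path is /bin/echo's own option handling: an argument beginning with '-' (for example -n) is still treated as an option by echo itself, which limits what an attacker can do to what echo can do, exactly the point the first answer makes.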
