
Is it possible to execute some command in qx argument

by vladimirfedorov (Novice)
on May 05, 2017 at 05:04 UTC

vladimirfedorov has asked for the wisdom of the Perl Monks concerning the following question:

I have the script on one of my systems that I can't modify at all, but need to fix its behavior. I can only pass arguments to the script. I am looking if it is possible to do some trickery with the arguments to amend script's behavior.
    my $cmd = "mkdir ";
    my $arg = "temp"; #this arg I pass to the script
    qx($cmd "currentdate$arg");
I tried something like this:
    my $cmd = "mkdir ";
    my $arg = "; mkdir otherdir";
    qx($cmd "currentdate$arg");
But it gladly created a directory with the name "currentdate; mkdir otherdir". Any ideas?
Just a note - it is not a mkdir command in the target system, but I picked this generic command to make the code reproducible.
Thanks

Replies are listed 'Best First'.
Re: Is it possible to execute some command in qx argument
by shmem (Chancellor) on May 05, 2017 at 07:15 UTC
    I have the script on one of my systems that I can't modify at all, but need to fix its behavior. I can only pass arguments to the script. I am looking if it is possible to do some trickery with the arguments to amend script's behavior.

    You are seeking advice from us on how to write a bug exploit?

    perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'
      It sure looks like it but it is not. Our VMs use perl script to autoconfigure when deployed. Unfortunately there are a number of vm templates with incorrect script which is a huge pain to manually log in and fix. So I was looking for a smarter solution. If this approach is not appropriate to be published I can delete the thread.

        In the OP you write:

        I have the script on one of my systems that I can't modify at all

        Well, this reeks of privilege escalation. Why can't you modify a script? I can think of a number of reasons/scenarios, and a short description of why this can't be done would be appropriate, so any suspicion of inappropriate privilege escalation would have been dispersed at the beginning.

        So this is an XY problem. The script should be fixed in the first place, at its origin. A script which allows execution of arbitrary commands by this simple mechanism is a high security risk which should be fixed immediately. You should escalate this issue, not your privileges.

        Unfortunately there are a number of vm templates with incorrect script which is a huge pain to manually log in and fix.

        There are ways to automate this process. It would have been better to ask for ways of how to do that. If this script is part of a deployment environment shipped by some VM vendor, please escalate to that vendor prior to disclosure. There's no need to delete this thread (yet ;-)

        perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'

        If the problem is that you do not have tools in place to roll code to dozens, hundreds, or thousands of VM's, write that tool, now. If the problem is that you don't have tools in place to securely run commands, or better, call sanctioned methods against dozens, hundreds, or thousands of VM's, write that tool now. If the problem is that you have code that exists on dozens, hundreds, or thousands of VM's that allows for the type of exploit you are contemplating, fix that code now!


        Dave

Re: Is it possible to execute some command in qx argument
by choroba (Archbishop) on May 05, 2017 at 06:40 UTC
    This is a shell question, not a Perl question. Remove the double quotes, they prevent shell from splitting the arguments on whitespace:
    qx($cmd currentdate$arg);

    BTW, qx returns the output of the command it runs, if you're not interested in the output, use system instead.

    ($q=q:Sq=~/;[c](.)(.)/;chr(-||-|5+lengthSq)`"S|oS2"`map{chr |+ord }map{substrSq`S_+|`|}3E|-|`7**2-3:)=~y+S|`+$1,++print+eval$q,q,a,
      Well the point is that I cannot modify the script, right now, all I can do is to pass different arguments to the script. Is it possible to pass an argument that will allow splitting commands?
        Oh, I see, wasn't reading carefully.
        my $arg = '"; mkdir "otherdir';
        ($q=q:Sq=~/;[c](.)(.)/;chr(-||-|5+lengthSq)`"S|oS2"`map{chr |+ord }map{substrSq`S_+|`|}3E|-|`7**2-3:)=~y+S|`+$1,++print+eval$q,q,a,
Re: Is it possible to execute some command in qx argument
by bart (Canon) on May 05, 2017 at 10:44 UTC
    If this is on Linux, as I think it is, there's trickery you can do by passing an argument containing substrings like `command args` or $(command args) (In the Linux shell, use single quotes on the command line to pass them). They will be executed by the shell called from the Perl script, in addition to the normal behaviour of the original call.
      Do you mean something like the code below? I tried that and it didn't work. Meaning it still produced one directory with the name "currentdate0 0 492mkdir otherdir1)"
      my $cmd = "mkdir ";
      $arg = "$(mkdir otherdir1)";
      qx($cmd "currentdate$arg");
        $arg = "$(mkdir otherdir1)";
        Use single quotes in Perl, or the "$(" won't stick. And do something that produces output as well, to use in the name of the new directory.
        $arg = '$(mkdir otherdir1; date +%F_%H.%M.%S)';
        This also shows the need to clean up (AKA "untaint") the user entered input data before just executing it. You could be executing a lot more than you bargained for.
Re: Is it possible to execute some command in qx argument
by Anonymous Monk on May 05, 2017 at 06:42 UTC
    $arg = q{"; othercmd; "};
      This seems to be working, thank you so much! I will test more and report back.
      Ok, it worked perfectly in command line but when testing end to end I found out that all quotes and apostrophes were replaced with &quot; and &apos;. The arguments are being passed in the vm through an xml, so I guess that's why they were converted. Is there a way to do the same without apostrophes or quotes?
Re: Is it possible to execute some command in qx argument
by marinersk (Priest) on May 05, 2017 at 16:16 UTC

    Oi. Injection exploit time bomb. :: wince ::

Re: Is it possible to execute some command in qx argument
by afoken (Canon) on May 06, 2017 at 15:04 UTC

    Try to avoid qx, ``, single argument system, single argument exec, and single argument pipe open. All of these share a single problem: Except for very simple cases (alphanumeric-only commands), perl invokes "the" default shell, and things will go wrong from there quite fast. Simply because there is no single definition for "the" default shell. Default shells differ wildly in behaviour with varying versions of the operating system, and even more across operating systems. See Re^2: how do i run a shell command without waiting for the output for more details and a collection of background links.

    Alexander

    --
    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
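
The two fixes recommended in the replies (validate the input, and avoid the shell), combined in one script as an added example that is not code from any post in this thread. The names `clean_suffix` and `make_dir` and the allowlist pattern are hypothetical choices; the inputs are constructed from the argument shapes quoted above.

```perl
#!/usr/bin/perl
# Added example: hardened form of the qx($cmd "currentdate$arg") pattern.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Allowlist check (assumed policy): 1-32 word characters, dots or dashes.
# Capturing through a regex is also how a value is untainted under perl -T.
sub clean_suffix {
    my ($arg) = @_;
    return $arg =~ /\A([A-Za-z0-9_.-]{1,32})\z/ ? $1 : undef;
}

# List-form system: perl executes mkdir directly, so no shell ever
# parses the string and quotes, ';' or '$(...)' have no special meaning.
sub make_dir {
    my ($base, $name) = @_;
    return system('mkdir', '--', "$base/$name") == 0;
}

my $base = tempdir(CLEANUP => 1);    # scratch directory, removed on exit

# Constructed inputs: one normal value plus the shapes tried in the thread.
my @inputs = ('temp', '; mkdir otherdir', '"; mkdir "otherdir',
              '$(mkdir otherdir1)');

for my $arg (@inputs) {
    my $suffix = clean_suffix($arg);
    if (!defined $suffix) {
        print "rejected: [$arg]\n";
        next;
    }
    print make_dir($base, "currentdate$suffix")
        ? "created:  currentdate$suffix\n"
        : "mkdir failed for currentdate$suffix\n";
}

# Defence in depth: even if validation were skipped, the list form
# creates exactly one directory with the odd literal name.
make_dir($base, 'currentdate"; mkdir "otherdir');

opendir(my $dh, $base) or die "opendir $base: $!";
print "entry:    [$_]\n" for sort grep { !/\A\.\.?\z/ } readdir $dh;
closedir $dh;
```

Only two entries are listed at the end, `currentdate"; mkdir "otherdir` and `currentdatetemp`; no `otherdir` is ever created, because the second command is never interpreted.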
