Exploiting the quote() and open() functions in Perl

21 August 2019
by th3-3inst3in


Exploiting the Perl open() function

Reviewing scripts and finding flaws in them is an essential skill to have. First we will look at the open() function.

In Perl, the open() function is used to handle files; it is most commonly used to read a file and display its contents. Let's write a simple Perl CLI script that reads a file.

Create a file called test.txt.

The following is a simple example of how to use open() in Perl. Copy the code below into a file called test.pl.

#!/usr/bin/perl
use warnings;
use strict;

# The file to read is taken straight from the first command-line argument.
my $filename = $ARGV[0];

# Three-argument form: the read mode '<' is given explicitly.
open(FH, '<', $filename) or die "Cannot open $filename: $!";

# Print the file line by line.
while (<FH>) {
    print $_;
}

close(FH);

It turns out that the two-argument form of open(), open(FH, $filename), is vulnerable to command execution: Perl reads the open mode from the string itself, so the call can be exploited with a single pipe character, in the following manner. The three-argument form used above, with an explicit '<' mode, treats its argument strictly as a path and is not affected.

[screenshot: open() RCE]
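To make the difference between the two forms concrete, here is an added example (not code from the original post): the two-argument open() that the pipe trick relies on, beside a hardened reader that fixes the mode, validates the name against an allow-list and pins it to a base directory. The function names and the base directory are this example's own assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from the original post: the two-argument open() that
# the pipe trick relies on, beside a hardened reader. Function names and the
# base directory are this example's own assumptions.
use strict;
use warnings;
use File::Spec;

# Directory the script is allowed to serve files from (assumed for this example).
my $BASE_DIR = '/var/www/files';

# VULNERABLE: with two arguments, Perl parses the open mode out of the string
# itself. A value that starts or ends with '|' is therefore run as a command to
# pipe from or to, and a leading '>' would open the path for writing instead.
sub read_file_unsafe {
    my ($name) = @_;
    open(my $fh, $name) or die "Cannot open $name: $!";   # mode taken from $name
    local $/;                                             # slurp the whole file
    my $content = <$fh>;
    close($fh);
    return $content;
}

# Allow-list for the user-supplied part of the path: a single plain file name.
# This rejects '|', '<', '>', whitespace and every directory separator, and the
# extra test keeps '.' and '..' out as well.
sub is_plain_filename {
    my ($name) = @_;
    return 0 unless defined $name;
    return 0 unless $name =~ /\A[A-Za-z0-9._-]{1,64}\z/;
    return 0 if $name =~ /\A\.\.?\z/;
    return 1;
}

# HARDENED: the explicit '<' mode means the third argument is only ever a path,
# the name is validated first, and it is joined to a fixed base directory.
sub read_file_safe {
    my ($name) = @_;
    die "Rejected file name\n" unless is_plain_filename($name);
    my $path = File::Spec->catfile($BASE_DIR, $name);
    open(my $fh, '<', $path) or die "Cannot open $path: $!";   # mode is fixed here
    local $/;
    my $content = <$fh>;
    close($fh);
    return $content;
}

# Constructed inputs (not from the post) run through the allow-list only, so
# this prints each decision without opening anything.
for my $name ('report.txt', 'report.txt|', '|id', '../report.txt', '..') {
    printf "%-16s %s\n", $name, is_plain_filename($name) ? 'accepted' : 'rejected';
}
```

The allow-list is deliberately stricter than "no pipe character": once the mode is fixed by the three-argument form, the remaining risk is the path itself, so the check permits only a bare file name and the script decides the directory.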

If you want to try this out on a live site, try the following CTF:

Natas29 writeup

http://natas29.natas.labs.overthewire.org/

Once you log in to the CTF with the credentials gained from the previous challenge (natas28), you will see that Perl is being used to read local files, and that the filename is taken from the GET parameter ?file=.

[screenshot: id command]

The flag is in the /etc/natas_webpass directory, but there is a twist: a check is in place that blocks the command from running if the keyword ‘natas’ appears in the URL.

We can bypass that with an obfuscated shell command like the following:

[screenshot: flag]



Perl quote() function SQL injection bypass

Analyse the following Perl code:

# Excerpt from the level's server-side script. The four use lines are assumed
# for context; the rest is as shown in the challenge source.
use strict;
use warnings;
use CGI qw(:standard);
use DBI;

if ('POST' eq request_method && param('username') && param('password')){
    my $dbh = DBI->connect( "DBI:mysql:natas30","natas30", "<censored>", {'RaiseError' => 1});
    # param() is evaluated in list context inside these calls, so a repeated
    # request parameter becomes a second argument to quote(): its $data_type.
    my $query="Select * FROM users where username =".$dbh->quote(param('username')) . " and password =".$dbh->quote(param('password'));

    my $sth = $dbh->prepare($query);
    $sth->execute();
    my $ver = $sth->fetch();
    if ($ver){
        print "win!<br>";
        print "here is your result:<br>";
        print @$ver;
    }
    else{
        print "fail :(";
    }
    $sth->finish();
    $dbh->disconnect();
}

# The page's HTML (the login form) follows here in the original script; the
# body of the here-document is omitted in this excerpt.
print <<END;
END

The main thing to note here is the quote() function, which is roughly the equivalent of mysql_real_escape_string() in PHP. As per the documentation, quote() escapes any special characters (such as quotation marks) contained within the string.

According to this link, when we pass a list of arguments to the quote() function, the second argument is used to determine the data type of the first. Here is the trick: if the second argument names a non-string (numeric) type, the first argument is returned without quoting. Because param() is called in list context here, repeating a parameter in the request supplies that second argument. For a list of SQL data types and their respective codes, go to the following link.

An example of the request parameters would look like this:

user=admin&pass='pss' or 1=1&pass=2
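The following added example (not code from the original post or the Natas level) makes the mechanism visible: it decodes a request body in which the password parameter is sent twice, shows the argument list that the vulnerable quote(param('password')) call would receive, and then runs the hardened version, which takes one value per parameter and binds it with placeholders. It assumes DBI is installed; DBD::NullP ships with DBI and talks to no real database, so it runs offline. The request body, parse_form() and form_param() are this example's own constructions, using the parameter names from the level's code.

```perl
#!/usr/bin/perl
# Added example, not code from the original post or the Natas level: it shows
# why $dbh->quote(param('password')) breaks when a request repeats the parameter,
# and the hardened version. DBI is assumed to be installed; DBD::NullP ships with
# DBI and talks to no real database, so this runs offline. The request body,
# parse_form() and form_param() are this example's own constructions.
use strict;
use warnings;
use DBI;

# Constructed request body: 'password' is sent twice, in the shape the post
# describes, using the parameter names from the level's code.
my $raw_body = "username=admin&password=%27x%27+or+1%3D1&password=2";

# Minimal form decoder that keeps every value of a repeated parameter, as CGI.pm does.
sub parse_form {
    my ($body) = @_;
    my %params;
    for my $pair (split /&/, $body) {
        my ($k, $v) = split /=/, $pair, 2;
        for ($k, $v) {
            $_ = '' unless defined $_;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        push @{ $params{$k} }, $v;
    }
    return \%params;
}

# Mimics CGI.pm's param(): all values in list context, the first one in scalar context.
sub form_param {
    my ($params, $name) = @_;
    my @values = @{ $params->{$name} || [] };
    return wantarray ? @values : $values[0];
}

# What quote() actually receives from the vulnerable call. In list context the
# repeated parameter expands to two arguments, quote("'x' or 1=1", "2"), and DBI
# documents that a numeric $data_type makes quote() return the value unquoted.
sub quote_arguments {
    my ($params, $name) = @_;
    my @args = form_param($params, $name);   # list context
    return @args;
}

# HARDENED: take exactly one value per parameter and bind it with placeholders,
# so user input travels to the driver as data and never becomes SQL syntax.
sub lookup_user {
    my ($dbh, $params) = @_;
    my $user = scalar form_param($params, 'username');
    my $pass = scalar form_param($params, 'password');
    my $sth  = $dbh->prepare('SELECT * FROM users WHERE username = ? AND password = ?');
    $sth->execute($user, $pass);
    return $sth;
}

my $params = parse_form($raw_body);
my @args   = quote_arguments($params, 'password');
printf "quote() receives %d arguments: %s\n", scalar @args, join(' | ', @args);

my $dbh = DBI->connect('dbi:NullP:', '', '', { RaiseError => 1 });
# Without a $data_type argument quote() always quotes, doubling embedded quotes.
print "quote() with one argument: ", $dbh->quote(scalar form_param($params, 'password')), "\n";
my $sth = lookup_user($dbh, $params);
print "prepared: ", $sth->{Statement}, "\n";   # placeholders intact, values bound separately
$sth->finish;
$dbh->disconnect;
```

Forcing scalar context on param() closes the specific hole, but placeholders are the real fix: the query text never changes with user input, so there is no quoting decision left to get wrong.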

Natas 30 writeup

The following is a live example of the vulnerability explained above:

http://natas30.natas.labs.overthewire.org/

Login with the credentials from the last level.

[screenshot: payload]

[screenshot: flag]

tags: web - overthewire