使用ESAPI执行器时如何使用运算符>>?
[英]How to use the operator >> while using the ESAPI executor?
问题描述
While using the ESAPI executor to run a simple command such as:
在使用 ESAPI 执行器运行一个简单的命令时,例如:
C:\\Windows\\System32\\cmd.exe /c echo test >> D:\\wow\\test.txt
while the C:\Windows\System32\cmd.exe is the executable file.而C:\Windows\System32\cmd.exe是可执行文件。 and the /c echo test >> D:\wow\test.txt are parameters.和/c echo test >> D:\wow\test.txt是参数。 The problem is that the codec ruins the operator >> (which means avoiding it or referring to it as a String. so the output will be just be printing the "test >> D:\wow\test.txt".问题是编解码器破坏了运算符>>(这意味着避免它或将其作为字符串引用。因此 output 将只是打印“test >> D:\wow\test.txt”。
1 个解决方案
解决方案1
2 已采纳 2020-05-17 15:55:23
The codec is doing exactly what it should be doing.编解码器正在做它应该做的事情。 Maybe an overly simple example would make that more clear as to why this is the correct behavior.也许一个过于简单的例子可以更清楚地说明为什么这是正确的行为。
Let's suppose you have a web application where you have a user upload a document and then you run a spell-check on it for them and send them back the corrected results.假设您有一个 web 应用程序,用户在其中上传文档,然后您为他们运行拼写检查并将更正后的结果发回给他们。 For sake of simplicity, left's assume that you have set the current working directory to be specific to each user using your service and that you have a "spellcheck.bat" that takes a single filename as an argument and you planned to execute the string:为了简单起见,我们假设您已将当前工作目录设置为特定于使用您的服务的每个用户,并且您有一个“spellcheck.bat”,它将单个文件名作为参数,并且您计划执行该字符串:
C:\Windows\System32\cmd.exe /c C:\spelling\spellcheck.bat userFilename > spelling-errors.txt
where userFilename is the name of the users uploaded file.其中userFilename是用户上传文件的名称。 Your intent is to run spellcheck.bat with the user's uploaded file and filename and the read and display the 'spelling-errors.txt' file back to the user.您的目的是使用用户上传的文件和文件名运行 spellcheck.bat,然后读取并向用户显示“spelling-errors.txt”文件。 (IRL, that would probably be a temp file in a different directory, but I want to make this simple.) (IRL,这可能是不同目录中的临时文件,但我想让它变得简单。)
So what happens if 'userFilename' contains a '>' character?那么如果“userFilename”包含“>”字符会怎样呢? Surely you want that quoted appropriately, do you not?您肯定希望适当地引用它,不是吗? Because otherwise an attacker might be able to overwrite some file that you don't want to be overwritten, including things like your web.xml or other configuration / properties files.因为否则攻击者可能会覆盖一些您不想覆盖的文件,包括您的 web.xml 或其他配置/属性文件。 Because running something like (say)因为运行类似(说)
C:\Windows\System32\cmd.exe /c C:\spelling\spellcheck.bat myDoc.txt >sucker.txt > spelling-errors.txt
is going to create 'sucker.txt' and if that filename exists, it will be truncated and replaced by the output of "spellcheck.bat myDoc.txt".将创建“sucker.txt”,如果该文件名存在,它将被截断并替换为“spellcheck.bat myDoc.txt”的 output。 That is probably NOT what you want.那可能不是你想要的。
So preventing file I/O redirection operations via '<', '<<', '>', and '>>' is intended.因此,旨在防止通过“<”、“<<”、“>”和“>>”进行文件 I/O 重定向操作。 If you really want to allow them (and I recommend against it), then you will have to parse your own command string based on what you want to allow.如果你真的想要允许它们(我建议不要这样做),那么你将不得不根据你想要允许的内容来解析你自己的命令字符串。
Also, while I'm not sure it is true for Window's cmd prompt shell, it certainly is true for *nix shells that one can also do command execution in the redirection as part of the file redirection.此外,虽然我不确定 Window 的 cmd 提示符 shell 是否正确,但对于 *nix shell 来说确实如此,作为文件重定向的一部分,也可以在重定向中执行命令。 For example, in bash, I can do something like this比如bash,我可以这样操作
cat < $(ls foo)
and if the file 'foo' exists, the 'ls foo' command will list the output foo, so this command becomes:如果文件“foo”存在,“ls foo”命令将列出 output foo,因此此命令变为:
cat < foo
and we just end up taking stdin for the 'cat' command from the file 'foo'.我们最终从文件“foo”中为“cat”命令获取标准输入。 But an attacker could do something much more nefarious with it.但是攻击者可以用它做一些更邪恶的事情。 Of course, the OS codec also prevents '$(...)' style command substitutions, but I hopefully have made my point.当然,操作系统编解码器也会阻止“$(...)”样式的命令替换,但我希望我已经表达了我的观点。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.