
I'm doing a small exercise with command injections, and I have this command that I can make injections into:

grep -i $key dictionary.txt

where $key is the part I can inject something into. Now, I know the intended solution here is to use ; to terminate one statement, and then construct a new one. But I wanted to see if I could use the grep in my attempt.

What I want to do is to run ls, in order to see the files in a specific directory. I want to use the two in conjunction like so:

ls | grep -i "."

But, since I'm doing an injection, I need the grep -i to be first. So is there anything I can do? perhaps a pipe operator that works in the "reverse" order?

grep -i "." <| ls

EDIT

There seems to be a bit of confusion as to what I am doing here, and what I am trying to achieve.

I am doing some introductory exercises on pen-testing.

My current exercise is to do a injection on a website, that has this string in it:

grep -i $key dictionary.txt

and then uses that string to run a command. I need to inject something into this string, which will be a command injection. I do not have control over the string as it is already written on the server, and thus I cannot put anything in to the left of grep -i.

I have a solution already, where I inject the following:

; ls /etc/natas_webpass #

Which then (when I inject it) creates this command which runs on the server

grep -i ; ls /etc/natas_webpass # dictionary.txt

But I would like to try to solve this exercise without using the semicolon, and perhaps actually use the grep that is already there.

EDIT 2

A suggestion has been made that I am simply looking for <(ls). I tried testing this by running:

$ grep -i <(ls)

This does not work, though; nothing happens.

  • I don't follow the relationship between you wanting to inject what I assume is nasty data, and the order of the commands. And anyway, correctly double-quoting the variable "$key" would avoid any injection attempt. Write proper code and reduce the attack surface – Chris Davies Sep 07 '21 at 17:18
  • 1
    The correct syntax for your second example is <(ls) – jordanm Sep 07 '21 at 17:20
  • This is just an exercise, in order to play with injections and get better at writing bash commands, therefore the code is purposely badly written. Since the code is ordered the way it is, I can only do an injection in place of the $key spot, which is why the final command will have to start with grep -i – NotQuiteSo1337 Sep 07 '21 at 17:20
  • are you, perhaps, thinking that grep -i "." will show you only filenames with a literal . in them? That won't work. In a regular expression, . means match any character. If you want it to not have that meaning, you need to "escape" it with a backslash. e.g. ls | grep '\.'. BTW, before you go too far down this path, see Why not parse ls (and what to do instead)?. – cas Sep 07 '21 at 17:22
  • @cas Yes, the idea is that "." will match all characters in the output from the ls I am currently looking at, and therefore print all of it out for me to see – NotQuiteSo1337 Sep 07 '21 at 17:24
  • @jordanm this does not seem to work – NotQuiteSo1337 Sep 07 '21 at 17:26
  • It works with >(ls) instead of <(ls). But you were supposed to solve the exercise by yourself, what's the fun in asking people around? –  Sep 07 '21 at 17:59
  • grep -i <(ls) does not work because grep requires a string to match. You have your (optional) flag(s) (-i), a source of strings (ls), although you shouldn't parse the output of ls, but you are missing the string to search for. grep -i . <(ls) is a valid command, as . is the "string" to search for. I highly recommend you read an introductory course to Bash, as the basics seem to be missing. – Thegs Sep 07 '21 at 18:01
  • Whatever you do, you'll just end up telling the shell to run ls in addition to grep. You're not exactly "using" grep itself. In addition to just piling the second command there with a semicolon (or newline, or &, or && / ||), you could use a command substitution $(...) or if the shell supports it, the process substitution <(...) that was already mentioned. – ilkkachu Sep 07 '21 at 18:09
  • As a punishment for cheating, you now have to solve the problem where the $key is not pasted in the code, but set via the environment ;-) –  Sep 07 '21 at 18:11
  • I ended up making it work in my own shell with <( ), but it doesn't work when I inject it. Perhaps the target shell doesn't support it – NotQuiteSo1337 Sep 07 '21 at 18:26

1 Answer


You’ve almost got it.  Inject

. <(ls)

or

^ <(ls)

for $key.  You need to search for something in the output from ls.  Dot (.) will match any character, so it will match any non-blank line.  Caret (^) matches the beginning of any line, and therefore will match any line, even blank ones.  (You could also use dollar sign.)
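The following script is an added example, not part of the question or the answer above. It reproduces the exercise locally under one assumption that the page does not state: the server pastes $key into the text "grep -i $key dictionary.txt" and hands that whole string to a shell, so shell syntax inside $key is parsed (this is what makes ";" and "<(...)" work at all; a quoted "$key" expanded by the script itself would never be re-parsed). It runs the vulnerable command under bash, because process substitution is a bash/ksh/zsh feature and a plain POSIX sh such as dash rejects "<(" as a syntax error, which matches the comment that the payload worked in the asker's own shell but not on the target. The dictionary, the "secret" directory and its contents are constructed here for the demonstration; the hardened variant shows the fix hinted at in the first comment.

```shell
#!/bin/sh
# Added example (not from the original post): simulate the exercise's
# vulnerable command line and compare the two injection payloads against
# a hardened version. Assumption: the server concatenates $key into the
# string "grep -i $key dictionary.txt" and runs that string via a shell.

set -u

# Constructed working directory: a small dictionary plus a directory whose
# listing the attacker wants to see (no real secret in it).
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
printf 'apple\nbanana\ncherry\n' > "$WORKDIR/dictionary.txt"
mkdir -p "$WORKDIR/secret"
printf 'not-a-real-password\n' > "$WORKDIR/secret/passfile"

# Vulnerable pattern: the attacker-controlled key is pasted into command
# text that a shell then parses, so ";" and "<(...)" in $key take effect.
# bash is used deliberately: "<(...)" does not exist in POSIX sh.
# The "|| true" keeps a non-zero grep status from aborting the caller.
run_vulnerable() {
    ( cd "$WORKDIR" && bash -c "grep -i $1 dictionary.txt" 2>&1 ) || true
}

# Hardened pattern: the key is passed as exactly one argument and is never
# re-parsed by a shell. "-e" makes a key that starts with "-" a pattern
# rather than an option. Any shell syntax in the key is just regex text.
run_hardened() {
    ( cd "$WORKDIR" && grep -i -e "$1" dictionary.txt 2>&1 ) || true
}

# Payload from the answer: "." is the pattern, and the process substitution
# becomes a file operand. grep reads the ls output from /dev/fd/N and then
# also searches dictionary.txt, prefixing each hit with its file name.
payload_procsub='. <(ls secret)'

# Payload from the question: terminate grep with ";" and comment out the
# rest of the line. grep itself runs with no pattern and only prints usage.
payload_semicolon='; ls secret #'

vulnerable_procsub()   { run_vulnerable "$payload_procsub"; }
vulnerable_semicolon() { run_vulnerable "$payload_semicolon"; }
hardened_procsub()     { run_hardened "$payload_procsub"; }

# Stand-alone run: show what each variant leaks.
if [ "${1:-}" = "demo" ]; then
    echo '== vulnerable, process substitution =='; vulnerable_procsub
    echo '== vulnerable, semicolon =='; vulnerable_semicolon
    echo '== hardened, same payload (no leak) =='; hardened_procsub
fi
```

Run it with `sh script.sh demo`. The process-substitution variant prints a line such as `/dev/fd/63:passfile` followed by the dictionary lines, because grep treats the substitution as a second file; the semicolon variant prints grep's usage message and then `passfile`; the hardened variant prints nothing, since the literal text `. <(ls secret)` matches no dictionary line. It also explains the "nothing happens" observed in EDIT 2: `grep -i <(ls)` takes `/dev/fd/N` as its pattern and, with no file operand left, blocks waiting for standard input.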