Scenario is this. I have logged into a web server as admin through the Login pag
Question
Scenario is this.
I have logged into a web server as admin through the login page in a browser. It has displayed a home page of sorts that has an input box with a button next to it saying "ping".
It essentially will ping any IP address that you input (tested with local and external URLs).
I know for a fact the service running on the web server is running as root.
My question is this: can I put in an IP address and then pipe a command after it to elevate my privileges?
For example... (excluding the actual ping command in actuality)
The command shell running the ping is running under root (99% sure of this), so in theory it should allow me to elevate a user's privileges on the system? Please correct me if I'm wrong.
Thanks in advance.
Explanation / Answer
If the command shell is running as root and user-supplied input is not properly validated, then it will execute whatever command you pass to the shell. I think there will be proper validation of the inputs passed by the users. For example, when a user enters an IPv4 address it will be a combination of integers and dots, and for IPv6 it will be integers and ":". So when the user passes the value, it will definitely be validated before being passed to the shell in a variable.
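The validation the answer describes, written out from the server side as an added example (not code from the question, the answer, or the application being discussed): the input must parse as an IP literal, and the result is handed to ping as an argument vector so no shell ever interprets it. The function names, the use of Linux iputils `ping`, and its `-c`/`-W` options are assumptions of this sketch.

```python
import ipaddress
import subprocess

PING_BIN = "ping"  # assumption: Linux iputils ping found on PATH


def parse_target(user_input: str) -> str:
    """Return the canonical form of an IP literal, or raise ValueError."""
    # ip_address() rejects anything that is not a bare IPv4/IPv6 literal:
    # hostnames, option-like strings, embedded spaces, pipes, semicolons.
    addr = ipaddress.ip_address(user_input.strip())
    # Python 3.9+ accepts IPv6 zone IDs ("fe80::1%eth0") and does not
    # restrict the characters after '%', so refuse them outright.
    if getattr(addr, "scope_id", None) is not None:
        raise ValueError("IPv6 zone IDs are not accepted")
    # Use the re-serialised address, never the raw request string.
    return str(addr)


def build_ping_argv(user_input: str) -> list:
    """Build the argument vector for one ping; no shell parses it."""
    return [PING_BIN, "-c", "1", "-W", "2", parse_target(user_input)]


def ping(user_input: str) -> bool:
    """Ping a validated address once and report whether it answered."""
    try:
        result = subprocess.run(build_ping_argv(user_input), shell=False,
                                capture_output=True, timeout=5)
    except subprocess.TimeoutExpired:
        return False
    return result.returncode == 0
```

Validation only controls what reaches ping; whether the web service needs to run as root at all is a separate least-privilege question.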