Is it possible to inject commands in shell scripts without using eval?

I was wondering: with the current latest versions of w, bash, ksh, etc., is it possible to get a command injected by running this (very simple) script?

#!/bin/sh

echo "What is the name of the program you are looking for?"
read program
locate $program

Despite the fact that it is, of course, already possible to execute code if they have a shell, I'm just wondering if the variable can contain malicious code, for example, as in PHP:

parameter=parameter;ls

You can also ignore shellshock (env variables) in this matter.

+4
2 answers

Yes, it is possible. But it is not as simple as you mentioned. The following is an example.

Does not work:

$ read -p "Type some text:" var1
Type some text:Example;hostname

$ echo $var1
Example;hostname

$ $var1
Example;hostname: command not found

But if you use this, yes, it will work:

$ read -p "Type some text:" var1
Type some text:hostname

$ echo $var1
hostname

$ $var1
SSBLZMVM1
+1

, , , . , locate . :

#!/bin/sh

echo "What is the name of the program you are looking for?"
read program
locate "${program}"
+1
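
The difference between the unquoted `locate $program` in the question and the quoted form in the second answer, as an added example that is not part of the original posts. `argc` is a hypothetical stand-in for `locate`, and all inputs and file names are constructed.

```sh
#!/bin/sh
# Added example: what the shell does with the value of $program.
# argc is a hypothetical stand-in for locate; it prints its argument count.
argc() { echo "$#"; }

# As in the question: unquoted. The value is split on IFS and then
# glob-expanded, but it is never re-parsed as shell syntax.
unquoted_argc() {
    # shellcheck disable=SC2086
    argc $1
}

# As in the second answer: quoted. The value stays one argument.
quoted_argc() {
    argc "$1"
}

# Run a counter function on a pattern inside a scratch directory that
# holds two constructed files, so glob expansion is observable.
argc_in_scratch_dir() {
    counter=$1 pattern=$2
    dir=$(mktemp -d) || return 1
    : > "$dir/one.txt"
    : > "$dir/two.txt"
    ( cd "$dir" && "$counter" "$pattern" )
    rm -rf "$dir"
}

# Constructed inputs; the first is the string from the first answer.
echo "unquoted 'Example;hostname': $(unquoted_argc 'Example;hostname') arg(s)"
echo "unquoted 'a b c':            $(unquoted_argc 'a b c') arg(s)"
echo "quoted   'a b c':            $(quoted_argc 'a b c') arg(s)"
echo "unquoted '*.txt':            $(argc_in_scratch_dir unquoted_argc '*.txt') arg(s)"
echo "quoted   '*.txt':            $(argc_in_scratch_dir quoted_argc '*.txt') arg(s)"

# Hardened call for the script in the question (assumes a locate that
# uses getopt-style parsing, where -- ends option processing):
#   locate -- "$program"
```

The `;` stays inside a single word in every case, which matches the "command not found" output in the first answer; what the quotes change is word splitting and glob expansion.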
