Bash: unquoted expression injection

root-me challenge: Bash - unquoted expression injection: Bypass this script’s security to recover the validation password.


./somescript "0 -o foo" makes any condition become

test 1234 -eq 0 -o foo

This is the equivalent of 1234 == 0 || "foo" in other languages: one irrelevant numeric comparison OR'd with the truth value of the string foo.

test treats every non-empty string as true, so the whole expression is always true no matter what value the script was actually checking against.

Counter moves

An unquoted expansion lets input become part of the test expression, i.e. input becomes code. Quoting the expansion ("$1", so the argument stays a single word) and validating the input before comparing it (for a numeric password, rejecting anything that is not all digits) are the fixes. The defender’s view is in the blue notes on the application layer as a target.
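The following is an added example, not the challenge's own script: a vulnerable check written with the unquoted expansion described above, next to a hardened version that validates and quotes the argument. SECRET=1234 is a constructed stand-in for the real validation value, and the three inputs in the loop (a correct value, a wrong value, and the "0 -o foo" string from the writeup) are constructed test inputs.

```shell
#!/bin/bash
# Added example; constructed stand-in for the challenge's validation value.
SECRET=1234

# Vulnerable form: $1 is expanded unquoted, so the shell word-splits it and
# each word becomes a separate operand/operator of the test expression.
# "0 -o foo" turns `test 1234 -eq $1` into `test 1234 -eq 0 -o foo`.
check_unquoted() {
    if test $SECRET -eq $1 2>/dev/null; then
        echo "granted"
        return 0
    fi
    echo "denied"
    return 1
}

# Hardened form: validate that the argument is all digits first, then quote
# the expansion so it can only ever be one operand of the comparison.
check_hardened() {
    case "$1" in
        ''|*[!0-9]*)
            echo "denied"
            return 1
            ;;
    esac
    if [ "$SECRET" -eq "$1" ]; then
        echo "granted"
        return 0
    fi
    echo "denied"
    return 1
}

# Run both checks over constructed inputs: the correct value, a wrong value,
# and the injected expression from the writeup.
for input in "1234" "9999" "0 -o foo"; do
    printf 'input=[%s]  unquoted: %s  hardened: %s\n' \
        "$input" "$(check_unquoted "$input")" "$(check_hardened "$input")"
done
```

The loop prints "granted" from the unquoted check for both the correct value and the injected string, while the hardened check only accepts the correct value; the case pattern rejects the injected string before it ever reaches the comparison, and even without that guard the quoted "$1" would make test see a single non-numeric operand and fail rather than evaluate an extra -o clause.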