Skip to content
logo
Red tradecraft
Perl: Command injection
  • Privacy greenhouse
  • Defence blues
  • Purple crossroads
  • Indigo observatory
  • Contact
Initializing search
    • In: Where the falcons and foxes roam
    • Through: Where the raccoons burrow and rummage
      • The art of staying where you are not wanted
        • The field guide to staying unnoticed
        • Persistence runbooks
        • Digging under the Linux shed
        • Dumpster diving behind the windows store
        • Where the raccoon learns to never leave
        • Burrows, backdoors, and bashful shenanigans
          • Bash: System 1
          • sudo: weak configuration
          • Bash: System 2
          • LaTeX: Input
          • Powershell: Command Injection
          • Bash: unquoted expression injection
          • Perl: Command injection
            • Resources
            • Counter moves
          • Bash: cron
          • Python input()
          • Python pickle
      • Overflowing the bin on purpose
      • Reverse engineering
      • Steganography
      • Crypto-attacks
      • Slipping through the cracks
    • Out: Where squirrels swipe the crown jewels
    • Fungolia earthworks
    • Unseen University Power & Light Co.
    • The Scarlet Semaphore
    • Resources
    • Counter moves

    Perl: Command injection¶

    root-me challenge: Perl - Command injection: Retrieve the password stored in .passwd.

    >>> |cat .passwd

    Resources¶

    • Security Issues in Perl Scripts

    • Perl

    Counter moves¶

    Perl reaching a shell with tainted input is the bug. Taint mode and parameterised calls are the defence. The defensive counterpart is in the blue notes on the application layer as a target.

    2026-06-14 18:23
    © Copyright 2025, TyMyrddin.
    Created using Sphinx 7.2.6. and Sphinx-Immaterial

    Made with love in the Unseen University, 2025, with a forest garden fostered by /ut7