epinna/weevely3

Exec shell commands as given

az0r3 opened this issue · 1 comments

az0r3 commented

Hi. Straight to the point:

The what

When executing any command with arguments, which contain spaces and are enclosed in ' or ", quotes are stripped and arguments are therefore fucked up.
Example:

$ curl -v -H "Content-Type: application/json" -s http://127.0.0.1
* Hostname was NOT found in DNS cache
* Could not resolve host: application
* Closing connection 0
* Rebuilt URL to: http://127.0.0.1/
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#1)
> GET / HTTP/1.1
> User-Agent: curl/7.38.0
> Host: 127.0.0.1
> Accept: */*

Note: Could not resolve host: application and no Content-Type: application/json in actual connection. Why?

The why

Log is a nice thing to have. There is a
[D][php] PAYLOAD chdir('[redacted]');@error_reporting(0);@system('curl -v -H Content-Type: application/json -s http://127.0.0.1 2>&1');
there. Wtf?

The wtf

It turns out you correctly parse the shell command (module.py@96):
command = shlex.split(line)
And reconstruct it, joining args as-is, without any quotes (sh.py@120):
self.args['command'] = ' '.join(self.args['command']).replace("'", "\\'")
(probably you wanna also escape the \ here)
Wtf? Why is there a need to split the command and then join it back?
(If the answer is to validate shell command, it fails to do that, verify by echo "test )

The proposal

This is frustrating and clearly not a feature, but a bug. Can't be fixed by joining args with ' or " because of difference in env vars expansion between quotes, the shell must execute what was planned, exactly.
Variant 1. One of maintainers fixes this by running original command, not reparsed.
Variant 2. Someone explains to me the structure of your code (from terminal.py@74 to php.py@108) and I'll be able to make a pull request. Without docs it takes time to understand some lines, for example:
why is there a '--' at module.py@217-219:
modules.loaded['shell_sh'].run_cmdline('%s -- %s' % (cmd, args))
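The lossy split-then-join round-trip described in this report, as an added Python example (not weevely's own code): `LINE` is a constructed sample command line, and `shlex.join` assumes Python 3.8+.

```python
import shlex


def rejoin_lossy(line: str) -> str:
    """Reconstruction the report describes: split, then rejoin with spaces,
    escaping only single quotes. The quotes that grouped arguments are gone,
    so the remote shell re-splits the line differently."""
    args = shlex.split(line)
    return ' '.join(args).replace("'", "\\'")


def rejoin_quoted(line: str) -> str:
    """Round-trip that keeps argument boundaries by re-quoting every token.
    Side effect (why the report rejects quoting as a fix): $VARS end up
    single-quoted, so the remote shell will no longer expand them."""
    return shlex.join(shlex.split(line))


def argv_after(cmdline: str) -> list:
    """argv a POSIX shell would build from the rebuilt command line."""
    return shlex.split(cmdline)


# Constructed sample, mirroring the curl invocation in the report.
LINE = 'curl -v -H "Content-Type: application/json" -s http://127.0.0.1'

if __name__ == '__main__':
    original = argv_after(LINE)
    print(rejoin_lossy(LINE))          # header argument split into two tokens
    print(argv_after(rejoin_lossy(LINE)) == original)   # False
    print(argv_after(rejoin_quoted(LINE)) == original)  # True
    print(rejoin_quoted('echo $HOME'))  # echo '$HOME' (expansion suppressed)
```

Passing the original, unsplit line through unchanged is the only variant that preserves both the argument grouping and the caller's intended expansion.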

Ignore my previous answer, the fix was related to the management of the aliases command (such as curl). You'll find the fix in the next release 4.0.0.