Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Improper Neutralization of Special Elements used in a Command in Shell-quote #26
wh0 Posted 3 Years Ago- The main way the escaping was done, was via regex. The Regex had a hilarious bug in it. It was simply
A-z. What does this do? Get all ASCII characters from A-Z, a-z and everything in between. What they meant was[A-Za-z]. - What's in the middle?
:,;,<,=,>,?and@were now allowed in the command. In particular, the semicolon could finish a bash command, only to start a new one. Fascinating to see a bug destroy the whole existence of the package.
