From 202469b6f3e8934beb04c9a8d5738660df734673 Mon Sep 17 00:00:00 2001
From: "mayhew64@gmail.com"
Date: Mon, 23 Apr 2012 23:11:51 +0000
Subject: [PATCH] Works in Unix (Ubuntu). Check for command separator was not present in the exec.

git-svn-id: http://webgoat.googlecode.com/svn/trunk@452 4033779f-a91e-0410-96ef-6bf7bf53c507
---
 .../main/java/org/owasp/webgoat/lessons/CommandInjection.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/webgoat/src/main/java/org/owasp/webgoat/lessons/CommandInjection.java b/webgoat/src/main/java/org/owasp/webgoat/lessons/CommandInjection.java
index 3ee6092a9..9c50cc611 100644
--- a/webgoat/src/main/java/org/owasp/webgoat/lessons/CommandInjection.java
+++ b/webgoat/src/main/java/org/owasp/webgoat/lessons/CommandInjection.java
@@ -244,7 +244,8 @@ public class CommandInjection extends LessonAdapter
 {
 System.out.println("Executing OS command: " + Arrays.asList(command));
 ExecResults er = Exec.execSimple(command);
- if (!er.getError())
+ // the third argument (index 2) will have the command injection in it
+ if ((command[2].indexOf("&") != -1 || command[2].indexOf(";") != -1) && !er.getError())
 {
 makeSuccess(s);
 }
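Review bot: The new condition indexes `command[2]` with no length check, so a caller that passes a shorter array gets an ArrayIndexOutOfBoundsException after `Exec.execSimple(command)` has already run. The callers are outside this hunk, so whether each one always builds a three-element array cannot be confirmed from here. A guard keeps the check self-contained: `if (command.length > 2 && (command[2].contains("&") || command[2].contains(";")) && !er.getError())`. The added comment should also say that this test only decides whether the lesson is marked complete, for example `// lesson-completion check only: runs after the command has executed and is not input validation`, so nobody copies it as a sanitisation pattern. The enclosing method starts and ends outside the hunk.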