dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Works in Unix (Ubuntu). Check for command separator was not present in the exec.

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@452 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
mayhew64@gmail.com 2012-04-23 23:11:51 +00:00
parent 0c0483b1ac
commit 202469b6f3
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
webgoat/src/main/java/org/owasp/webgoat/lessons/CommandInjection.java
View File

@ -244,7 +244,8 @@ public class CommandInjection extends LessonAdapter
{ {
System.out.println("Executing OS command: " + Arrays.asList(command)); System.out.println("Executing OS command: " + Arrays.asList(command));
ExecResults er = Exec.execSimple(command); ExecResults er = Exec.execSimple(command);
if (!er.getError()) // the third argument (index 2) will have the command injection in it
if ((command[2].indexOf("&") != -1 || command[2].indexOf(";") != -1) && !er.getError())
{ {
makeSuccess(s); makeSuccess(s);
} }