Works in Unix (Ubuntu). Check for command separator was not present in the exec.

git-svn-id: http://webgoat.googlecode.com/svn/trunk@452 4033779f-a91e-0410-96ef-6bf7bf53c507
2012-04-23 23:11:51 +00:00 · 2012-04-23 23:11:51 +00:00 · 202469b6f3
commit 202469b6f3
parent 0c0483b1ac
1 changed files with 2 additions and 1 deletions
--- a/webgoat/src/main/java/org/owasp/webgoat/lessons/CommandInjection.java
+++ b/webgoat/src/main/java/org/owasp/webgoat/lessons/CommandInjection.java
@ -244,7 +244,8 @@ public class CommandInjection extends LessonAdapter
 	{
 		System.out.println("Executing OS command: " + Arrays.asList(command));
 		ExecResults er = Exec.execSimple(command);
-		if (!er.getError())
+		// the third argument (index 2) will have the command injection in it
+		if ((command[2].indexOf("&") != -1 || command[2].indexOf(";") != -1) && !er.getError())
 		{
 			makeSuccess(s);
 		}