The safety of CGI (2)

Safe risk relies on you how to call these external program. Finish this job to there are a lot of functions to be able to come true in Perl and C. A lot of function in them are passed call Shell, let Shell execute this order next. These commands are in to express by the row 1 in, if you used one of them, so you make Unix Hells appears very flimsy below attack.

Express 1. The function of Shell can be transferred in C and Perl.
Function of C of  of  of  of  of  of  of  of  of  of  of  Perl function
 System(’ . . . System(of  of  of  of  of  of  of ’)   )
 Open(’ | . . . Popen(of  of  of  of  of  of  of ’)   )
 Exec(’ . . . ’ )

 Eval(’ . . . ’ )

` of  of    . . . `

Why is Shell very dangerous? The is not a number character that has a lot of can be changed into special character through Shell. These character are called yuan of character (translator notes: Interpret of Etacharacter of 玬 of Yu engrave cure is yuan of character) , see a table 2.

Express 2. Shell Metacharacters.
;<>* | `&$
! # () [] : {
}’}


Each this kind of character is having special effect in Shell. For example, if you want to use Finger to come,go to result memory in a file, you can be in command travel following inputs:
Finger @fake.machine.org>Results

In this meeting use Finger inquires lead plane Fake.machine.org and saving inquiry Results of file of a text as a result. This > character is a heavy directional accord with here. If you want practically to use > character —— for example, you want to answer it show the —— on screen you will need to add to turn over sprit before this character. Cite a case, xiang Bing act outputs > of a symbol below:
Echo>

This is called escape character (Escaping Or Sanitizing The Character String) .
Is Hacker how to use this to serve as him (her) of the advantage? Watch the following program 3 useful the Finger program that Perl writes. What this program place does is to allow an user to inquire an user and the detailed information of one stage lead plane, and, this CGI can inquire an user and show a result.