This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Code Injection"
From OWASP
Thandermax (talk | contribs) (→Examples) |
Thandermax (talk | contribs) (→Examples) |
||
| Line 15: | Line 15: | ||
Such as : | Such as : | ||
| − | <!--#exec cmd="ls"--> | + | < !--#exec cmd="ls" -- > |
will show all the files in current directory is the server is on a UNIX/LINUX machine. | will show all the files in current directory is the server is on a UNIX/LINUX machine. | ||
| Line 21: | Line 21: | ||
| − | for Windows platform : | + | for Windows platform : < !--#exec cmd="dir"-- > |
This can be used for destructive purpose also , as the commands are executed in root/admin previlage. | This can be used for destructive purpose also , as the commands are executed in root/admin previlage. | ||
| − | Such as <!--#exec cmd="format c:"--> | + | Such as < !--#exec cmd="format c:"-- > |
==Related Threats== | ==Related Threats== | ||
Revision as of 08:41, 24 July 2006
- This is an Attack. To view all attacks, please see the Attack Category page.
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.
Description
This article should cover attacks based on injecting code into a running application.
Examples
If server side scripting is enabled in some address (such as guestbook , where user can insert data) then the SSI attack can be done.
Such as :
< !--#exec cmd="ls" -- >
will show all the files in current directory is the server is on a UNIX/LINUX machine.
for Windows platform : < !--#exec cmd="dir"-- >
This can be used for destructive purpose also , as the commands are executed in root/admin previlage.
Such as < !--#exec cmd="format c:"-- >
