Add File Vulnerability Not Fixed (Command Injection Lesson)
Written by Rachel Yonan
Updated over a week ago

Issue:

The command injection vulnerability has not been fixed in the create-file function: user-supplied input is still reaching a shell as part of a command line.

Test:

Please review the Defense section of the lesson and try again. Remember that using regular expressions to filter out dangerous OS injection syntax is hard to do correctly and not recommended.

Instead, reference the given code examples to replace the vulnerable code with safer functions that are specifically designed to create files rather than execute arbitrary shell commands.

You can test whether your patch works correctly by reattempting the Blind Injection exploit and entering test1; ping -i 1 -c 15 127.0.0.1 as the filename. If your patch works as expected, the whole string is treated as file names rather than as a command, and you should see multiple files created: test1;, ping, -i, etc.
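The following Python example is added here to illustrate the fix described above; it is not the lesson's own code, and the lesson's application may be in a different language. It shows the vulnerable pattern (interpolating the filename into a shell command, kept only for comparison and never executed here) next to a hardened create-file function that never invokes a shell. The hardened version splits the input on whitespace and creates one file per token, which is an assumption made to match the expected result quoted above (files named test1;, ping, -i, and so on); the base directory, the path checks, and the demo() helper are likewise illustrative choices, not part of the lesson.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample input: the payload the lesson's Blind Injection test uses.
EXPLOIT_PAYLOAD = "test1; ping -i 1 -c 15 127.0.0.1"


def create_file_vulnerable(filename: str, base_dir: str) -> None:
    """Vulnerable pattern, shown for comparison only (never called below).

    The filename is pasted into a shell command line, so /bin/sh parses
    ';', '|', '&&' and similar metacharacters in the user's input as
    command separators and runs whatever follows them.
    """
    os.system(f"cd {base_dir} && touch {filename}")


def create_files_safe(filename: str, base_dir: str) -> list:
    """Create one empty file per whitespace-separated token, with no shell.

    Assumption (not from the lesson): the per-token split mirrors the
    expected outcome of multiple files named 'test1;', 'ping', '-i', ...
    Each token is handed to a file-creation API as data, so shell syntax
    inside it is never interpreted.
    """
    base = Path(base_dir).resolve()
    created = []
    for token in filename.split():
        # Defensive check (illustrative): refuse names that could leave
        # base_dir or that the filesystem would reject.
        if token in (".", "..") or "/" in token or "\x00" in token:
            raise ValueError(f"refusing unsafe file name: {token!r}")
        target = base / token
        # Path.touch() talks to the OS directly; there is no command line
        # for a ';' to terminate, so 'ping ...' is just another file name.
        target.touch(exist_ok=True)
        created.append(token)
    return created


def rejects(filename: str) -> bool:
    """Return True if create_files_safe refuses the given input."""
    try:
        create_files_safe(filename, tempfile.mkdtemp(prefix="hackedu-demo-"))
    except ValueError:
        return True
    return False


def demo(payload: str = EXPLOIT_PAYLOAD) -> dict:
    """Run the hardened function on the lesson payload in a fresh temp dir."""
    base = tempfile.mkdtemp(prefix="hackedu-demo-")
    created = create_files_safe(payload, base)
    return {
        "base_dir": base,
        "created": created,
        "all_exist": all((Path(base) / t).is_file() for t in created),
    }


if __name__ == "__main__":
    result = demo()
    print(f"created in {result['base_dir']}: {result['created']}")
    print(f"all files present: {result['all_exist']}")
```

Running the block creates seven empty files in a temporary directory and no ping process is started; the same payload given to create_file_vulnerable would instead run ping for about fifteen seconds, which is exactly the timing signal the Blind Injection exploit relies on.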