Be wary of user input! - How to fail at using Popen

Shortly afterwards, @pry0cc found out that if you change your nickname to a command such as echo, then type in this: “@topic 882;something”, the command would be executed with “something” as an argument. The problem lied in the way the bot interfaced with discourse, by executing a shell command to run a ruby script.


I can personally attest to the fallacies of popen. I just had to blacklist more than a dozen characters so that my system wouldn’t explode. AFAIK, I was only vulnerable to single-word commands, like ls.


We pwned your bot xD

1 Like

Do you mind including the code, and how the exploit worked? I’ll do a detailed write-up tommorow.

My code, @pry0cc?

20 characters at least.

Look what I found in a file called test:

Looking up
Location: Mountain View, CA, United States
Weather right now: 

 e[38;5;226m    \   /    e[0m Sunny
 e[38;5;226m     .-.     e[0m e[38;5;226m75e[0m – e[38;5;220m77e[0m °Fe[0m     
 e[38;5;226m  ― (   ) ―  e[0m e[1m↘e[0m e[38;5;220m10e[0m mphe[0m       
 e[38;5;226m     `-’     e[0m 9 mie[0m           
 e[38;5;226m    /   \    e[0m 0.0 ine[0m         

@Joe_Schmoe, it seems it worked.

1 Like

It’s probably a leftover from when you didn’t have “>” blacklisted and I did “@iplookup>>test”

1 Like

Yeah the C code for your bot.

grab it while it’s hot


I am on IRC, nothing happens.

I leave for a few hours, then this shit happens…




I feel ya mate :cry:

I’m considering making an alert bot that links with my phone via Push bullet so.that people can get hold of me, sort of an IRC pager. Would you wanna be on the bot?

1 Like

You should tell me more about it when I get on IRC later today.