I've been learning about remote/arbitrary command execution. In doing so, I came across some Ruby I thought would be fun to try and exploit.
I've been somewhat successful as I managed to get it to run the 'ls' command, but I can't work out how to add space characters into my commands. If I add a space in, the parse method that URI calls throws an exception.
Here's the code I was trying to exploit:
injection = "www.google.com';ls;#"   # the only line the challenge lets you change
require 'uri'
URI.parse(injection)                  # raises URI::InvalidURIError if the string is not a valid URI
puts `curl '#{injection}'`            # the string is spliced straight into a shell command
So your challenge, should you choose to accept it, is to run an 'ls -l' command instead of 'ls' by only changing the injection string. You may not change anything but the first line.
Things I've tried:
ls%2f-l   # Doesn't raise an exception, but unix doesn't unescape CGI encodings.
ls\x20-l  # Raises an exception because Ruby parses the UTF-8.
# Other various escape combinations (\\x20, etc.)
Maybe it's not possible?
Thanks
You can use the Internal Field Separator, $IFS (by default <space><tab><newline>). Since this is what the shell separates with anyway, it will accept it as a separator. (BTW, thanks for a nice Saturday night puzzle.)
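The following is an added example, not code from the question or the answer above. It shows the answer's point in working Ruby: a space in the injection string fails URI.parse, while the shell variable $IFS (whose default value is space, tab, newline) passes URI.parse and is expanded by /bin/sh into exactly the word break the space would have been. So that it runs offline and deterministically, the shell dry run replaces curl and ls with stub shell functions that only report their argv; the payload strings are constructed for this example. It also shows one fix that keeps the shell, Shellwords.escape, and notes why that escape has to replace the hand-written quotes rather than sit inside them.

```ruby
require 'uri'
require 'open3'
require 'shellwords'

# Constructed payloads for this example (not taken from the original post):
# the space variant that URI.parse rejects, and the $IFS variant that passes.
SPACE_INJECTION = "www.google.com';ls -l;#"
IFS_INJECTION   = "www.google.com';ls$IFS-l;#"

# The vulnerable pattern from the question: URI.parse is the only filter,
# then the raw string is spliced into a single-quoted shell command.
# Returns the command string that the backticks would hand to /bin/sh.
def vulnerable_command(injection)
  URI.parse(injection)          # raises URI::InvalidURIError on a space
  "curl '#{injection}'"
end

# true if URI.parse accepts the string, false if it raises.
def passes_uri_parse?(str)
  URI.parse(str)
  true
rescue URI::InvalidURIError
  false
end

# Run COMMAND under /bin/sh with `curl` and `ls` shadowed by shell functions
# that print their argv, one "name:[arg]" line per argument. This lets the
# injected command be observed without network access or a real `ls`.
# Returns the output lines.
def dry_run(command)
  stubs = <<~SH
    curl() { printf 'curl:[%s]\\n' "$@"; }
    ls()   { printf 'ls:[%s]\\n'   "$@"; }
  SH
  out, _status = Open3.capture2("sh", "-c", stubs + command)
  out.split("\n")
end

# One fix that keeps the shell: escape the whole value and drop the
# hand-written quotes. Putting Shellwords.escape inside the original '...'
# would not help, because backslashes are literal inside single quotes.
# The shell-free alternative is the argv form, e.g. Open3.capture2("curl", url),
# which is not run here because it would make a real network request.
def escaped_command(url)
  "curl #{Shellwords.escape(url)}"
end

if $PROGRAM_NAME == __FILE__
  puts "space passes URI.parse? #{passes_uri_parse?(SPACE_INJECTION)}"  # false
  puts "$IFS passes URI.parse?  #{passes_uri_parse?(IFS_INJECTION)}"    # true

  # The shell would happily run the space version; only URI.parse stops it.
  puts dry_run("curl '#{SPACE_INJECTION}'")
  # With $IFS the payload passes URI.parse and the shell splits ls$IFS-l
  # into "ls" and "-l": curl:[www.google.com] then ls:[-l]
  puts dry_run(vulnerable_command(IFS_INJECTION))
  # Escaped, the whole injected value reaches curl as a single argument.
  puts dry_run(escaped_command(IFS_INJECTION))
end
```

The dry run relies on the shell resolving the command name after expansion and word splitting, which is why the stub function named ls catches the call produced from ls$IFS-l. Note that the variable name in $IFS-l ends at the hyphen, so no braces are needed, and that matters here: { and } are not valid URI characters, so ${IFS} would be rejected by URI.parse while $IFS is not.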