Command injection lesson not working correctly

Description

From the mailing list, reported by Mitchell Fisher:

At Bruce's suggestion, here is another.

I couldn't get the Command Injection solution to work on Windows in WebGoat 6.0.1, Build: 247. The & separator between Windows command line commands is also the parameter separator in the POST data, and messed up the parameter parsing?

I was able to do the attack by using the || separator, which on Windows means that if the first command fails, execute the second command. So I misspelled the file name to type and followed it with my added command, and only one command:

HelpFile=AccessControlMatrixXX.help" || netstat -an&SUBMIT=View

Which returned the result of netstat to my screen but did not give me credit.

Perhaps the test in the exec() methods could be changed from:

if ((command[2].indexOf("&") != -1 || command[2].indexOf(";") != -1) && !er.getError())

to:

if ((command[2].indexOf("netstat") != -1) && !er.getError())
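The report shows two ways to grade the lesson: the current separator check (only `&` and `;`, so a `||` chain is never credited) and the proposed `netstat`-only check (credits one specific command and nothing else). The example below is added here and is not WebGoat's code; it assumes the lesson hands the decoded HelpFile value to a check function and compares the two checks from the report against a separator check that also recognises the cmd.exe and POSIX chaining tokens (`&&`, `||`, `|`, newline, `$(`, backtick). The sample inputs are constructed, including the `||` payload from the report.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical lesson-grading helper; not part of WebGoat. */
public class CommandSeparatorCheck {

    // Tokens that chain or nest a second command: cmd.exe uses & && | ||,
    // POSIX shells add ; newline $( and backticks. Longer tokens are listed
    // first so "&&" and "||" are reported whole rather than as "&" or "|".
    private static final Pattern SEPARATOR =
            Pattern.compile("&&|\\|\\||&|\\||;|\\r?\\n|\\$\\(|`");

    /** Returns the first chaining token found in the submitted value, or null if none. */
    public static String findSeparator(String submitted) {
        Matcher m = SEPARATOR.matcher(submitted);
        return m.find() ? m.group() : null;
    }

    /** The check as the report quotes it from exec(): only '&' or ';' count. */
    public static boolean originalCheck(String submitted) {
        return submitted.indexOf("&") != -1 || submitted.indexOf(";") != -1;
    }

    /** The check as the report proposes it: only one specific command counts. */
    public static boolean proposedNetstatCheck(String submitted) {
        return submitted.indexOf("netstat") != -1;
    }

    public static void main(String[] args) {
        // Constructed samples as the lesson sees them after form decoding: the
        // literal '&' in the reported POST body is already consumed as a field
        // separator, so only the '||' inside the HelpFile value survives.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("legitimate value", "AccessControlMatrix.help");
        samples.put("reported '||' payload", "AccessControlMatrixXX.help\" || netstat -an");
        samples.put("other command via '&&'", "AccessControlMatrix.help\" && echo hi");
        samples.put("POSIX ';' chain", "AccessControlMatrix.help; echo hi");

        for (Map.Entry<String, String> e : samples.entrySet()) {
            System.out.printf("%-24s original=%-5b netstat-only=%-5b separator=%s%n",
                    e.getKey(), originalCheck(e.getValue()),
                    proposedNetstatCheck(e.getValue()), findSeparator(e.getValue()));
        }
    }
}
```

Running it shows the original check missing the reported payload, the netstat-only check missing any other chained command, and the separator check flagging all three chained inputs while leaving the legitimate value alone.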

Environment

None

Status

Assignee

Nanne Baars

Reporter

Nanne Baars

Labels

None

Components

Affects versions

WebGoat 6.1

Priority

Blocker