List:       owasp-testing
Subject:    Re: [Owasp-testing] Fwd: Query about command injection
From:       Pranav Venkat <venkatsiva1994 () gmail ! com>
Date:       2017-02-09 11:58:55
Message-ID: CAFoaoo9NQZNk2=Eeqtim33AgUaA9o=RvRTPJ6vAA1iVSaXMf8g () mail ! gmail ! com

Hi Ismael,

Command runs in the dedicated docker (cloudshell) which is provided by
Google, so this doesn't directly affect Google data; it just affects
particular user data (e.g. appengine files).

Since it is affecting particular client data, I termed it as Client side
command injection.

Do let me know if you have queries,

Thanks,

On Thu, Feb 9, 2017 at 4:51 PM, Ismael Rocha <ismaelrocha.projetos@gmail.com> wrote:

> So, congrats on finding the issue.
>
> Reading quickly it seems to be a regular command injection. At the end
> of the day, this needs to run at the backend, right?
>
> Ismael Goncalves
> https://sharingsec.blogspot.com
>
> On Thu, Feb 9, 2017 at 3:45 AM, Pranav Venkat <venkatsiva1994@gmail.com>
> wrote:
> > Hi Team,
> >
> >  By March 2016 I found a command injection in Google cloud. I termed it
> > 'client side command injection' due to application behavior itself.
> >
> > Please check this link
> > www.pranav-venkat.com/2016/03/command-injection-which-got-me-6000.html
> >
> > and let me know if we can include it under command injection category
> > (sub-category)
> >
> >
> > Thanks and regards,
> > --
> > Venkatesh S
> > @pranavvenkats
> > skype - venkat19942010
> > http://www.pranav-venkat.com
> >
> > _______________________________________________
> > Owasp-testing mailing list
> > Owasp-testing@lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-testing
> >
>
>
>
> --
> Ismael Gonçalves
>



-- 
Venkatesh S
@pranavvenkats
skype - venkat19942010
http://www.pranav-venkat.com



