In my Bash CGI script, I take a command passed as GET parameter and execute it. This could be:
CMD='ls -al'
$CMD
Which works fine and produces expected output. But if I try to pass two commands with
CMD='ls -al; echo hello'
$CMD
or
CMD='ls -al && echo hello'
$CMD
neither command gets executed.
How can I run multiple commands from the same line/variable in my bash CGI?
1 solution
#1
0
You can execute variables as bash code using bash:
# UNSAFE, DO NOT USE
cmd='ls -al; echo hello'
bash -c "$cmd"
Alternatively, depending on the context you want to run it in, you can use eval "$cmd" to run it as if it was a line in your own script, rather than a separate piece of shell code to execute:
# UNSAFE, DO NOT USE
cmd='ls -al; echo hello'
eval "$cmd"
Both of these methods have serious implications for security and correctness, so I felt I had to add warnings to prevent them from being copied out of context.
For your remote shell or root kit specifically meant to run insecure user input, you can ignore the warnings.
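A safer shape for the CGI script discussed above, added here as an example and not part of the original question or answer: the request selects a named action from a fixed allowlist instead of supplying shell text to eval or bash -c. The `action` parameter and the action names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: allowlist dispatcher for a shell CGI script.
# The "action" parameter and the action names below are hypothetical.

# Print the value of parameter $2 from query string $1; exit 1 if absent.
# No URL-decoding is done: allowed names contain only [a-z_], so any
# encoded or otherwise unexpected value simply fails the allowlist later.
get_param() (
    query=$1 name=$2
    set -f                      # no globbing while splitting
    IFS='&'
    for pair in $query; do
        case $pair in
            "$name"=*) printf '%s\n' "${pair#*=}"; exit 0 ;;
        esac
    done
    exit 1
)

# Map an action name to a fixed command line written by the script author.
# The request only picks a name, so ';' or '&&' in it is never parsed as shell.
run_action() {
    case $1 in
        list)           ls -al ;;
        hello)          echo hello ;;
        list_and_hello) ls -al && echo hello ;;
        *)              return 64 ;;   # not on the allowlist
    esac
}

# Build the CGI response for query string $1.
handle_request() (
    action=$(get_param "$1" action) || action=
    if out=$(run_action "$action" 2>&1); then
        printf 'Content-Type: text/plain\r\n\r\n%s\n' "$out"
    else
        printf 'Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n'
        printf 'request rejected\n'
        exit 1
    fi
)

# Run only when invoked by a web server (CGI sets GATEWAY_INTERFACE).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    handle_request "${QUERY_STRING:-}"
fi
```
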