Tomáš Pospíšek's Notizblock

Jakub Wilk's URL exploit

Recently Jakub Wilk made a curious blog post. It consists solely of a link.

Since the URL contains a shell script I was wondering what the purpose was - a browser wouldn't execute that shell code, right?

But then I got it: the target of this "exploit URL" is the command line or, respectively, automatic shell scripts.

If used unquoted on the command line, the URL - containing shell metacharacters - will actually execute commands.

The same will happen if that URL is accessed unquoted in some shell script (f.ex. link checking scripts, spiders, or scripts that use a web service).

Tomáš Pospíšek, 2015-09-22