• 0 Posts
  • 22 Comments
Joined 1 year ago
cake
Cake day: June 13th, 2023

help-circle

  • if this is your first time doing a big trip together, honestly, forget about it being prefect. it won’t be, and that’s ok. trips don’t need to be perfect to be meaningful, in fact, i’ve found the opposite to be true. the more wild and unexpected the adventure is, the more memorable and important it becomes to me.

    so I’d say it’s best to keep an idea of things you’d like to see or do, but also be flexible and willing to adapt. traveling with someone that forces everyone to stick to a rigid itinerary is never fun and is a good way to ruin the trip. all it takes is one lost bag or one missed train to throw all your careful planning out the window. better to roll with the punches than self destruct when that happens.







  • hatedbad@lemmy.sdf.orgtoSecurity@programming.dev*Permanently Deleted*
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    3
    ·
    8 months ago

    even in your hypothetical of a file name passed in through the args, either the attacker has enough access to run said tool with whatever args they want, or, they have taken over that process and can inject whatever args they want.

    either attack vector requires a prior breach of the system. you’re owned either way.

    the only way this actually works as an exploit is if there are poorly written services out there that blindly call through to CreateProcess that take in user sourced input without any sanitization, which if you’re doing that then no duh you’re gonna have a bad time.

    cmd.exe is always going to be invoked if you’re executing a batch script, it’s literally the interpreter for .bat files. the issue is, as usual, code that might be blindly taking user input and not even bothering to sanitize it before using it.