Nim, known for its efficiency and expressiveness, isn't immune to the subtle intricacies of command execution on Windows. Windows runs a batch file through `cmd.exe`, which re-parses the command line under its own quoting rules, so escaping that is correct for an ordinary executable does not necessarily hold for a `.bat` file. By experimenting with a simple Nim script that executes a `test.bat` file with varying inputs, we uncover the nuances of this command injection vulnerability.
**Your system could be vulnerable if it matches these conditions:**

- Runs on Windows
- Executes external commands from within the application
- Accepts user-controlled input
- Passes that input to a batch (`.bat`) file it executes

### The Experiment
The Nim script executes the batch file in three different ways:

- Without quoting the shell input, using `execProcess`
- With quoting, using `quoteShell` together with `execProcess`
- Direct shell command execution, using `execShellCmd`
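The following Nim program is an added example that reproduces the three execution styles above; it is not the post's own script. It assumes a `test.bat` next to the binary that simply echoes its first argument (for instance `@echo off` followed by `echo arg1=[%1]`), and the two input strings are constructed for the experiment: the second one contains a `cmd.exe` command separator (`&`) so that a second command runs if the batch file's argument is re-parsed by `cmd.exe`. A fourth, allow-listed variant is added as the hardened form; it is not something the post describes.

```nim
## bat_injection_probe.nim  (added example, not the post's original script)
## Build: nim c bat_injection_probe.nim
## Assumes test.bat in the working directory, e.g.:
##   @echo off
##   echo arg1=[%1]
import std/[os, osproc, strutils]

const BatFile = "test.bat"   # assumed location; adjust to where your test.bat lives

# Constructed "user input" values for the experiment. The first is harmless; the
# second carries a cmd.exe command separator (&) after a stray double quote.
const Inputs = [
  "hello",
  "hello\" & echo INJECTED &",
]

proc runUnquoted(input: string): string =
  ## 1. execProcess with its default options (poEvalCommand is included), so the
  ##    whole string goes to the shell; the input is concatenated without quoting.
  execProcess(BatFile & " " & input)

proc runQuoted(input: string): string =
  ## 2. Same call, but the input is wrapped with quoteShell first.
  execProcess(BatFile & " " & quoteShell(input))

proc runShellCmd(input: string): int =
  ## 3. execShellCmd runs the line through the system shell (cmd /c on Windows)
  ##    and returns the exit code; the output goes straight to the console.
  execShellCmd(BatFile & " " & input)

# Hardened variant (added here, not from the post): reject anything that is not a
# plain token before the string ever reaches a batch file. An allow-list does not
# depend on cmd.exe's quoting rules, which is the point of the experiment.
const SafeChars = Letters + Digits + {'_', '-', '.'}

proc runAllowListed(input: string): string =
  if input.len == 0 or not input.allCharsInSet(SafeChars):
    raise newException(ValueError, "rejected argument: " & input)
  execProcess(BatFile & " " & input)

when isMainModule:
  for input in Inputs:
    echo "--- input: ", input
    echo "[unquoted execProcess]   ", runUnquoted(input).strip()
    echo "[quoteShell execProcess] ", runQuoted(input).strip()
    echo "[execShellCmd] exit code ", runShellCmd(input)
    try:
      echo "[allow-listed]           ", runAllowListed(input).strip()
    except ValueError as e:
      echo "[allow-listed]           ", e.msg
```

Run it on Windows and compare the three outputs for the second input: if the word `INJECTED` is printed by the `quoteShell` variant as well, quoting was not sufficient for a batch file, because `cmd.exe` re-parses the argument and treats the `&` outside its own notion of a quoted span as a command separator. The allow-listed variant refuses that input before any process is started.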