I'm not saying that this code is definitely exploitable.. just that it could be, in theory. Maybe if $3 was something like:
!add room $+($network,$chr(41),$chr(32),echo,$chr(32),-s,$chr(32),pwned,$chr(32))
I think that would evaluate to:
"<networkname>) echo -s pwned "
.. add that to the rest of the line when it is evaluated the second time over the scon command..
if ($network == $network) echo -s pwned) inc % $+ i
No.
That's evaluating it 3 times.
This is what I believe would happen.
(script)
scon -at1 if ($network == $3) inc %i
(evaluation 1)
if ($network == $+($network,$chr(41),$chr(32),echo,$chr(32),-s,$chr(32),pwned,$chr(32))) inc %i
(evaluation 2)
if (networkname == networkname) echo -s pwned )) inc %i
The two italic fields will not match, so %i will not be incremented.
From what I have looked at you need more than one $N value, however I wouldn't take that as written in stone.
* I'm also not sure if the %i would get evaluated out to its contents; this might be a special non-evaluated variable due to the preceding INC command. (I didn't check)
I have found simple tricks can often get around problems, just ensure the $3 can't be evaluated.
(script)
scon -at1 if (~ $!+ $!network == ~ $+ $3) inc %i
(evaluation 1)
if (~ $+ $network == ~$+($network,$chr(41),$chr(32),echo,$chr(32),-s,$chr(32),pwned,$chr(32))) inc %i
(evaluation 2)
if (~networkname == ~$+($network,$chr(41),$chr(32),echo,$chr(32),-s,$chr(32),pwned,$chr(32))) inc %i
By attaching something (~) to the front of the evaluated $3, it prevents the double evaluation of it.
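The two evaluations walked through above (the first post's $3 payload against the original if-line, and the reply's ~ $+ trick) can be replayed with a small model of the evaluator. This is an added example, not code from either poster and not mIRC itself: it assumes a simplified evaluator in which an identifier is only recognised at the start of a token, and the NETWORK value and the "add room" arguments are constructed.

```python
import re

# Toy model of the two-pass evaluation the thread describes (an assumption for
# illustration, not mIRC's parser): it knows $N, $network, $chr(N), $+(a,b,..),
# the "a $+ b" join token and $!name, and it only recognises an identifier that
# starts a token, so "~$+(..)" stays plain text. The reply's fix relies on that.
NETWORK = "networkname"   # constructed value returned by $network

def at_boundary(text, i):   # a "$" only starts an identifier at the start of a token
    return i == 0 or text[i - 1] == " " or (text[i - 1] == "(" and text[i - 2:i - 1] in ("", " "))

def evaluate(text, args):
    """One evaluation pass. Replacement text is appended verbatim, never re-scanned."""
    out, i = [], 0
    while i < len(text):
        m = re.match(r"\$(!?)(\w+|\+)", text[i:])
        if not m or not at_boundary(text, i):
            out.append(text[i]); i += 1; continue
        bang, name = m.groups(); i += m.end()
        if bang:                                   # $!name -> $name, evaluated next pass
            out.append("$" + name); continue
        params = None
        if i < len(text) and text[i] == "(":       # balanced (a,b,..); each arg evaluated
            depth, j = 1, i + 1
            while depth:
                depth += (text[j] == "(") - (text[j] == ")"); j += 1
            params = [evaluate(p, args) for p in text[i + 1:j - 1].split(",")]
            i = j
        if name == "+" and params is None:         # "a $+ b": joins its neighbours
            while out and out[-1] == " ": out.pop()
            while i < len(text) and text[i] == " ": i += 1
        elif name == "+": out.append("".join(params))
        elif name == "chr": out.append(chr(int(params[0])))
        elif name == "network": out.append(NETWORK)
        elif name.isdigit(): out.append(args[int(name) - 1])
        else: out.append("$" + name)               # unknown identifier stays literal
    return "".join(out)

def run_if(line):   # model of "if (a == b) command": the command that would run, or None
    m = re.match(r"if \((.*?)\) (.*)", line)
    lhs, rhs = m.group(1).split(" == ")
    return m.group(2) if lhs == rhs else None

VULNERABLE = "if ($network == $3) inc %i"                 # the line from the thread
HARDENED = "if (~ $!+ $!network == ~ $+ $3) inc %i"       # the reply's fix
# Constructed $3 from the first post: a closing paren and a command smuggled via $chr().
PAYLOAD = "$+($network,$chr(41),$chr(32),echo,$chr(32),-s,$chr(32),pwned,$chr(32))"

def dispatched(script, third_arg):   # scon -at1: one pass now, one more pass on dispatch
    args = ["add", "room", third_arg]
    return run_if(evaluate(evaluate(script, args), args))
```

With the payload, the original line ends up running the smuggled echo, while the hardened line compares ~networkname against the still-literal ~$+(...) and runs nothing; a plain network name still increments %i in both versions.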