Leet Sheet
Command Injection

Last updated 2 years ago

Command Substitution

Command substitution can often prove to be a useful tool for exploiting command injection. For example, the following commands are equivalent to the ping 127.0.0.1 command:

  • ping `echo 127.0.0.1`

  • ping $(echo 127.0.0.1)

The sleep command is often useful for discovery. Payload example: $(sleep 5).

Note: Command substitution only works when your injection is in double-quotes (echo "$INJECTION_HERE") or not in quotes at all (echo $INJECTION_HERE). If your injection is in single quotes (echo '$INJECTION_HERE'), then command substitutions are not done, and you will need to break out of the single quotes first.
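The quoting rule above, as an added example that is not part of the Leet Sheet: each function builds the shell string the way a vulnerable program would (unquoted, double-quoted, single-quoted), and the last two show the two fixes, shlex.quote for the case where a shell string cannot be avoided, and an argument vector with no shell at all. It assumes a POSIX /bin/sh; the injected value is constructed and harmless.

```python
"""Added example (not from the Leet Sheet): quoting context decides whether
command substitution runs. Requires a POSIX /bin/sh; inputs are constructed."""
import shlex
import subprocess

# Constructed "user input": a visible but harmless substitution marker.
INJECTED = "$(echo injected)"


def run_sh(command: str) -> str:
    """Run a string through /bin/sh -c and return stripped stdout."""
    proc = subprocess.run(["sh", "-c", command], capture_output=True, text=True)
    return proc.stdout.strip()


def unquoted(value: str) -> str:
    # echo $INJECTION_HERE -> the substitution runs
    return run_sh(f"echo {value}")


def double_quoted(value: str) -> str:
    # echo "$INJECTION_HERE" -> the substitution still runs
    return run_sh(f'echo "{value}"')


def single_quoted(value: str) -> str:
    # echo '$INJECTION_HERE' -> literal text, unless the value itself
    # contains a ' that closes the quote
    return run_sh(f"echo '{value}'")


def shlex_quoted(value: str) -> str:
    # shlex.quote() single-quotes the value and escapes every embedded ',
    # so a value cannot close the quote it is wrapped in
    return run_sh(f"echo {shlex.quote(value)}")


def no_shell(value: str) -> str:
    # The preferred fix: no shell at all, the value is one argv element
    # and is never parsed for substitutions or operators
    proc = subprocess.run(["echo", value], capture_output=True, text=True)
    return proc.stdout.strip()


if __name__ == "__main__":
    for fn in (unquoted, double_quoted, single_quoted, shlex_quoted, no_shell):
        print(f"{fn.__name__:14s} -> {fn(INJECTED)!r}")
```

Only single_quoted, shlex_quoted and no_shell return the marker unchanged; a value that closes the single quote still gets through single_quoted, which is why the escaping must be done by a library routine and not by hand.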

Automated Exploitation

You can use Commix (commixproject/commix on GitHub, an automated all-in-one OS command injection exploitation tool) for automated command injection testing.

Bypassing Mitigations

Escaping Functions

If there is a function that escapes arguments, such as PHP's escapeshellarg, your input can still be a flag (a value beginning with -), which the program being called may interpret as an option. This might lead to unexpected behaviour.

PHP's escapeshellcmd is even looser. It allows you to specify any number of parameters, but only one command. So you can't chain commands, but depending on the program, you might be able to get the program to behave in interesting ways by submitting certain flags and parameters as input.
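The flag problem above, as an added example that is not from the Leet Sheet: Python's shlex.quote stands in for escapeshellarg (escapeshellarg wraps the value in single quotes, shlex.quote leaves "-la" unquoted because it contains no special characters; the called program sees the same argument either way). The first function escapes and appends the value, the second drops the shell and adds the "--" end-of-options separator. It assumes a POSIX sh and a coreutils or BusyBox ls; the directory and file are constructed.

```python
"""Added example (not from the Leet Sheet): an escaped argument can still be a
flag. Assumes a POSIX sh and an ls that honours '--'; inputs are constructed."""
import os
import shlex
import subprocess
import tempfile


def escaped_only(workdir: str, user_value: str) -> subprocess.CompletedProcess:
    """Escape the value (as escapeshellarg would) and append it. Chaining is
    impossible, but ls still treats a leading '-' as an option."""
    cmd = f"ls {shlex.quote(user_value)}"
    return subprocess.run(["sh", "-c", cmd], cwd=workdir,
                          capture_output=True, text=True)


def guarded(workdir: str, user_value: str) -> subprocess.CompletedProcess:
    """No shell, and '--' tells ls that everything after it is an operand,
    so '-la' is looked up as a file name and fails."""
    return subprocess.run(["ls", "--", user_value], cwd=workdir,
                          capture_output=True, text=True)


def demo() -> dict:
    """Run both variants against a constructed directory holding report.txt."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "report.txt"), "w").close()
        injected = escaped_only(d, "-la")      # behaves as ls -la
        blocked = guarded(d, "-la")            # ls -- -la: no such file
        legit = guarded(d, "report.txt")       # normal use still works
        return {
            "escaped_rc": injected.returncode,
            "escaped_listed_dir": "report.txt" in injected.stdout,
            "guarded_rc": blocked.returncode,
            "guarded_listed_dir": "report.txt" in blocked.stdout,
            "legit_rc": legit.returncode,
        }


if __name__ == "__main__":
    print(demo())
```

The separator only helps for programs that implement it (most getopt-based tools do); where it is not available, validate the value against an allowlist before it reaches the command line.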

Symbol Alternatives

There are often alternatives to common symbols:

  • $IFS is a replacement for a SPACE character.

  • $SHELL expands to the user’s preferred shell.

  • $@ expands to positional arguments, if there are any.

  • You may be able to use newlines (%0a after URL encoding) instead of semicolons and tabs instead of spaces.

Piping and Redirection

Look at the list of bash redirection and command operators (the Unix & Linux Stack Exchange question linked at the end of this page) for ideas to pipe and redirect output.

Edge Cases

If you know which command is run inside a shell command execution function (such as exec()), make sure to experiment with edge cases on the command line. For example, exec(ping blah 127.0.0.1) is equal to exec(ping 127.0.0.1).
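A pre-execution check covering the Symbol Alternatives, Piping and Redirection and Edge Cases sections above, added here and not part of the Leet Sheet: findings() decodes URL encoding (so %0a becomes a newline) and reports which of the listed alternatives, operators or extra tokens a value contains, which is the logic a WAF rule or an application log hook would use; is_valid_host() is the allowlist that actually prevents the ping case, accepting only a literal IP address. The pattern labels and the sample inputs are constructed.

```python
"""Added example (not from the Leet Sheet): flag shell metacharacters and
their alternatives in a user value, and allowlist the ping host instead.
Pattern labels and sample inputs are constructed for the demo."""
import ipaddress
import re
from urllib.parse import unquote

# (pattern, label) pairs; labels are assumed names for logging
SUSPICIOUS = [
    (re.compile(r"[;&|`]"), "control/pipe operator"),
    (re.compile(r"[<>]"), "redirection operator"),
    (re.compile(r"\$\("), "command substitution"),
    (re.compile(r"\$\{?(IFS|SHELL|@)"), "variable used as symbol alternative"),
    (re.compile(r"[\n\r\t]"), "newline/tab alternative"),
    (re.compile(r" "), "extra argument token"),
]


def normalise(raw: str) -> str:
    """URL-decode twice so double-encoded values (%250a) are seen as well."""
    return unquote(unquote(raw))


def findings(raw: str) -> list:
    """Labels of every suspicious construct present after normalisation."""
    value = normalise(raw)
    return [label for pattern, label in SUSPICIOUS if pattern.search(value)]


def is_valid_host(raw: str) -> bool:
    """Allowlist for the ping example: a single literal IP address, nothing else.
    Free text, extra tokens and decoded whitespace all fail the parse."""
    try:
        ipaddress.ip_address(normalise(raw))
        return True
    except ValueError:
        return False


# Constructed sample inputs as a request handler might receive them
SAMPLES = [
    "127.0.0.1",
    "127.0.0.1$IFS$(sleep$IFS5)",
    "127.0.0.1%0als",
    "blah 127.0.0.1",
    "127.0.0.1>out.txt",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:32s} valid={is_valid_host(sample)} findings={findings(sample)}")
```

The denylist is for visibility, not protection: it tells you what to alert on in logs, while only the allowlist (or dropping the shell entirely) decides what reaches the command.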

  • GitHub - commixproject/commix: Automated All-in-One OS Command Injection Exploitation Tool
  • What are the shell's control and redirection operators? (Unix & Linux Stack Exchange)