Command Injection
Command Substitution
Command substitution can often prove to be a useful tool for exploiting command injection. For example, the following commands are equal to the ping 127.0.0.1 command:
ping `echo 127.0.0.1`ping $(echo 127.0.0.1)
The sleep command is often useful for discovery. Payload example: $(sleep 5).
Note: Command substitution only works when your injection is in double-quotes (echo "$INJECTION_HERE") or not in quotes at all (echo $INJECTION_HERE). If your injection is in single quotes (echo '$INJECTION_HERE'), then command substitutions are not done, and you will need to break out of the single quotes first.
Automated Exploitation
You can use Commix for automated command injection testing:
Bypassing Mitigations
Escaping Functions
If there is a function that escapes arguments, such as PHP's escapeshellarg, then you can still have your input be some flag. This might lead to unexpected behaviour.
PHP's escapeshellcmd is even looser. It allows you to specify any number of parameters, but only one command. So you can't chain commands, but depending on the program, you might be able to get the program to behave in interesting ways by submitting certain flags and parameters as input.
Symbol Alternatives
There are often alternatives to common symbols:
$IFSis a replacement for a SPACE character.$SHELLexpands to the user’s preferred shell.$@expands to positional arguments, if there are any.You may be able to use newlines (
%0aafter URL encoding) instead of semicolons and tabs instead of spaces.
Piping and Redirection
Look at the list of bash redirection and command operators for ideas to pipe and redirect output:
Edge Cases
If you know what command they're using inside a shell command execution function (such as exec()), make sure to experiment with edge cases on the command line. For example,exec(ping blah 127.0.0.1) is equal to exec(ping 127.0.0.1).
Last updated
