🥚Exploitation
Command Injection Detection
Let's imagine a host checker 👍
If we enter our localhost, it pings it and tells us whether the host is alive:
We can easily imagine that the backend does something like this:
Here are some important operators for command injection:
| Injection Operator | Injection Character | URL-Encoded Character | Executed Command |
|---|---|---|---|
| Semicolon | `;` | `%3b` | Both |
| New Line | `\n` | `%0a` | Both |
| Background | `&` | `%26` | Both (second output generally shown first) |
| Pipe | `\|` | `%7c` | Both (only second output is shown) |
| AND | `&&` | `%26%26` | Both (only if first succeeds) |
| OR | `\|\|` | `%7c%7c` | Second (only if first fails) |
| Sub-Shell | `` ` ` `` | `%60%60` | Both (Linux-only) |
| Sub-Shell | `$()` | `%24%28%29` | Both (Linux-only) |
To achieve a successful command injection, we would write our expected input (e.g., an IP), then use any of the above operators, and then write our new command.
We can imagine an injection like this, with a semicolon to escape the intended functionality:
Let's see in our terminal if it works:
But on the web app it refuses our input.
So we open the network tab and click the Check button again: no new network requests were made when we clicked Check, yet we got an error message. This indicates that the user input validation is happening on the front-end.
Front-end validations are usually not enough to prevent injections, as they can be very easily bypassed by sending custom HTTP requests directly to the back-end.
Bypassing Front-End Validation
Send the request to Burp and input the payload there:
We could also play around with other operators:
But if we try inputting the OR operator, the request passes but whoami is not executed, since the first command (the ping) returns exit code 0, indicating successful execution; the second command would only be attempted if the first failed and returned exit code 1.
So we can try breaking the original input: in our terminal it does not work, but if we input || whoami in Burp:
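Added example (not the page's own code or the target application's backend) showing the back-end side of what the Burp bypass above proves: a host checker that concatenates input into a shell string is injectable no matter what the front-end checks, whereas a server-side allow-list plus an argv list is not. The `echo` command stands in for `ping` so the example runs offline; `find_injection_operators` flags the operators from the table for logging.

```python
import ipaddress
import subprocess

# Operators from the table above; used only to flag suspicious input for logging/detection.
INJECTION_OPERATORS = (";", "\n", "&&", "||", "&", "|", "`", "$(")


def find_injection_operators(user_input: str) -> list:
    """Return every injection operator that appears in user_input."""
    return [op for op in INJECTION_OPERATORS if op in user_input]


def validate_ip(user_input: str) -> str:
    """Server-side allow-list check: accept one bare IPv4/IPv6 literal, nothing else.

    ipaddress raises ValueError for '127.0.0.1; whoami', '|| whoami', etc.
    """
    return str(ipaddress.ip_address(user_input.strip()))


def host_check_vulnerable(user_input: str) -> str:
    """'Before': input concatenated into a shell string; the shell honours ; & | && ||."""
    # echo substituted for ping so this runs offline (constructed for the example)
    completed = subprocess.run(f"echo checking {user_input}", shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def host_check_safe(user_input: str) -> str:
    """'After': validate first, then pass an argv list so no shell ever parses the input."""
    ip = validate_ip(user_input)  # raises ValueError on anything but an IP
    completed = subprocess.run(["echo", "checking", ip],
                               capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"  # semicolon operator from the table
    print("operators found:", find_injection_operators(payload))
    print("vulnerable backend output:\n" + host_check_vulnerable(payload))
    try:
        host_check_safe(payload)
    except ValueError as exc:
        print("safe backend rejected input:", exc)
    print("safe backend output:", host_check_safe("127.0.0.1"))
```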
Here is a list of such operators:
| Injection Type | Operators |
|---|---|
| SQL Injection | |
| Command Injection | `;` `\n` `&` `\|` `&&` `\|\|` `` ` ` `` `$()` |
| LDAP Injection | |
| XPath Injection | |
| OS Command Injection | |
| Code Injection | |
| Directory Traversal/File Path Traversal | |
| Object Injection | |
| XQuery Injection | |
| Shellcode Injection | |
| Header Injection | |
Try using the remaining three injection operators (new-line, &, |), and see how each works and how the output differs. Which of them only shows the output of the injected command?