Command Injection vulnerabilities are a class of application security issue where an attacker can cause the application to execute an underlying operating system command. For that reason it’s generally a high impact issue. It can be exploited simply by chaining commands along with the expected input by using shell control characters such as:
Developers have a variety of reasons why they might want their web applications to execute underlying operating system commands. One example could be an application that allows a user to check if a host is online by pinging its IP address. The URL for this function could look something like this:
and the output on the screen could be:
However, if user input is insecurely passed to this function, a user could chain a command on the end, such as " && id", and this would be executed along with the main command, changing the input in our example to this:
and so the output on the screen would be:
As you might guess from above, the user gains the permissions that the affected application has, so if it’s running as www-data or root you’d get that privilege level! An easy way to compromise a box and potentially allow an attacker to take over the webserver, deface the application or steal confidential data!
However, things get more complicated for the attacker if the system does not show the output in the application itself; it might just silently execute the command and output something generic like "Success" or "done". If this is the case an attacker can still determine the existence of the vulnerability and blindly exploit it through inference.
For example, imagine chaining the Linux command "sleep" to the end of the input, such as:
With this request the output, if vulnerable, would come through as expected with the "Success" message, however it would take a noticeable amount of time to return – something around 10 seconds longer than without the payload. To determine whether this was just a laggy server or not you could try multiple different delay levels to see if the observed delay matches the expected amount. So sleep 10 causes approximately a 10 second delay and sleep 30 causes approximately a 30 second delay, reducing the likelihood that this is a false positive.
At this point you've got a successful Blind Command Injection vulnerability! Before I get on to how to utilise that as an attacker however, there's one more type to deal with: blind injection with out-of-band detection. This class occurs when an application is vulnerable but no change in output can be perceived through the application, for example if the application executes the request in a new thread, so delaying the server through the "sleep" command doesn't work (or at least can't be perceived through the application itself).
In this case we can get our "noticeable change" by calling out to another server and monitoring that server for requests. For example you could try a payload like the following:
This would cause an affected (Linux) server to call out to the attacker's machine. The wget command simply requests that the server download a web page. Therefore the attacker could see that the payload worked successfully, as their logs would show a GET request to the file: /?attacksuccessful
Now to turn that into a viable attack payload to, for example, steal confidential files, the attacker could try chaining the contents of the file into the request to the attacker's server! A payload like this would be effective:
Here the attacker is taking the contents of the confidential file /etc/password, encoding it with base64 so that it's possible to transmit it in a URL, and then using the wget command again to send that file in an HTTP GET request to the attacker controlled server! One thing to remember is that the base64 command will line wrap by default after 76 characters, but you can use the -w 0 parameter to disable this, like this:
As you can imagine, this is a pretty bad vulnerability which I’ve seen multiple times during Penetration Testing engagements but I’ve seen little in the way of content online about the issue, so I thought I’d throw a few notes down in a post. The important part though: there are specific ways to secure command execution depending on your underlying language and programming framework however one thing that’ll work for general cases is effective user input filtering! Luckily, I’ve written about that here!
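To make the fix concrete, here is an added example (not code from the original post) of the ping-host function from the text in its vulnerable form beside a hardened form. The hardened version validates the parameter against an allowlist (it must parse as an IP address) and passes it as an argv element with no shell, so the " && id" chaining shown above is rejected before anything runs; the function and parameter names are assumptions.

```python
"""Constructed example: a 'is this host online?' check, vulnerable and hardened."""
from __future__ import annotations

import ipaddress
import subprocess
import sys


def build_ping_unsafe(host: str) -> str:
    # Vulnerable pattern: user input is spliced into a string that a shell
    # will parse, so shell control operators in 'host' are honoured.
    return f"ping -c 1 {host}"


def validate_ip(host: str) -> str:
    # Allowlist validation: accept only something that parses as an IPv4/IPv6
    # address. Anything else (including chained commands) is rejected outright.
    try:
        return str(ipaddress.ip_address(host.strip()))
    except ValueError as exc:
        raise ValueError(f"rejected host parameter: {host!r}") from exc


def build_ping_safe(host: str) -> list[str]:
    # Hardened pattern: validated value goes into an argv list. With shell=False
    # the kernel execs ping directly; no shell ever sees the string.
    return ["ping", "-c", "1", validate_ip(host)]


def ping_host(host: str, timeout: float = 5.0) -> bool:
    result = subprocess.run(build_ping_safe(host), capture_output=True, timeout=timeout)
    return result.returncode == 0


def argv_is_literal(payload: str) -> str:
    # Demonstrates the second layer of defence: even if a payload slipped past
    # validation, as an argv element it is one opaque argument, not a command.
    # (A Python child echoes argv[1] so the demo runs without needing ping.)
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", payload],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    print(build_ping_unsafe("127.0.0.1 && id"))  # the shell would run both commands
    print(build_ping_safe("127.0.0.1"))
    print(argv_is_literal("127.0.0.1 && id"))    # echoed back verbatim, 'id' never runs
```

If a shell really is unavoidable, shlex.quote() on the validated value is the fallback, but allowlisting plus argv removes the injection surface rather than escaping it.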
Again, the minimum characters to consider dangerous in regards to this issue are:
Payloads can be incredibly varied as the attacker has an awful lot of flexibility, but a few simple ones are things like:
The following Linux penetration testing cheat sheet is for use during local enumeration, post exploitation or when performing command injection etc.
COMMAND | DESCRIPTION |
---|---|
netstat -tulpn | Show Linux network ports with process IDs (PIDs). |
watch ss -stplu | Watch TCP, UDP open ports in real time with socket summary. |
lsof -i | Show established connections. |
macchanger -m MACADDR INTR | Change MAC address on KALI Linux. |
ifconfig eth0 192.168.2.1/24 | Set IP address in Linux. |
ifconfig eth0:1 192.168.2.3/24 | Add IP address to existing network interface in Linux. |
ifconfig eth0 hw ether MACADDR | Change MAC address in Linux using ifconfig. |
ifconfig eth0 mtu 1500 | Change MTU size Linux using ifconfig, change 1500 to your desired MTU. |
dig -x 192.168.1.1 | Dig reverse lookup on an IP address. |
host 192.168.1.1 | Reverse lookup on an IP address, in case dig is not installed. |
dig @192.168.2.2 domain.com -t AXFR | Perform a DNS zone transfer using dig. |
host -l domain.com nameserver | Perform a DNS zone transfer using host. |
nbtstat -A x.x.x.x | Get hostname for IP address. |
ip addr add 192.168.2.22/24 dev eth0 | Adds a hidden IP address to Linux, does not show up when performing an ifconfig. |
tcpkill -9 host google.com | Blocks access to google.com from the host machine. |
echo '1' > /proc/sys/net/ipv4/ip_forward | Enables IP forwarding, turns Linux box into a router – handy for routing traffic through a box. |
echo '8.8.8.8' > /etc/resolv.conf | Use Google DNS. |
System Information Commands
Useful for local enumeration.
COMMAND | DESCRIPTION |
---|---|
whoami | Shows currently logged in user on Linux. |
id | Shows currently logged in user and groups for the user. |
last | Shows last logged in users. |
mount | Show mounted drives. |
df -h | Shows disk usage in human readable output. |
echo 'user:passwd' | chpasswd | Reset password in one line. |
getent passwd | List users on Linux. |
strings /usr/local/bin/blah | Shows printable strings in non-text files, e.g. what's in a binary. |
uname -ar | Shows running kernel version. |
PATH=$PATH:/my/new-path | Add a new PATH, handy for local FS manipulation. |
history | Show bash history, commands the user has entered previously. |
Redhat / CentOS / RPM Based Distros
COMMAND | DESCRIPTION |
---|---|
cat /etc/redhat-release | Shows Redhat / CentOS version number. |
rpm -qa | List all installed RPMs on an RPM based Linux distro. |
rpm -q --changelog openvpn | Check whether an installed RPM is patched against a CVE; grep the output for the CVE ID. |
YUM Commands
Package manager used by RPM-based systems, you can pull some useful information about installed packages and or install additional tools.
COMMAND | DESCRIPTION |
---|---|
yum update | Update all RPM packages with YUM, also shows what's out of date. |
yum update httpd | Update individual packages, in this example HTTPD (Apache). |
yum install package | Install a package using YUM. |
yum --exclude=package kernel* update | Exclude a package from being updated with YUM. |
yum remove package | Remove package with YUM. |
yum erase package | Remove package with YUM. |
yum list package | Lists info about yum package. |
yum provides httpd | Shows what a package provides, e.g. Apache HTTPD Server. |
yum info httpd | Shows package info, architecture, version etc. |
yum localinstall blah.rpm | Use YUM to install a local RPM, resolving dependencies from the repo. |
yum deplist package | Shows dependencies for a package. |
yum list installed | more | List all installed packages. |
yum grouplist | more | Show all YUM groups. |
yum groupinstall 'Development Tools' | Install YUM group. |
Debian / Ubuntu / .deb Based Distros
COMMAND | DESCRIPTION |
---|---|
cat /etc/debian_version | Shows Debian version number. |
cat /etc/*-release | Shows Ubuntu version number. |
dpkg -l | List all installed packages on Debian / .deb based Linux distro. |
Linux User Management
COMMAND | DESCRIPTION |
---|---|
useradd new-user | Creates a new Linux user. |
passwd username | Reset Linux user password, enter just passwd if you are root. |
deluser username | Remove a Linux user. |
Linux Decompression Commands
How to extract various archives (tar, zip, gzip, bzip2 etc) on Linux and some other tricks for searching inside of archives etc.
COMMAND | DESCRIPTION |
---|---|
unzip archive.zip | Extracts zip file on Linux. |
zipgrep *.txt archive.zip | Search inside a .zip archive. |
tar xf archive.tar | Extract tar file Linux. |
tar xvzf archive.tar.gz | Extract a tar.gz file Linux. |
tar xjf archive.tar.bz2 | Extract a tar.bz2 file Linux. |
tar ztvf file.tar.gz | grep blah | Search inside a tar.gz file. |
gzip -d archive.gz | Extract a gzip file Linux. |
zcat archive.gz | Read a gz file Linux without decompressing. |
zless archive.gz | Same function as the less command for .gz archives. |
zgrep 'blah' /var/log/maillog*.gz | Search inside .gz archives on Linux, search inside of compressed log files. |
vim file.txt.gz | Use vim to read .txt.gz files (my personal favorite). |
upx -9 -o output.exe input.exe | UPX compress .exe file Linux. |
Linux Compression Commands
COMMAND | DESCRIPTION |
---|---|
zip -r file.zip /dir/* | Creates a .zip file on Linux. |
tar cf archive.tar files | Creates a tar file on Linux. |
tar czf archive.tar.gz files | Creates a tar.gz file on Linux. |
tar cjf archive.tar.bz2 files | Creates a tar.bz2 file on Linux. |
gzip file | Creates a file.gz file on Linux. |
Linux File Commands
COMMAND | DESCRIPTION |
---|---|
df -h blah | Display size of file / dir Linux. |
diff file1 file2 | Compare / Show differences between two files on Linux. |
md5sum file | Generate MD5SUM Linux. |
md5sum -c blah.iso.md5 | Check file against MD5SUM on Linux, assuming both file and .md5 are in the same dir. |
file blah | Find out the type of file on Linux, also displays if file is 32 or 64 bit. |
dos2unix | Convert Windows line endings to Unix / Linux. |
base64 < input-file > output-file | Base64 encodes input file and outputs a Base64 encoded file called output-file. |
base64 -d < input-file > output-file | Base64 decodes input file and outputs a Base64 decoded file called output-file. |
touch -r ref-file new-file | Creates a new file using the timestamp data from the reference file, drop the -r to simply create a file. |
rm -rf | Remove files and directories without prompting for confirmation. |
Samba Commands
Connect to a Samba share from Linux.
Breaking Out of Limited Shells
Credit to G0tmi1k for these (or wherever he stole them from!).
The Python trick:
Misc Commands
COMMAND | DESCRIPTION |
---|---|
init 6 | Reboot Linux from the command line. |
gcc -o output.c input.c | Compile C code. |
gcc -m32 -o output.c input.c | Cross compile C code, compile 32 bit binary on 64 bit Linux. |
unset HISTFILE | Disable bash history logging for the current session (HISTFILE is the variable bash writes history to). |
rdesktop X.X.X.X | Connect to RDP server from Linux. |
kill -9 $$ | Kill current session. |
chown user:group blah | Change owner of file or dir. |
chown -R user:group blah | Change owner of file or dir and all underlying files / dirs – recursive chown. |
chmod 600 file | Change file / dir permissions, see [Linux File System Permissions](#linux-file-system-permissions) for details. |
Clear bash history:
Linux File System Permissions
VALUE | MEANING |
---|---|
777 | rwxrwxrwx No restriction, global rwx: any user can do anything. |
755 | rwxr-xr-x Owner has full access, others can read and execute the file. |
700 | rwx------ Owner has full access, no one else has access. |
666 | rw-rw-rw- All users can read and write but not execute. |
644 | rw-r--r-- Owner can read and write, everyone else can read. |
600 | rw------- Owner can read and write, everyone else has no access. |
Penetration Testing Cheat Sheet for Linux File System
DIRECTORY | DESCRIPTION |
---|---|
/ | / also known as "slash" or the root. |
/bin | Common programs, shared by the system, the system administrator and the users. |
/boot | Boot files, boot loader (grub), kernels, vmlinuz |
/dev | Contains references to system devices, files with special properties. |
/etc | Important system config files. |
/home | Home directories for system users. |
/lib | Library files, includes files for all kinds of programs needed by the system and the users. |
/lost+found | Files that were saved during failures are here. |
/mnt | Standard mount point for external file systems. |
/media | Mount point for external file systems (on some distros). |
/net | Standard mount point for entire remote file systems – nfs. |
/opt | Typically contains extra and third party software. |
/proc | A virtual file system containing information about system resources. |
/root | root user's home dir. |
/sbin | Programs for use by the system and the system administrator. |
/tmp | Temporary space for use by the system, cleaned upon reboot. |
/usr | Programs, libraries, documentation etc. for all user-related programs. |
/var | Storage for all variable files and temporary files created by users, such as log files, mail queue, print spooler, web server and database data etc. |
Linux Interesting Files / Dirs
Places that are worth a look if you are attempting to privilege escalate / perform post exploitation.
DIRECTORY | DESCRIPTION |
---|---|
/etc/passwd | Contains local Linux users. |
/etc/shadow | Contains local account password hashes. |
/etc/group | Contains local account groups. |
/etc/init.d/ | Contains service init scripts – worth a look to see what's installed. |
/etc/hostname | System hostname. |
/etc/network/interfaces | Network interfaces. |
/etc/resolv.conf | System DNS servers. |
/etc/profile | System environment variables. |
~/.ssh/ | SSH keys. |
~/.bash_history | User's bash history log. |
/var/log/ | Linux system log files are typically stored here. |
/var/adm/ | UNIX system log files are typically stored here. |
/var/log/apache2/access.log /var/log/httpd/access.log | Apache access log file typical path. |
/etc/fstab | File system mounts. |