Command Injections

OS Command Injections

PHP Example

<?php
// Vulnerable: the filename parameter is concatenated into a shell command unsanitized
if (isset($_GET['filename'])) {
    system("touch /tmp/" . $_GET['filename'] . ".pdf");
}
?>

NodeJS Example

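const child_process = require("child_process");
// Vulnerable: req.query.filename is interpolated into a shell command line
app.get("/createfile", function (req, res) {
    child_process.exec(`touch /tmp/${req.query.filename}.txt`);
});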

Injecting Commands

21y4d@htb[/htb]$ ping -c 1 127.0.0.1; whoami

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=1.03 ms

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.034/1.034/1.034/0.000 ms
21y4d

AND Operator

OR Operator

Injection Type                            Operators
----------------------------------------  ------------------------------------
SQL Injection                             ' , ; -- /* */
Command Injection                         ; &&
LDAP Injection                            * ( ) & |
XPath Injection                           ' or and not substring concat count
OS Command Injection                      ; & |
Code Injection                            ' ; -- /* */ $() ${} #{} %{} ^
Directory Traversal/File Path Traversal   ../ ..\\ %00
Object Injection                          ; & |
XQuery Injection                          ' ; -- /* */
Shellcode Injection                       \x \u %u %n
Header Injection                          \n \r\n \t %0d %0a %09
