Command Execution

To check whether a command is executed by CMD or PowerShell:

(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell

Command injection

Command injection can be used to run arbitrary commands on a server.

Multiple payloads can be used to trigger this behaviour. For example, let’s say that the initial command is:

ping [parameter]

Where [parameter] is the value you provided in the form or in the URL.

If you look at how the command line works, you will find that there are multiple ways to add more commands:

  • command1 && command2 that will run command2 if command1 succeeds.

  • command1 || command2 that will run command2 if command1 fails.

  • command1 ; command2 that will run command1 then command2.

  • command1 | command2 that will run command1 and send the output of command1 to command2.

  • ...

In this application, we can provide a parameter to command1, but there is no command2. What we are going to do is add our own command.

Instead of sending the [parameter] to the command:

ping 127.0.0.1

Where 127.0.0.1 is our [parameter], we are going to send a malicious [parameter] that contains another command:

ping 127.0.0.1 ; cat /etc/passwd

The application will think that 127.0.0.1 ; cat /etc/passwd is just a parameter to run command1. But we actually injected command2: cat /etc/passwd.

Now, what we want to do is run the command to score: /usr/local/bin/score [uuid]. We can just use the line above to run this command instead of cat /etc/passwd.

The developer fixed the previous issue and has started filtering on some special characters.

However, the developer forgot that backticks (`command`) also run a command.

The developer fixed the previous issue and is now filtering on even more special characters.

However, the developer forgot that you can use $(command) to run a command.
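The three exercises above describe the same root cause from the defender's side: user input is concatenated into a string that a shell parses, so separators (`;`), backticks and `$()` are all interpreted as syntax rather than as data. The following Python is an added example, not code from the original page or the exercise application. It assumes the `ping [parameter]` command from the text and shows the vulnerable concatenation, the developer's separator blacklist (which lets backticks and `$()` through, exactly as the last two exercises describe), and the fix that removes the shell from the picture: allowlist validation of the parameter plus an argv list passed with `shell=False`.

```python
"""Command injection: the vulnerable pattern beside its hardened form.

Added example (not from the original page). It assumes the exercise's
`ping [parameter]` command and compares three ways of handling the
user-supplied parameter.
"""
import ipaddress
import re
import subprocess
from typing import List


def vulnerable_command(parameter: str) -> str:
    """The original pattern: user input concatenated into a shell string.

    Anything the shell treats specially (; && || | ` $( )) inside
    `parameter` becomes shell syntax instead of an argument to ping.
    """
    return f"ping -c 1 {parameter}"


# The developer's first fix: strip/reject the obvious command separators.
SEPARATORS = re.compile(r"[;&|]")


def blacklist_passes(parameter: str) -> bool:
    """Return True when the parameter contains none of ; & |.

    This is a blacklist. It says nothing about backtick or $() command
    substitution, which the shell still expands inside the string, so a
    parameter that passes here is not necessarily safe.
    """
    return SEPARATORS.search(parameter) is None


def validate_host(parameter: str) -> str:
    """Allowlist validation: accept only a syntactically valid IP literal.

    Raises ValueError for anything else, so no shell metacharacter,
    quote or whitespace can ever reach the command line.
    """
    try:
        return str(ipaddress.ip_address(parameter.strip()))
    except ValueError:
        raise ValueError(f"rejected ping target: {parameter!r}") from None


def is_accepted(parameter: str) -> bool:
    """Convenience wrapper: does the allowlist accept this parameter?"""
    try:
        validate_host(parameter)
        return True
    except ValueError:
        return False


def safe_argv(parameter: str) -> List[str]:
    """Build an argv list: the host is exactly one argument, never shell-parsed."""
    return ["ping", "-c", "1", validate_host(parameter)]


def run_ping(parameter: str) -> subprocess.CompletedProcess:
    """Execute with shell=False: argv goes straight to the OS, no shell involved."""
    return subprocess.run(
        safe_argv(parameter), capture_output=True, text=True, timeout=10
    )


if __name__ == "__main__":
    # Constructed sample parameters mirroring the three exercises.
    payloads = [
        "127.0.0.1",
        "127.0.0.1 ; cat /etc/passwd",
        "127.0.0.1 `id`",
        "127.0.0.1 $(id)",
    ]
    for p in payloads:
        print(f"{p!r:32} blacklist_passes={blacklist_passes(p)!s:5}", end=" ")
        try:
            print("argv =", safe_argv(p))
        except ValueError as exc:
            print(exc)
```

The important design choice is `safe_argv` plus `shell=False`: even if validation were imperfect, the parameter is delivered to `ping` as a single argv entry and no shell ever tokenises it. Validation is still worth keeping as defence in depth, and if hostnames rather than IP literals must be accepted, replace `ipaddress.ip_address` with an equally strict hostname pattern rather than widening a blacklist.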
