Command Execution 01 – Commands injection
Command injection can be used to run arbitrary commands on a server. Multiple payloads can trigger this behaviour. For example, let's say that the initial command is:

    ping [parameter]

Where [parameter] is the value you provided in the form or in the URL.
If you look at how the command line works, you will find that there are multiple ways to add more commands:
- command1 && command2 that will run command2 if command1 succeeds.
- command1 || command2 that will run command2 if command1 fails.
- command1 ; command2 that will run command1 then command2.
- command1 | command2 that will run command1 and send the output of command1 to command2.
- …
In this application, we can provide a parameter to command1, but there is no command2. What we are going to do is add our own command. Instead of sending the [parameter] to the command:

    ping 127.0.0.1

Where 127.0.0.1 is our [parameter]. We are going to send a malicious [parameter] that will contain another command:

    ping 127.0.0.1 ; cat /etc/passwd

The application will think that 127.0.0.1 ; cat /etc/passwd is just a parameter to run command1. But we actually injected command2: cat /etc/passwd.
Now, what we want to do is run the command to score: /usr/local/bin/score [uuid]. We can just use the line above to run this command instead of cat /etc/passwd.
Command Execution 02
In this example, the coder blocked a few special characters but forgot to block
We inject the command inside the pair `command`

    https://ptl-c1f74100-1af698dc.libcurl.st/?ip=`/usr/local/bin/score%2078a02cad-6b9e-4f38-8b26-2176490366c0`

Command Execution 03
In this challenge, the developer fixed the issue from the previous one and filtered even more special characters.
However, the developer forgot that you can use $(command) to run a command.

    https://ptl-ad8549f0-5e3028b7.libcurl.st/?ip=$(/usr/local/bin/score%2078a02cad-6b9e-4f38-8b26-2176490366c0)
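
All three challenges fail for the same reason: a character denylist in front of a shell. The following is an added example, not code from the challenges or from this write-up; it contrasts that style of filter with an allowlist that accepts only a literal IP address and builds an argv list. The names `DENYLIST`, `denylist_ok`, `ping_argv` and `check` are hypothetical, the denylist contents are assumed (the page does not list the real characters), and `[uuid]` is a placeholder.

```python
import ipaddress

# Assumed denylist standing in for the challenges' filters
# (the real blocked characters are not given on the page).
DENYLIST = set(";&|")


def denylist_ok(value):
    """Filter in the style the challenges describe: reject known-bad characters."""
    return not (set(value) & DENYLIST)


def ping_argv(value):
    """Allowlist: accept only a literal IPv4/IPv6 address, then build an argv list.

    The list is meant for subprocess.run(argv) with the default shell=False,
    so no shell parses the value and ; | && `...` $(...) carry no meaning.
    """
    addr = ipaddress.ip_address(value.strip())  # raises ValueError on anything else
    return ["ping", "-c", "1", str(addr)]


def check(value):
    """Return (passes_denylist, argv or None if the allowlist rejects the value)."""
    try:
        return denylist_ok(value), ping_argv(value)
    except ValueError:
        return denylist_ok(value), None


# Constructed inputs mirroring the three payload shapes shown on this page.
SAMPLES = [
    "127.0.0.1",
    "127.0.0.1 ; cat /etc/passwd",
    "`/usr/local/bin/score [uuid]`",
    "$(/usr/local/bin/score [uuid])",
]

if __name__ == "__main__":
    for s in SAMPLES:
        passed, argv = check(s)
        print(f"{s!r:40} denylist_pass={passed!s:5} argv={argv}")
```

The backtick and `$(...)` inputs pass the denylist but are rejected by the allowlist, which is why validating against the expected format and avoiding the shell is the fix rather than blocking more characters.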