You can use BASH_FUNC_*%% to initialize an anonymous function from the value of the environment variable and give it a name. The following sample adds the myfunc function to the bash context:
GIT_CONFIG*: modern versions of Git support setting any config value via the GIT_CONFIG* environment variables.
LD_PRELOAD
LD_PRELOAD is an optional environment variable containing one or more paths to shared libraries (shared objects) that the loader will load before any other shared library, including the C runtime library libc.so.
In C on Linux, functions can be declared with attributes in the function definition. Two attributes are of interest here: constructor and destructor. A function with the constructor attribute runs before the program executes main(); for a shared object, this happens at load time. A function with the destructor attribute runs once main() has returned or exit() is called.
PERLLIB and PERL5LIB set a list of directories in which to look for Perl library files before looking in the standard library. If PERL5LIB is defined, PERLLIB is not used.
PERLLIB and PERL5LIB can be used to execute arbitrary commands if there is a way to write a malicious Perl module to the file system:
PYTHONWARNINGS is equivalent to specifying the -W option that is used for warning control. The full form of the argument is action:message:category:module:line.
Warning control triggers the import of an arbitrary Python module if the specified category contains a dot:
```python
# /Lib/warnings.py
# ...
def _getcategory(category):
    if not category:
        return Warning
    if '.' not in category:
        import builtins as m
        klass = category
    else:
        module, _, klass = category.rpartition('.')
        try:
            m = __import__(module, None, None, [klass])
        except ImportError:
            raise _OptionError("invalid module name: %r" % (module,)) from None
# ...
```
PYTHONWARNINGS can be used to execute arbitrary commands if there is a way to write a malicious Python module to the file system:
However, you can use the antigravity module from Python's standard library to run arbitrary commands. Running import antigravity immediately opens a browser to the xkcd comic that joked that import antigravity in Python would grant you the ability to fly. The antigravity module uses another standard library module, webbrowser, to open a browser. This module checks PATH for a large variety of browsers, including mosaic, opera, skipstone, konqueror, chrome, chromium, firefox, links, elinks and lynx. It also accepts an environment variable BROWSER that specifies which process should be executed. It is not possible to supply arguments to the process through the environment variable; the xkcd comic URL is the one hard-coded argument for the command:
```
$ <BROWSER> https://xkcd.com/353/
```
One way to execute arbitrary commands is to leverage Perl, which is commonly installed on systems and is even available in the standard Python docker image. However, the perl binary itself cannot be used, because its first and only argument is the xkcd comic URL. The comic URL argument causes an error and the process exits before the PERL5OPT environment variable is used.
Fortunately, when Perl is available it is also common to have the default Perl scripts available, such as perldoc and perlthanks. These scripts will also error and exit with an invalid argument, but the error in this case happens later than the processing of the PERL5OPT environment variable. This means it is possible to leverage the Perl environment variables to execute commands.
Using /proc/self/environ is only possible if the content is syntactically valid JavaScript. To do this, you need to be able to create an environment variable and make it appear first in the contents of /proc/self/environ.
Since the value of the first environment variable ends with a single-line comment //, any newlines in other environment variables will cause a syntax error. Using multiline comments /* will not solve the problem, as they must be closed to be syntactically valid. In such cases, it is necessary to overwrite the value of the variable that contains the newline character.
RUBYOPT can be used to execute arbitrary commands if there is a way to write a malicious Ruby library to the file system. The -r option causes Ruby to load the library using require, but this is limited to files with an extension of .rb or .so:
/etc/environment contains environment variables specifying the basic environment variables for new shells. However, it can be used by other programs. Every executed job in the Linux task scheduler (cron) imports this file, and if there is a job that is executed by a user (e.g. root), you can abuse /etc/environment to execute arbitrary code on behalf of that user. For example, you can use LD_PRELOAD to gain code execution.
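As an added example (not part of the original page), the following Python audit parses the NUL-separated content of a process's /proc/<pid>/environ and flags the variables discussed above, including the dotted PYTHONWARNINGS category and the RUBYOPT -r switch. The variable list, the reason strings and the sample environment are constructed here.

```python
# Added example, not from the original page: audit a process environment
# for the injection-prone variables discussed above. Input is the raw,
# NUL-separated content of /proc/<pid>/environ.

# Variables the page describes as code-execution vectors (list is ours).
DANGEROUS_EXACT = {
    "LD_PRELOAD": "preloads a shared object before libc",
    "PERLLIB": "prepends to the Perl library search path",
    "PERL5LIB": "prepends to the Perl library search path",
    "PERL5OPT": "injects Perl command-line switches",
    "PYTHONWARNINGS": "-W filter; a dotted category triggers an import",
    "BROWSER": "process launched by Python's webbrowser module",
    "RUBYOPT": "injects Ruby command-line switches",
}
# Prefix-matched families: exported Bash functions and Git config overrides.
DANGEROUS_PREFIX = ("BASH_FUNC_", "GIT_CONFIG")


def parse_environ(raw: bytes) -> dict:
    """Split /proc/<pid>/environ content into a name -> value mapping."""
    env = {}
    for entry in raw.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep:  # skips the empty trailing entry and malformed records
            env[name.decode(errors="replace")] = value.decode(errors="replace")
    return env


def audit_environ(raw: bytes) -> list:
    """Return (variable, reason) pairs for every suspicious variable."""
    findings = []
    for name, value in parse_environ(raw).items():
        if name in DANGEROUS_EXACT:
            reason = DANGEROUS_EXACT[name]
            if name == "PYTHONWARNINGS":
                # Filter format is action:message:category:module:line;
                # a dotted category makes warnings.py __import__ the module.
                for fields in (f.split(":") for f in value.split(",")):
                    if len(fields) >= 3 and "." in fields[2]:
                        reason = f"imports module {fields[2].rpartition('.')[0]!r}"
            elif name == "RUBYOPT" and any(t.startswith("-r") for t in value.split()):
                reason = "-r forces a library load at startup"
            findings.append((name, reason))
        elif name.startswith(DANGEROUS_PREFIX):
            findings.append((name, "exported Bash function or Git config override"))
    return findings


# Constructed sample: a benign PATH plus three injected variables.
SAMPLE = (b"PATH=/usr/bin\0LD_PRELOAD=/tmp/x.so\0"
          b"PYTHONWARNINGS=all:0:foo.bar:0:0\0BASH_FUNC_ls%%=() { :; }\0")

if __name__ == "__main__":
    for var, why in audit_environ(SAMPLE):
        print(f"{var}: {why}")
```

On a live system, feed it `open(f"/proc/{pid}/environ", "rb").read()` for each process of interest (root is needed to read other users' processes).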
Brace expansion is a mechanism by which arbitrary strings may be generated. Patterns to be brace expanded take the form of an optional preamble, followed by either a series of comma-separated strings or a sequence expression between a pair of braces, followed by an optional postscript. The preamble is prefixed to each string contained within the braces, and the postscript is then appended to each resulting string, expanding left to right. For instance:
Command substitution allows the output of a command to replace the command itself. Command substitution occurs when a command is enclosed as follows:
```
$(command)
`command`
```
Bash performs the expansion by executing the command in a subshell environment and replacing the command substitution with the standard output of the command.
There are several ways to work with encoded strings:
$'string' words:
Words of the form $'string' are treated specially. The word expands to string, with backslash-escaped characters replaced as specified by the ANSI C standard.
echo provides the -e option to interpret backslash escapes. Note that the recognized sequences depend on the echo implementation, and the -e option may not be present at all.
If you have parameter injection in a CLI command that has been passed sensitive parameters, such as tokens or passwords, you can try to leak the passed secret with ps x -w.
```
# you can inject arbitrary parameters to the <injection here> part
$ command --user username --token SECRET_TOKEN <injection here>
# send the vulnerable command to the background with &
# and catch the parameters with ps x -w
$ command --user username --token SECRET_TOKEN & ps x -w
  PID TTY      STAT   TIME COMMAND
 1337 ?        S      0:00 /usr/bin/command --user username --token SECRET_TOKEN
 1574 ?        R      0:00 ps x -w
```
This can be useful if the cli logs hide sensitive data or sensitive data is not stored in the environment (for instance, GitHub Actions provide variable interpolation ${{...}} for injecting secrets, and you can't give access to secrets during execution). Another case is when you have blind injection and can redirect the output of ps x -w to a file that you have access to.
List of commands
Combine the execution of multiple commands using the operators ;, &, &&, or ||, optionally terminated by one of ;, &, or a newline.
```
$ command1; command2
$ command1 & command2
$ command1 && command2
$ command1 || command2  # command2 runs only if command1 fails
$ command1
command2
```
Moreover, you can use pipelines for the same purposes:
The basic form of parameter expansion is ${parameter}; the value of the parameter is substituted:
```
$ a="es"; echo "t${a}t"
```
More complex forms of parameter expansions allow you to perform various operations. For instance, you can extract substrings and use them to create payloads:
Bash automatically assigns default values to many variables, such as HOME or PATH. Some of these variables can be used to create payloads. For instance, you can use the IFS variable as a separator (this works because IFS contains the list of characters that separate fields):
```
$ cat$IFS/etc/passwd
$ echo${IFS}"test"
```
Moreover, you can override IFS and use any character as a separator:
```
# using single quotes in command names
$ w'h'o'am'i
# using double quotes in command names
$ w"h"o"am"i
# using backslashes and slashes in command names
$ w\ho\am\i
$ /\b\i\n/////s\h
```
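As an added example (not part of the original page), the following Python normalizer undoes the quoting tricks just shown, the $'string' ANSI-C quoting from the encoded-strings section and the $IFS separator, so that a detection rule can match the intended command rather than its obfuscated spelling. It is a heuristic written for this page, not a shell parser: it does not track quote state, so a $ inside single quotes is still expanded.

```python
# Added example, not from the original page: normalise shell obfuscation
# (quotes, backslashes, $'...' escapes, $IFS, redundant slashes) for
# detection. Heuristic only; it does not implement full shell quoting rules.
import codecs
import re


def normalize_command(cmd: str) -> str:
    """Return the command line with the quoting tricks stripped."""
    out = []
    i, n = 0, len(cmd)
    while i < n:
        c = cmd[i]
        end = cmd.find("'", i + 2) if cmd.startswith("$'", i) else -1
        if end != -1:
            # $'...' ANSI-C quoting: decode \xNN, \n, \\ and friends
            out.append(codecs.decode(cmd[i + 2:end], "unicode_escape"))
            i = end + 1
        elif c in "'\"":
            i += 1                                   # drop plain quotes
        elif c == "\\" and i + 1 < n:
            out.append(cmd[i + 1])                   # \x -> x
            i += 2
        else:
            out.append(c)
            i += 1
    text = "".join(out)
    text = re.sub(r"\$\{IFS\}|\$IFS", " ", text)    # default IFS is whitespace
    text = re.sub(r"/{2,}", "/", text)              # /bin/////sh -> /bin/sh
    return re.sub(r"\s+", " ", text).strip()


if __name__ == "__main__":
    # Constructed inputs mirroring the obfuscation patterns on this page.
    for sample in ("w'h'o'am'i", "/\\b\\i\\n/////s\\h", "cat$IFS/etc/passwd"):
        print(f"{sample!r:28} -> {normalize_command(sample)!r}")
```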