From 84da5673a841c381f41c41bf207cd02ac6a8a697 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 10 Jun 2026 15:44:38 +0000 Subject: [PATCH] =?UTF-8?q?Add=20content=20from:=20More=20Evidence=20That?= =?UTF-8?q?=20Words=20Don=E2=80=99t=20Mean=20What=20We=20Thought=20They=20?= =?UTF-8?q?Mea...?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/pentesting-web/command-injection.md | 47 +++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/src/pentesting-web/command-injection.md b/src/pentesting-web/command-injection.md index 41a11880d6a..307c7dfbc4a 100644 --- a/src/pentesting-web/command-injection.md +++ b/src/pentesting-web/command-injection.md 
@@ -94,6 +94,50 @@ Notes: - Look for the same helper under other prefixes (e.g., `/mifs/c/aftstore/fob/`). - Arithmetic contexts treat unknown tokens as variable/array identifiers, so this bypasses simple metacharacter filters. +### Exposed configuration command parsers in appliance APIs + +Some appliances expose an **internal configuration bus** over HTTP. If a controller accepts one raw string and forwards it into a privileged parser that tokenizes data into fields like `command`, `module`, `xpath`, and `value`, treat it as a **command DSL** rather than as a normal form parameter. A dangerous shape is: + +- unauthenticated route → `handleMessage(message)` +- tokenization with `StringTokenizer` / `split()` into control fields +- support for privileged verbs such as `execute`, `test`, `import`, `export` +- attacker-controlled `xpath`/XML objects reaching a native or reflection-backed bridge + +### Hunting workflow + +1. **Patch-diff WAR/JAR files** and prioritize changed controllers and service handlers. +2. **Rebuild the full route** from the container context plus framework mappings (for example `/mics` + controller path + method path). +3. **List accepted verbs** and follow the one that maps to execution (`EXECUTE`, `RUN`, `TEST`, etc.). +4. If the patch replaces user input with a **hardcoded internal command**, reuse that constant as the payload template against the vulnerable build. + +### Real-world payload shape + +In Ivanti Sentry / MobileIron Sentry, the vulnerable `message` parameter was parsed into `command module xpath value` and the `execute` verb routed into an XML-backed native execution path. 
A minimal probe looked like: + +```http +POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1 +Content-Type: application/x-www-form-urlencoded + +message=execute system /configuration/system/commandexec 1uname -a +``` + +Why this shape matters: + +- `execute` selects the execution branch +- `system` selects the module handler +- `/configuration/system/commandexec` resolves the XML object +- `` carries the OS command +- successful exploitation returns command output inside the JSON/XML response wrapper + +### Patch-introduced constants can document the exploit grammar + +A useful reversing trick is to inspect the **patched** controller and look for newly hardcoded constants. If the fix stops trusting `message` and instead sends a fixed internal command such as `/bin/cat /sys/devices/virtual/dmi/id/product_name`, the constant often reveals the exact grammar expected by the vulnerable parser. In practice, replacing only the final command is often enough to build a working probe. + +### Quick triage ideas + +- Compare vulnerable vs patched behavior on the same route: old builds may return command output in JSON, while fixed builds often return a redirect (`302`) or a generic auth failure because the vendor added an Apache/front-end auth gate. +- When reviewing code, treat reflection helpers such as `executeNativeCommand()` or `excuteModuleMethod()` as **privilege bridges**: HTTP input may not call `/bin/sh` directly, but it can still reach native module methods that do. + ### Parameters Here are the top 25 parameters that could be vulnerable to code injection and similar RCE vulnerabilities (from [link](https://twitter.com/trbughunters/status/1283133356922884096)): 
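Review bot: In the "Why this shape matters" list the fourth bullet reads "`` carries the OS command" with an empty code span, so the token it names (most likely an angle-bracket placeholder that markdown swallowed as an HTML tag) never reaches the reader, and the probe's fourth token `1uname -a` is left unexplained even though the text says the grammar is `command module xpath value`. Escape the placeholder (`\<...\>` or `&lt;...&gt;`) or name the field in plain words so the four bullets line up with the four tokens in the sample. Two smaller points in the same hunk: the `http` sample omits the `Host:` header that an HTTP/1.1 request requires, and `excuteModuleMethod()` should carry a short "sic" remark if that is the vendor's own spelling, otherwise it reads as a typo and the next editor will "correct" it.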
@@ -287,5 +331,8 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject - [HTB: Gavel](https://0xdf.gitlab.io/2026/03/14/htb-gavel.html) - [CVE-2023-27350.py (auth bypass + print scripting automation)](https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py) - [Unit 42 – Bash arithmetic expansion RCE in Ivanti RewriteMap scripts](https://unit42.paloaltonetworks.com/ivanti-cve-2026-1281-cve-2026-1340/) +- [watchTowr Labs – Ivanti Sentry pre-auth OS command injection (CVE-2026-10520)](https://labs.watchtowr.com/more-evidence-that-words-dont-mean-what-we-thought-they-meant-ivanti-sentry-pre-auth-os-command-injection-cve-2026-10520/) +- [Ivanti Security Advisory – Ivanti Sentry CVE-2026-10520 / CVE-2026-10523](https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US) +- [watchTowr Detection Artefact Generator – Ivanti Sentry RCE / Auth Bypass](https://github.com/watchtowrlabs/watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523) {{#include ../banners/hacktricks-training.md}}
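Review bot: The three new references carry the CVE ids (CVE-2026-10520 and CVE-2026-10523) and a detection artefact generator, but the section added in the previous hunk never names either CVE, so a reader cannot tie the "Ivanti Sentry / MobileIron Sentry" example to the advisory or tell which of the two ids the `302`/auth-gate behaviour in "Quick triage ideas" belongs to. Add the ids inline where Sentry is first mentioned and have the triage bullets point defenders at the watchTowr artefact generator for checking their own instances; the reference entries themselves already follow the existing `[Vendor – title](url)` style, so no change is needed in this hunk.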