Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Cmd Hijack - a command/argument confusion with path traversal in cmd.exe

Julian Horoszkiewicz, posted 5 years ago
  • cmd.exe is the Windows command shell, the counterpart of bash on Linux. A common (and hard to secure) pattern is to build a cmd command line that includes user-supplied input, run it, and use the result.
  • In theory, escaping every shell metacharacter (in bash that would be $, `, ; and others; in cmd.exe things like &, |, <, > and ^) makes this safe. This article shows a bypass that needs none of them!
  • The running example is ping with a user-supplied IP address as the host to ping, so the normal command line looks like this: cmd.exe /c "ping 127.0.0.1".
  • This is where the bypass comes in: by confusing cmd.exe's own parsing, the argument can be made to run a different program. Here is the example that opens the calculator: cmd.exe /c "ping 127.0.0.1/../../../../../../../../../../windows/system32/calc.exe". YES! Even though ping is the specified command, this opens a calculator! The core of it: when the text after /c is wrapped in a single pair of quotes, cmd.exe first checks whether that entire quoted string, spaces included, is the name of an executable file. Windows path normalization resolves the .. components lexically, without checking that a directory called "ping 127.0.0.1" exists, so the string resolves to C:\windows\system32\calc.exe and that is what gets executed.
  • The rest of the article explains why cmd.exe behaves this way and walks through how the behaviour was found while reverse engineering cmd.exe.
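An added example (my own code, not from the article above) that models the two points in the summary: why caret-escaping does nothing against this payload, why the quoted string normalizes to calc.exe, and what the safe alternative looks like. The payload string is the one quoted in the article; the working directory C:\inetpub\app, the caret-escaping routine and the use of Python's ntpath to stand in for Windows path normalization are my assumptions for illustration, not cmd.exe's own code.

```python
import ipaddress
import ntpath
import os
import subprocess
from typing import List

# Payload from the article (constructed here as the post gives it).
PAYLOAD = "127.0.0.1/../../../../../../../../../../windows/system32/calc.exe"

# Classic cmd.exe metacharacters that escaping routines usually target (illustrative set).
CMD_META = set('&|<>^()"')


def naive_command_line(user_input: str) -> str:
    """The vulnerable pattern: user input dropped into a cmd.exe /c string."""
    return f'cmd.exe /c "ping {user_input}"'


def caret_escape(s: str) -> str:
    """Textbook mitigation: prefix metacharacters with ^. It leaves the payload
    untouched, because '/', '.', digits and letters are not metacharacters."""
    return "".join("^" + c if c in CMD_META else c for c in s)


def cmd_resolves_quoted_string_to(quoted: str, cwd: str = r"C:\inetpub\app") -> str:
    """Model (assumption: ntpath mimics Windows normalization) of the check that
    makes the hijack work: cmd.exe asks whether the whole quoted string, spaces
    included, names an executable file. '..' is collapsed lexically, so the
    non-existent 'ping 127.0.0.1' component is stepped over and surplus '..'
    are clamped at the drive root; the result is a real path to calc.exe."""
    return ntpath.normpath(ntpath.join(cwd, quoted))


def safe_ping_argv(user_input: str, count: int = 1) -> List[str]:
    """Hardened form: strict allowlist validation (ipaddress accepts exactly one
    IPv4/IPv6 address and nothing else), then a literal argv with no shell."""
    addr = ipaddress.ip_address(user_input.strip())  # ValueError on the payload
    count_flag = "-n" if os.name == "nt" else "-c"    # Windows vs POSIX ping
    return ["ping", count_flag, str(count), str(addr)]


def is_rejected(user_input: str) -> bool:
    """True when the validator refuses the input."""
    try:
        safe_ping_argv(user_input)
    except ValueError:
        return True
    return False


def run_ping(user_input: str) -> subprocess.CompletedProcess:
    # shell=False and a list: cmd.exe never sees the argument, so its quote
    # handling and the path-traversal check above never come into play.
    return subprocess.run(safe_ping_argv(user_input), capture_output=True, text=True)


if __name__ == "__main__":
    line = naive_command_line(caret_escape(PAYLOAD))
    print(line)                                       # escaping changed nothing
    quoted = line.split('"', 1)[1].rstrip('"')        # what cmd.exe sees inside the quotes
    print(cmd_resolves_quoted_string_to(quoted))      # C:\windows\system32\calc.exe
    print("payload rejected:", is_rejected(PAYLOAD))  # True
    print(safe_ping_argv("127.0.0.1"))
```

The fix worth remembering is not a better escaper: keep cmd.exe out of the loop entirely by passing an argv list, and validate the value against the type you expect (an IP address) rather than against a blocklist of characters.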