maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update command-injection.md

Browse Source
This commit is contained in:
SirBroccoli 2025-10-04 11:06:35 +02:00 committed by GitHub
parent 1ccf400176
commit 5b9ec7fcd6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 1 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/pentesting-web/command-injection.md
View File

@ -189,13 +189,6 @@ topicurl=<handler>&param=-n
topicurl=setEasyMeshAgentCfg&agentName=;id; topicurl=setEasyMeshAgentCfg&agentName=;id;
``` ```
Hardening and detection:
- Reject inputs that start with `-` and enforce strict allowlists and types (IP, MAC, SSID, etc.).
- Always pass user data after a literal `--` where supported and never allow extra flags from user-controlled fields.
- Prefer safe APIs (no shell); for wrappers, construct fixed argv templates with no user-controlled flags.
- Look for unauthenticated hits to centralized CGI endpoints (e.g., `/cgi-bin/cstecgi.cgi`) with selector parameters and values beginning with `-`.
## Brute-Force Detection List ## Brute-Force Detection List