Command injection is the abuse of an application's behaviour to execute commands on the operating system. The web server processes the injected input and executes the resulting command with the privileges and access controls of the user account the application runs under (typically the web server's own user).
Command injection is also often known as Remote Code Execution (RCE), because it lets an attacker execute code remotely within the application. These vulnerabilities are often the most lucrative for an attacker because they allow direct interaction with the system: reading files, data, etc.
Severity of Command Injection
- One of the top ten vulnerabilities reported in Contrast Security's 2019 AppSec Intelligence Report
- the OWASP framework consistently lists vulnerabilities of this nature among the top ten vulnerabilities of a web application
Detecting Command Injection
Programming languages often allow making system calls on the OS, e.g. taking input from a form and searching for an entry in a file:

```php
<?php
$songs = "/var/www/html/songs";
if (isset($_GET["title"])) {
    $title = $_GET["title"];
    // user input is concatenated straight into a shell command: this is the injection point
    $command = "grep $title /var/www/html/songtitle.txt";
    // the system call was missing from the notes; exec() is assumed here (it returns the last output line)
    $search = exec($command);
    if ($search == "") {
        $return = "<p>The requested song</p><p> $title does </p><b>not</b><p> exist!</p>";
    } else {
        $return = "<p>The requested song</p><p> $title does </p><b>exist!</b>";
    }
    echo $return;
}
?>
```
> [!tip] It's just an example
> The content of `songtitle.txt` would typically be kept in the DB.
Applications that use user input to populate system commands can often be made to behave in unintended ways, e.g. with the shell operators `;`, `&` and `&&` we can chain system commands so that all of them are executed.
Command Injection can be detected in one of two ways:
- Blind command injection
  - no direct output from the application when testing payloads
  - we need to investigate the app behaviour to determine if the payload was successful
- Verbose command injection
  - we get direct feedback from the app once we have tested a payload, e.g. by submitting a `whoami` command as the payload
Detecting Blind Command Injection
Blind command injection is when command injection occurs; however, there is no output visible, so it is not immediately noticeable.
For this type of command injection, we may need to use payloads that cause a time delay. For example, the `ping` and `sleep` commands are useful payloads to test with. Using `ping` as an example, the application will hang for a number of seconds proportional to how many pings you have specified.
Another method of detecting blind command injection is by forcing some output. This can be done by using redirection operators such as `>`, e.g., we can tell the web application to execute a command such as `whoami` and redirect its output to a file. We can then use a command such as `cat` to read this newly created file's contents.
The `curl` command is a great way to test for Command Injection, because we can use it to deliver data to and from an application in the payload:

```sh
# the "?" and "=" must stay literal so the server parses the query string; only the
# payload characters (space, ";") are percent-encoded
$ curl "http://vulnerable.app/process.php?search=The%20Beatles%3B%20whoami"
```
Detecting Verbose Command Injection
Verbose command injection is when the application gives you feedback or output as to what is happening or being executed, e.g., the output of commands such as `ping` or `whoami` is directly displayed on the web application.
Useful payloads
Linux
- `whoami`
- `ls` - we may be able to find files such as configuration files, environment files (tokens and application keys), and many more valuable things
- `ping` - it will cause the application to hang
- `sleep` - it will cause the application to hang, useful if the machine does not have `ping` installed
- `nc` - netcat can be used to spawn a reverse shell onto the vulnerable application. You can use this foothold to navigate around the target machine for other services, files, or potential means of escalating privileges
Windows
- `whoami`
- `dir`
- `ping`
- `timeout` - similarly to Linux's `sleep`, it's useful if the attacked machine does not have `ping` installed
Preventing Command Injection
- Don't use vulnerable functions, like PHP's `exec`, `passthru`, `system`
- Filter and sanitise inputs by specifying formats or types of data that users can submit
  - removing special characters from the input content (`>`, `&`, `/`)
  - using `<input pattern="[0-9]+" />` (note that an HTML `pattern` is only enforced in the browser and is trivially bypassed, so the same check must be repeated server-side)
  - using PHP's `filter_input`
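To make the prevention points concrete, here is a hardened rewrite of the song lookup above. This is an added example, not code from the original notes: it allow-lists the title server-side, drops the shell entirely in favour of reading the file in PHP, shows `escapeshellarg` for the case where a shell call really is unavoidable, and escapes the output. The file path and function names are assumptions.

```php
<?php
// Added example (not from the original notes): a hardened version of the song lookup.
// Assumptions: the song list lives at SONG_FILE, one title per line.

const SONG_FILE = "/var/www/html/songtitle.txt";

// Allow-list validation: letters, digits, spaces and a few punctuation marks only.
// Anything containing shell metacharacters (; & | > $ ` etc.) is rejected outright.
function validate_title(string $title): ?string {
    if (!preg_match('/^[A-Za-z0-9 ,.\'-]{1,100}$/', $title)) {
        return null;
    }
    return $title;
}

// Search without a shell: read the file in PHP instead of calling grep.
function song_exists(string $title, string $file): bool {
    if (!is_readable($file)) {
        return false;
    }
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        if (stripos($line, $title) !== false) {
            return true;
        }
    }
    return false;
}

// If a shell command cannot be avoided, quote every argument so it is passed as one
// literal word, use -F (fixed string) and -- so the title can never be read as an option:
//   $out = shell_exec("grep -F -- " . escapeshellarg($title) . " " . escapeshellarg(SONG_FILE));
// escapeshellarg is defence in depth, not a substitute for the validation above.

if (isset($_GET["title"])) {
    $title = validate_title((string) $_GET["title"]);
    if ($title === null) {
        http_response_code(400);
        echo "<p>Invalid song title.</p>";
    } else {
        $safe = htmlspecialchars($title, ENT_QUOTES, 'UTF-8'); // no reflected XSS in the echo
        $found = song_exists($title, SONG_FILE);
        echo $found ? "<p>The requested song $safe exists!</p>"
                    : "<p>The requested song $safe does not exist!</p>";
    }
}
```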
Bypassing filters
We can abuse the logic behind an application to bypass filters, e.g. an application may strip out quotation marks, but we can instead use the hexadecimal values of the characters to achieve the same result:

```php
// the string is built from hex escapes, so the filtered characters never appear literally in the input
$payload = "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
```