COMMAND INJECTION

Command Injection is a vulnerability (Also known as Remote Code Execution(RCE)) where an attacker is able to execute commands through an application that will execute on a target machine on the operating system, using the privileges that the application is running with. For example, achieving command injection on a web server running as root will execute commands on the target with root privileges. Command Injection vulnerabilities are dangerous because they give an attacker the ability to directly interact with a vulnerable system, allowing the attacker to access sensitive data. 

Discovering Command Injections

The Command Injection vulnerability exists because applications use functions in programming languages to pass data to and to make system calls on the machines OS. For example, the below code takes data from a user in an input field named $title to search a directory for a song title.


  1. The application stores MP3 files in a directory contained on the OS.
  2. The user inputs the title they wise to search for and it's stored in the $title variable.
  3. The data within the $title variable is passed to the command grep to search a text file named songtitle.txt .
  4. The output of this search of songtitle.txt will inform the use whether this song exists or not. 
An attacker could instead abuse this application by injecting their own commands for the application to execute. Rather than using grep to search for a song title, they could try and read sensitive data. 

Discovering a Command Injection

Command injection can be detected in mostly one of two ways:
  • Blind Command Injection: There is no output from the application when testing payloads. An attacker will have to investigate the behaviours of an application to determine if a payload was successful.
  • Verbose Command injection: There is direct feedback from the application once a payload is tested.

Detecting Blind Command Injection
With Blind Command Injection, we cannot confirm a successful vulnerability by simply viewing the output from an application. Instead we can use the ping or sleep commands. For example, using ping , the application will hang for x seconds in relation to how many pings specified. 

Another method of detecting blind command injection is by forcing some output. This can be done by using redirection operators such as > . For example, we can execute whoami , redirect to a file and cat to read the contents of a file.

Testing command injection this way is often complex and requires experimentation, especially as Linux and Windows commands are different. 

The curl command can be used to test for command injection by using curl to deliver data to and from an application in a payload. For example, the below code snippet.
curl http://example.app/process.php%3Fsearch%3DThe%20Beatles%3B%20whoami .

Detecting Verbose Command Injection
Detecting Verbose Command Inject is potentially easier than detecting Blind Command Injection. Verbose Command Injection is when the application gives feedback or output as to what is happening or being executed. 


Useful Payloads for Linux:
  • whoami: See which user is running the application.
  • ls: Lists content of current directory.
  • ping: This command will invoke the application to hang.
  • sleep: This command will invoke the application to sleep, useful when the machine does not have sleep installed.
  • nc: Netcat can be used to spawn a reverse shell on the target machine.

Useful Payloads for Windows
  • whoami: See which user is running the application.
  • dir: Lists content of current directory.
  • ping: This command will invoke the application to hang.
  • timeout: This command will invoke the application to sleep, useful when the machine does not have sleep installed.

Remediating Command Injection

Command injection can be prevented in numerous ways. Everything from minimal use of potentially dangerous functions or libraries in programming languages, to filtering users input.

Vulnerable Functions
In PHP, many functions interact with the OS to execute commands via shell, these include:
  • exec() : Calling a system command
  • system() : Executing a system command and immediately displaying the output
  • passthru() : Executing a system command which we want the raw return form, normally binary.

This below snippet of PHP code only accepts input that is numerical:
  1. Only allows a specific pattern of characters (digits 0-9).
  2. The application will only then execute numerical data.


Input sanitisation
Input sanitisation is when an application specifies the formats or types of data a user can input. For example, an application may exclude certain file types or characters such as > , & and / .

The below code snippet uses the filter_input function to check whether any data submitted via an input form is a number or not. It must be a number to be considered valid input.




Bypassing Filters
One method of bypassing these filters is by using the hexadecimal values of the characters we wish to use as part of our payload. See here for examples.


Command Injection Practical

First we test the input box with an intended input (127.0.0.1) and we can see that the web server is responding with a ping to that IP adgress. We then append && whoami to create our payload. We are then shown which user is logged in to the machine.


Same command as above, but instead looking for flag.txt



Comments

Post a Comment

Popular posts from this blog

STARTUP

Image
  Startup is a TryHackMe room where there is a fictional new start up company called Spice Hut, their website is under development and they have some security concerns that they wish to test. I began by heading to the website and began manual enumeration of the site. The site had very minimal functionality, I checked the source code and found nothing of interest. There is a contact link, and I was hoping to be able to get an email address by following it, but it was empty. ' I then performed a Gobuster scan to look for any pages that I may be able to access. There is a page with the name files that is of particular interest.  Here I can see there is an FTP folder, upon opening it I can see that it is empty. I made a note of this as I may be able to upload files to it at a later stage, I then opened important.jpg which seemed to be of no particular interest, and notice.txt had the below text. I made a note of the name Maya, which could be a potential user or username in the future.
Read more

NMAP POST PORT SCANS

In this post we will talk about the steps that follow port-scanning, including service detection, OS detection, Nmap scripting engine and saving the scan results. Service Detection Once Nmap discovers open ports, they can be probed to detect running services and therefore for vulnerabilities. Adding the -sV option to an Nmap scan will collect and determine service and version information for the open ports. --version-intensity LEVEL will specify the intensity of the scan, with 0 being lowest and 9 being highest. Using -sV will force Nmap to use the TCP 3 way handshake. This is because Nmap needs to fully communicate with the target to get information and therefore cannot use the stealth scan -sS . NOTE : In order to run -sV we need root privileges.  OS Detection Nmap can detect the OS based on its behaviour and any telltale signs in its responses by using the -O option. Whilst the OS detection is very convenient, many factors affect its accuracy. In order to have an accurate
Read more

BURPSUITE IN-DEPTH

Image
NOTE: This post will be a much deeper and in-depth dive in to some of the functionality of Burp Suite. If you need a quicker overview, please visit my  Burp Suite Basics  post.  Repeater The repeater function of Burp Suite allows us to take a request captured by Proxy, edit it and send the same request repetitively. This makes repeater ideal for any manual poking around at an endpoint. Basic Usage: The repeater interface can be split in the 6 main sections. Refer to the image above: List of requests that are going through Repeater. Controls for the current request, these allow us to send/cancel a hanging request and go forwards/backwards in a request history. Request/Response view. Requests are edited in the Request view and Responses will show up in the Response view. Allows us to change the layout for the Request and Response view. The inspector allows us to break requests apart and analyse and edit them in a more intuitive way than the raw editor. The IP address or domain that is ou
Read more