Command Injection Vulnerabilities Exploitation Case Study
Introduction:
This article provides an overview of how command injection vulnerabilities can be identified and exploited. We will discuss two different types of Command injection vulnerabilities. The first being standard command injection with responses shown to the attacker and the second one being blind command injection. The standard Command Injection vulnerabilities with command output in response are easy to discover whereas Blind Command Injection vulnerabilities are slightly tricky and it's important to understand the techniques to discover and exploit them.
Learn Secure Coding
Exploiting Simple Command Injection
The following example shows a simple Command Injection vulnerability, where the web application gets user input and executes it as a command on the underlying operating system.
$cmd=$_GET['cmd'];
system($cmd);
?>
As we can notice from the preceding code snippet, the user input is passed to the php system() function, which is used to execute operating system commands in PHP.
Now, one can simply use the following URL with arbitrary commands to exploit this application.
Let us consider the following URL of an application, which performs base64 encoding of user input.
When the preceding URL is accessed, the application responds with the following output, confirming that commands can be executed on the underlying host.
Exploiting Command Injection by Terminating Existing Commands:
In the previous section, we discussed how to exploit a simple web application that receives commands from the user and executes them on the underlying host. In the real world, Command injection vulnerabilities may not always be found that easily. They often require completing the existing command and adding additional commands by using a command separator. Let us consider the following example.
// Get input
$target = $_REQUEST[ 'ip' ];
// Execute user input
$cmd = shell_exec( 'ping -c 4 ' . $target );
// Show the response back to the user
echo $cmd;
?>
As we can notice in the preceding code snippet, the application takes an IP address as input and appends it to ping -c 4 command on a Linux host. It then displays the output back to the user using the line echo $cmd.
The following URL shows how a user can use this application.
The user receives the following as the output.
--- 127.0.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3056ms rtt min/avg/max/mdev = 0.015/0.025/0.032/0.006 ms
As you can notice in the preceding excerpt, a ping command is executed against the supplied IP Address by the web application.
Learn Secure Coding
Let us try to replace the ip address with an OS command as follows.
It does not show any response as the application expects an IP Address to be able to execute ping command. In this case, the application executes the following, which does not produce any result.
This is where we can make use of command separators to complete ping command successfully and then execute user supplied commands. Following are some of the command separators we can use on UNIX based targets.
&&
|
||
;
Now, let us understand how one can use these command separators to exploit the command injection vulnerability in the code snippet shown earlier.
Following is the URL with updated command injection payload.
Notice how command separator " ;" is used between the two values supplied by the user.
--- 127.0.0.1 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3077ms rtt min/avg/max/mdev = 0.026/0.049/0.088/0.023 ms
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Notice the preceding excerpt and the user supplied command got executed, when supplied using a command separator. Following is the command formed when the preceding payload is supplied.
We are simply executing two different commands in one shell using a command separator. This is a legitimate way of executing multiple commands in UNIX based machines and thus the trick worked.
Exploiting Blind Command Injection:
Finding command injection vulnerabilities that show the command output in HTTP response is often easy. The problem arises when there is no output being shown in the HTTP Response, even when arbitrary commands are executed. This is called Blind Command Injection. Let us try to understand how we can exploit such vulnerabilities. Let us consider the following example.
// Get input
$target = $_REQUEST[ 'ip' ];
// Execute user input
$cmd = shell_exec( 'ping -c 4 ' . $target );
// Show the response back to the user
echo “Ping Completed”;
?>
The preceding code snippet only displays the message “Ping Completed” in every case and we will not get any command output in HTTP Response in this case.
Let us execute the following command.
Even though the command id is executed, the output of id command is not shown in the web page.
One of the first things we can do to confirm this type of Command Injection vulnerabilities is to execute a command that makes network interaction with the server.
Let us try to ping the attacker’s host using the following payload.
This looks as follows in the attacker’s browser.
If the above payload gets executed on the victim’s server, it will send 3 ICMP packets to the attacker’s server.
To confirm that, launch Wireshark on the attacker’s machine and filter the packets using the string icmp. This looks as follows.
As we can notice the ping command got executed on the target server and it confirms that the command execution is possible. Now, the next step is obviously to execute useful commands and see their output. We can use several techniques to get the output of the commands. Let us consider the following payload.
This payload adds the content of /etc/passwd file to out.txt file.
We can access the output by accessing the out.txt file, which is saved in the webroot.
It is also possible to exfiltrate data over the network directly without saving it to the disk. Let us consider the following payload.
When executed, it looks as follows.
If we notice the access logs, we should notice the data being exfiltrated as shown below.
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.1.91 - - [02/Oct/2020 10:19:15] code 404, message File not found
192.168.1.91 - - [02/Oct/2020 10:19:15] "GET /?data=docker HTTP/1.1" 200 -
Learn Secure Coding
Conclusion:
This article has provided a detailed overview of how command injection vulnerabilities can be exploited. We have seen techniques to exploit standard command injection as well as Blind Command Injection vulnerabilities.
Sources
- https://owasp.org/www-community/attacks/Command_Injection
- https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection
Learn Secure Coding
Get hands-on experience with common coding mistakes, how they can be exploited and possible mitigations. Learn secure coding in:- Android and iOS
- C/C++, Java, .NET and PHP
- And more
In this Series
- Command Injection Vulnerabilities Exploitation Case Study
- Enhancing code security: Tools and techniques for safeguarding your code
- DevSecOps Tools of the trade
- Software dependencies: The silent killer behind the world's biggest attacks
- Software composition analysis and how it can protect your supply chain
- Only 20% of new developers receive secure coding training, says report
- Introduction to Secure Software Development Life Cycle
- How to control the flow of a program in x86 assembly
- Mitigating MFA bypass attacks: 5 tips for developers
- How to diagnose and locate segmentation faults in x86 assembly
- How to use the ObjDump tool with x86
- Debugging your first x86 program
- How to build a program and execute an application entirely built in x86 assembly
- Overview of common x86 instructions
- x86 basics: Data representation, memory and information storage
- What is x86 assembly?
- Introduction to x86 assembly and syntax
- Introduction to variables
- How to mitigate Race Conditions vulnerabilities
- How to avoid Cryptography errors
- Cryptography errors Exploitation Case Study
- How to exploit Cryptography errors in applications
- How to exploit race conditions
- Email-based attacks with Python: Phishing, email bombing and more
- Attacking Web Applications With Python: Recommended Tools
- Attacking Web Applications With Python: Exploiting Web Forms and Requests
- Attacking Web Applications With Python: Web Scraper Python
- Python for Network Penetration Testing: Best Practices and Evasion Techniques
- Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
- Python Language Basics: Variables, Lists, Loops, Functions and Conditionals
- How to Mitigate Poor HTTP Usage Vulnerabilities
- How to Exploit Poor HTTP Usage
- Introduction to HTTP (What Makes HTTP Vulnerabilities Possible)
- How to Mitigate Integer Overflow and Underflow Vulnerabilities
- How to exploit integer overflow and underflow
- Introduction to Parallel Processing
- What are Race Conditions?
- How Are Credentials Used In Applications?
- How To Exploit Least Privilege Vulnerabilities
- XSS Vulnerabilities Exploitation Case Study
- What is is integer overflow and underflow?
- SQL Injection Vulnerabilities Exploitation Case Study
- How to exploit improper error handling
- Improper Error Handling Exploitation Case Study
- Why Improper Error Handling Happens
- How to exploit CSRF Vulnerabilities
- How to mitigate CSRF Vulnerabilities
- What Causes Command Injection Vulnerabilities? (How are Data and Code Handled in Execution Environments)
- Command Injection Vulnerabilities
- How to mitigate Command Injection Vulnerabilities
- How to exploit SQL Injection Vulnerabilities
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Secure coding