Command Injection Vulnerabilities
Introduction:
In the previous articles, we discussed what Command Injection vulnerabilities are and what causes command injection vulnerabilities. This article provides an overview of how command injection vulnerabilities can be identified and exploited using some automated tools. We will then discuss why we should not always rely on automated tools to identify command injection vulnerabilities.
Learn Secure Coding Fundamentals
What is command injection?
As already mentioned in earlier articles, Command injection is a type of web vulnerability that allows attackers to execute arbitrary Operating System commands on the server, where the application is running. Command Injection vulnerabilities occur when the applications make use of shell commands or scripts that execute shell commands in the background.
In the next few sections, let us discuss how command injection vulnerabilities can be discovered by automated web vulnerability scanners and why manual intervention is required in some cases.
Automated scanners for finding command injection vulnerabilities
Let us consider the following code snippet, which is vulnerable to command injection.
$cmd=$_GET['cmd'];
system($cmd);
?>
This vulnerability can be simply exploited by passing arbitrary commands via the parameter cmd as shown below.
Now, let us scan this URL using OWASP ZAP and observe if the command injection vulnerability can be identified. Let us enter the URL to be scanned and click Attack.
After the scan finishes, we should see the following alerts, where Remote OS Command Injection vulnerability can be seen.
Clicking on the reported vulnerability shows the details such as Risk, parameter and the payload used to confirm the vulnerability.
Learn Secure Coding
The following excerpts show the request and response provided by OWASP ZAP, which can be used to understand how the vulnerability was discovered. Following is the request sent by OWASP ZAP.
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0
Host: 192.168.1.90
As highlighted, a payload with OS command tet&cat+/etc/passwd& has been sent and the following response was received, which confirms that the application is vulnerable to OS command injection.
Date: Mon, 05 Oct 2020 12:02:59 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1639
Content-Type: text/html; charset=UTF-8
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
securestore:x:1000:1000:securestore,,,:/home/securestore:/bin/bash
Automated command injection exploitation using commix
Aside from standard web vulnerability scanners, there are tools which can specifically identify and exploit command injection vulnerabilities and it comes preinstalled with Kali Linux. Commix is one such tool, which can be used to identify and exploit command injection vulnerabilities in web applications. According to the GitHub documentation, “Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool written by Anastasios Stasinopoulos (@ancst) that can be used from web developers, penetration testers or even security researchers in order to test web-based applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.”
Let’s see Commix in action.
Run the following command to start with basic command injection.
Notice that we have replaced the value of the parameter “cmd” with “INJECT_HERE”. This is how Commix understands the target parameter to be tested. Now, Commix starts performing tests on this parameter and gives us an interactive shell as shown below if the application is exploitable.
As we can notice in the preceding figure, commix confirms with the following message that the application is injectable and it asks for user confirmation before giving us a pseudo-terminal shell.
Entering yes should give us an interactive shell, which can be used to run OS commands on the target web server.
Clearly, automated tools such as OWASP ZAP and Commix come handy when we want to discover and exploit command injection vulnerabilities. However, it should be noted that not every single command injection vulnerability can be spotted even by some powerful automated tools because of the manual interaction required by the application flow.
Let us consider the following example.
$input=$_GET['text'];
system("echo -n". $input." | base64");
?>
As we can see in the preceding excerpt, even though the code is vulnerable to command injection, the output is base64 encoded and then sent back to the user. It could be hard for automated tools to detect this vulnerability since the tool must be designed to verify the encoded text coming back in the HTTP response. Often, blind injection techniques have to be employed by the tools to detect such vulnerabilities. Let us check if OWASP ZAP or Commix can discover this vulnerability.
Following is the URL provided to ZAP. Click Attack to start the scan.
Following is the scan result from ZAP.
As we can notice, the OS command injection vulnerability is not identified by ZAP.
When scanned using commix, it has resulted in errors, when going through the blind injection scan and commix stopped with the following message.
Learn Secure Coding
Conclusion:
Command Injection vulnerabilities, just like any other vulnerabilities may or may not be identified by automated scanners and clearly manual testing can be helpful in identifying these issues. In the next few articles, we will discuss more command injection related concepts such as Blind command injection, exploiting and mitigating command injection vulnerabilities.
Sources:
Learn Secure Coding Fundamentals
Discover how to recognize common software mistakes, how those mistakes are exploited by attackers and how you can mitigate them. What you'll learn:- Buffer overflows
- SQL injections
- Credential management
- Mitigating with secure code
- And more
In this Series
- Command Injection Vulnerabilities
- Enhancing code security: Tools and techniques for safeguarding your code
- DevSecOps Tools of the trade
- Software dependencies: The silent killer behind the world's biggest attacks
- Software composition analysis and how it can protect your supply chain
- Only 20% of new developers receive secure coding training, says report
- Introduction to Secure Software Development Life Cycle
- How to control the flow of a program in x86 assembly
- Mitigating MFA bypass attacks: 5 tips for developers
- How to diagnose and locate segmentation faults in x86 assembly
- How to use the ObjDump tool with x86
- Debugging your first x86 program
- How to build a program and execute an application entirely built in x86 assembly
- Overview of common x86 instructions
- x86 basics: Data representation, memory and information storage
- What is x86 assembly?
- Introduction to x86 assembly and syntax
- Introduction to variables
- How to mitigate Race Conditions vulnerabilities
- How to avoid Cryptography errors
- Cryptography errors Exploitation Case Study
- How to exploit Cryptography errors in applications
- How to exploit race conditions
- Email-based attacks with Python: Phishing, email bombing and more
- Attacking Web Applications With Python: Recommended Tools
- Attacking Web Applications With Python: Exploiting Web Forms and Requests
- Attacking Web Applications With Python: Web Scraper Python
- Python for Network Penetration Testing: Best Practices and Evasion Techniques
- Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
- Python Language Basics: Variables, Lists, Loops, Functions and Conditionals
- How to Mitigate Poor HTTP Usage Vulnerabilities
- How to Exploit Poor HTTP Usage
- Introduction to HTTP (What Makes HTTP Vulnerabilities Possible)
- How to Mitigate Integer Overflow and Underflow Vulnerabilities
- How to exploit integer overflow and underflow
- Introduction to Parallel Processing
- What are Race Conditions?
- How Are Credentials Used In Applications?
- How To Exploit Least Privilege Vulnerabilities
- XSS Vulnerabilities Exploitation Case Study
- What is is integer overflow and underflow?
- SQL Injection Vulnerabilities Exploitation Case Study
- How to exploit improper error handling
- Improper Error Handling Exploitation Case Study
- Why Improper Error Handling Happens
- How to exploit CSRF Vulnerabilities
- How to mitigate CSRF Vulnerabilities
- What Causes Command Injection Vulnerabilities? (How are Data and Code Handled in Execution Environments)
- Command Injection Vulnerabilities Exploitation Case Study
- How to mitigate Command Injection Vulnerabilities
- How to exploit SQL Injection Vulnerabilities
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Secure coding