Command Injection Attacks : Web for Pentester

1
358
command injection

Hello friends how are you i hope you are doing good so here we are closing in on our this series i really hope that you have learned a lot or a little :p so if you did learned some thing do tell us by commenting and sharing. Here are other sections MySql Injection , Directory Traversal , File Include Attacks , Unrestricted File Upload , XML External Entity (XXE) , LDAP Attacks

Command injection

Command injection comes from a lack of filtering and encoding of information used as part of a command. The simplest example comes from using the function system (to run commands) and take an HTTP parameter as an argument of this command.

There are many ways to exploit a command injection:

  • By injecting the command inside backticks, for example `id`
  • By redirecting the result of the first command into the second | id
  • By running another command if the first one succeeds: && id (where & needs to be encoded)
  • By running another command if the first one fails (and making sure it does: error || id (where error is just here to cause an error).

It’s also possible to use the same value technique to perform this type of detection. For example, you can replace 123 with`echo 123`. The command inside backticks will be executed first, and return exactly the same value to be used by the command.

You can also use time-based vectors to detect these kinds of vulnerabilities. You can use a command that will take time to process on the server (with a risk of denial of service). You can also use the command sleep to tell the server to wait a certain amount of time before continuing. For example, using sleep 10.  — PentesterLab

And this kind of vulnerability can lead to real damage to the server which will not be such a good idea for the corporation.

Command Injection Examples :-

Example 1

The first example is a trivial command injection. The developer didn’t perform any input validation, and you can directly inject your commands after the ip parameter.

Based on the techniques seen in the previous attacks, you can for example, use the payload by using there symbols after the ip these will help you to use multiple commands at a time | ; && cat /etc/passwd (with encoding) to see the content of /etc/passwd.

Here is the solution :-

http://[yourlab]/commandexec/example1.php?ip=127.0.0.1 && id

http://[yourlab]/commandexec/example1.php?ip=127.0.0.1; id

http://[yourlab]/commandexec/example1.php?ip=127.0.0.1| id

 

Example 2

This example validates the parameter provided, but does so incorrectly. As we saw before with the SQL injection, the regular expression used is multi-line. Using the same technique we saw for the SQL injection, you can easily gain code execution.

The good thing here is that you don’t even need to inject a separator. You can just add the encoded new line (%0a) and then put your command.

this is same a we used  null-byte to bypass the file extension filtration.

http://[yourlab]/commandexec/example2.php?ip=127.0.0.1%0auname -a

Example 3 :-

This time the preg_match function did a good validation on user’s input. However, the script didn’t stop when evil character is matched in user’s input. Instead of, it only use header function to do a redirection without die function to stop the script.

So the attacking methods (‘;’, ‘&&’ and ‘|’) still works on this one, but it will need a proxy like burpsuite or nc/telnet to read the first response page.

PoC:

Use NC to exploit this vulnerability :

echo -e “GET /commandexec/example3.php?ip=127.0.0.1%26%26id HTTP/1.1\r\nHost: 10.10.10.129\r\nConnection: close\r\n” | nc [yourlab] 80

Using Telnet :-

% telnet [yourlab] 80
GET /commandexec/example3.php?ip=127.0.0.1|uname+-a HTTP/1.0

So i hope that this is a good explanation to clear all your question.

Here is the Video Of The Examples :-

LEAVE A REPLY

Please enter your comment!
Please enter your name here