
Hey everybody, how's it going?
Today we are going to talk about a cool and very serious vulnerability called OS command injection.

Description :
OS command injection (also known as shell injection) is a type of vulnerability that allows an attacker to execute arbitrary commands on the target system. An attacker can read sensitive files such as usernames, passwords, emails and personal files, and beyond that may write malicious code to the server, which can lead to revenue loss or other damage to the company. Worse, that malicious code can give the attacker a shell on their own PC, which is extremely dangerous. So this is a very cool vulnerability.
Today I am going to demonstrate how OS command injection can be exploited using DVWA.
Ways of injecting OS commands
We can use different special characters to inject an arbitrary command. The most common one on Linux is the semicolon (;) and on Windows the ampersand (&). We simply have to use command separators, which allow us to execute arbitrary commands. The following command separators work on both Windows and Unix-based systems:
- &
- &&
- |
- ||
The following command separators work only on Unix-based systems.
- ;
- 0x0a (a newline, \n)
How does command injection crop up?
While developing web applications, developers sometimes need to add functionality by making use of operating system commands. If the application passes user-supplied input directly to the server's shell without any validation, the application becomes vulnerable to command injection attacks.
To understand this better, let's work on a simple PHP page that uses the ping command to ping a particular IP address through its web interface. This means the application passes the ping command, with that particular input IP, directly to the server's shell.

Now, if an attacker adds a separator and passes any other command, that command will be sent directly to the server and executed, which allows the attacker to gain complete access to the operating system.
Types of Command Injection
- Error based command injection
- Blind based command injection
https://www.owasp.org/index.php/Command_Injection
Examples of OS Command injection
1. Basic OS command injection
This is the simplest form of OS command injection. For this example I'll be using DVWA, logging in with admin:password and setting the DVWA security level to low.

In the image below you can see that I tried to ping localhost by typing 127.0.0.1, and got the output of the ping.

Let's view the source code to understand things better.

The IP address we enter in the form is passed to $target and executed with $cmd = shell_exec();
We can simply add ";" (semicolon), "&&" or "|" and then enter any arbitrary command, for example:
- 127.0.0.1;ls
- 127.0.0.1&&ls
- 127.0.0.1|ls
- ||ls


And whoop! Here we have our proof of concept. Similarly we can run other system commands such as ";pwd", ";id" etc., and we can also obtain a bind shell or reverse shell.
Example 2
Going a step further with OS command injection, I set the DVWA security level to medium. In the image below we can see that the web panel is still the same.

At DVWA's medium security level, we can see that adding the separators ";" (semicolon) and "&&" no longer returns any result.


Let's view the source again!

Now we can see there are some substitutions in place. The concept is the same: we put the IP into $target and the command is executed on the server, but here the developer filters out "&&" and ";". This is a basic filter you may come across, but it is definitely considered bad practice because, as we saw earlier, there are multiple ways to perform OS command injection. So if we enter a payload that doesn't use the double ampersand or the semicolon, we can pass DVWA's medium difficulty.
There are other payloads besides the double ampersand and semicolon, such as "||" and "|".
Now we are good to go. Let's try these payloads:
127.0.0.1|cat /etc/passwd
||cat /etc/passwd


Whoop! Here we have our proof of concept. Similarly we can run other system commands such as ";pwd", ";id" etc., and we can also obtain a bind shell or reverse shell.
So there are still ways to work around that blacklist filter and go ahead and exploit the command injection vulnerability.
Example 3
Now that we have seen how to solve DVWA's medium security command injection, let's move to the security tab and set the security level to high.

Okay, now again the web panel is the same as before at low and medium security.
Let’s view source code again.

If we take a look, there is a new set of substitutions in place that replaces all sorts of ampersands, semicolons and so on; here the developer is really trying to block every character that could be used to perform command injection.
Now it can be very hard or impossible to execute any other arbitrary command because the developer filtered out many of the characters with which we could perform our attacks.
But in this case the blacklist is not set up properly: the third substitution blocks a single pipe followed by a space ("| "), so if we enter a single pipe and our payload without the space, we might succeed.
Here the user input is sanitized, but not properly, and this leads to command injection.
Payload: |whoami

As we can see, command execution still works: we entered |whoami (without a space) and whoop! It worked; we have our proof of concept. Similarly we can run other system commands such as ";pwd", ";id" etc., and we can also obtain a bind shell or reverse shell.
Because user input is not properly sanitized, we are able to bypass DVWA's high security level.
4. The impossible level
Under the security tab, set the security level to impossible. In the image below we can ping localhost easily, but none of our payloads worked!


Okay, let's check out the source code for this level.

As you can see, there's a lot more going on in this source code. What are they actually doing?
- First, they split the IP into four octets.
- Second, they check that each octet is an integer.
- If every octet is an integer, they put the IP back together.
If this kind of filter is applied to the code, it becomes impossible for us to get command execution: the code properly checks that what we put in is an IP address whose parts are all integers. If we enter localhost we can see the result.
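As an added example (not DVWA's own source), here is a blacklist filter in the style of the medium and high levels beside the octet-by-octet validation the impossible level applies, so the difference between the two approaches is visible on the payloads used above. The substitution list and the function names are assumptions for illustration.

```php
<?php
// Added example (not DVWA's source): a blacklist in the style of the high
// level beside the octet-by-octet validation the impossible level applies.
// The substitution list and function names are assumptions for illustration.

// Blacklist filter: strips the separators this post names. Because the pipe
// rule only matches "| " (pipe followed by a space), "|whoami" passes through.
function blacklist_filter(string $target): string
{
    $substitutions = ['&&' => '', ';' => '', '| ' => '', '||' => ''];
    return str_replace(array_keys($substitutions), $substitutions, $target);
}

// Allowlist validation: split into four octets, require each to be an integer
// in 0..255, then rebuild the address from the validated parts only.
function validate_ip(string $target): ?string
{
    $octets = explode('.', trim($target));
    if (count($octets) !== 4) {
        return null;
    }
    foreach ($octets as $octet) {
        // The digit-only pattern rejects signs, spaces and every shell metacharacter
        if (!preg_match('/^[0-9]{1,3}$/', $octet) || (int) $octet > 255) {
            return null;
        }
    }
    return implode('.', array_map('intval', $octets));
}

// Runs ping only on a validated address; escapeshellarg is defence in depth.
function ping_target(string $input): string
{
    $ip = validate_ip($input);
    if ($ip === null) {
        return 'ERROR: invalid IP address';
    }
    return (string) shell_exec('ping -c 4 ' . escapeshellarg($ip));
}

// Constructed inputs: a valid address, the medium-level payload and the
// high-level bypass from this post.
foreach (['127.0.0.1', '127.0.0.1|cat /etc/passwd', '|whoami'] as $input) {
    printf("%-26s blacklist: %-26s allowlist: %s\n", $input,
        blacklist_filter($input), validate_ip($input) ?? 'rejected');
}
```

Both injection payloads come out of blacklist_filter unchanged and reach the shell, while validate_ip returns null for anything that is not four integer octets, which is why the impossible level cannot be passed with separators.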

So, that's it for this blog!
Thanks for reading. Stay tuned for similar blogs and much more.
Kindly give your valuable suggestions, if any.
:- Dark-0
