
Decomposition - command injection

2022-06-23 07:52:00 Khan security team

Command injection, or operating system (OS) command injection, is an injection vulnerability: an attacker exploits unsanitized user input to run operating system commands on the server.

Code injection: the attacker supplies their own code, which the application then executes. Command injection: the attacker extends the application's default functionality to execute system commands, without injecting any code.

According to OWASP, what exactly is a command injection attack?

Command injection is an attack whose goal is to execute arbitrary commands on the host operating system through a vulnerable application. Command injection attacks become possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In such an attack, the operating system commands supplied by the attacker are usually executed with the privileges of the vulnerable application. Command injection attacks are largely the result of insufficient input validation.

Identifying command injection (CI) in application source code (OWASP examples)

  1. PHP: vulnerable code

<?php
print("Specify the file to delete");
print("<p>");
$file=$_GET['filename'];   // value taken straight from the query string
system("rm $file");        // interpolated into a shell command, unescaped
?>

In the snippet above, the application asks the user for a value in the filename parameter and hands that value directly to the system command for execution, without sanitizing or escaping the contents of the filename parameter.

An attacker can therefore modify the request to run a system command such as id, as in the following request:

Request

http://127.0.0.1/delete.php?filename=bob.txt;id

The attacker thus extracts the output of id through the modified request, as the response below shows:

Response

Please specify the name of the file to delete
uid=33(www-data) gid=33(www-data) groups=33(www-data)
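As a defensive counterpart to the delete.php example above, here is an added example written for this page (not the original author's or OWASP's code, and in Python rather than PHP so the same pattern applies to the Python sinks listed later): the name is validated against an allowlist, the resolved path is confined to the base directory, and the deletion uses os.unlink(), so no shell is ever involved. The allowlist pattern, the directory, the file name and the rejected inputs are all constructed for the demonstration.

```python
import os
import re
import tempfile

# Allowlist for a plain file name: no path separators, no shell metacharacters.
# The pattern is an assumption for this example; tighten it to what the app really needs.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


def validate_filename(name: str) -> str:
    """Return name unchanged if it is a simple file name; raise ValueError otherwise."""
    if not SAFE_NAME.fullmatch(name) or ".." in name:
        raise ValueError(f"rejected file name: {name!r}")
    return name


def unsafe_delete_command(name: str) -> str:
    """The vulnerable delete.php pattern: the string a shell would receive.
    Only built here for comparison, never executed."""
    return f"rm {name}"


def delete_file_safe(base_dir: str, name: str) -> str:
    """Delete base_dir/name without a shell: validated name, confined path, os.unlink()."""
    name = validate_filename(name)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Second line of defence: the resolved path must stay directly inside base_dir.
    if os.path.dirname(target) != base:
        raise ValueError("path escapes the base directory")
    os.unlink(target)
    return target


def demo() -> dict:
    """Run the checks against a constructed temporary directory and report outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "bob.txt")
        open(victim, "w").close()
        # What delete.php would hand to the shell for the request shown in the text.
        results["shell_string"] = unsafe_delete_command("bob.txt;id")
        # Inputs the hardened version refuses (constructed).
        for bad in ("bob.txt;id", "../etc/passwd", "$(whoami)", "a|b", "`id`"):
            try:
                validate_filename(bad)
                results[bad] = "accepted"
            except ValueError:
                results[bad] = "rejected"
        delete_file_safe(d, "bob.txt")
        results["deleted"] = not os.path.exists(victim)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!s:>20}: {value}")
```

The two checks are deliberately independent: the allowlist rejects metacharacters before anything touches the filesystem, and the realpath comparison catches traversal even if the allowlist is later loosened.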

2. Similarly, in Perl: the vulnerable code below assumes that the attacker-controlled name parameter is a domain name:

use CGI qw(:standard);
$name = param('name');
$nslookup = "/path/to/nslookup";
print header;
if (open($fh, "$nslookup $name|")) {   # $name is interpolated into a pipe-open, so it reaches the shell
    while (<$fh>) {
        print escapeHTML($_);
        print "<br>\n";
    }
    close($fh);
}

Attack input: cwe.mitre.org%20%3B%20/bin/ls%20-l. The %3B sequence decodes to the ";" character and %20 decodes to a space, so the open() statement processes the following string: /path/to/nslookup cwe.mitre.org ; /bin/ls -l. As a result, the attacker executes "/bin/ls -l" and obtains a listing of all files in the program's working directory (CWE example).

3. Also, in Java: vulnerable code

The following code reads the name of a shell script to execute from a system property. It is subject to the second variant of operating system command injection.

String script = System.getProperty("SCRIPTNAME");
if (script != null)
    Runtime.getRuntime().exec(script);   // runs whatever the property names; Runtime.exec() is the Java sink listed at the end of this page

As an attacker, what can you do?

An attacker can upload malicious programs or files, obtain passwords, gain backdoor access, escalate privileges, execute unintended commands, destroy any sensitive file on the server, or extend the attack to the network.

Steps for exploiting command injection:

  1. Use the ping command to make the server ping its own loopback interface, which triggers a measurable time delay.
  2. If filtering is incomplete, the following input causes a 30-second delay on either platform (Windows or Unix):

|| ping -i 30 127.0.0.1 ; x || ping -n 30 127.0.0.1

  3. Monitor the time the application takes to respond, for each of the following delay-triggering inputs:

| ping -i 30 127.0.0.1 |
| ping -n 30 127.0.0.1 |
& ping -i 30 127.0.0.1 &
& ping -n 30 127.0.0.1 &
; ping 127.0.0.1 ;
%0a ping -i 30 127.0.0.1 %0a
` ping 127.0.0.1 `

  4. If a time delay occurs, the application may be vulnerable to command injection.
  5. Repeat the test case several times to confirm that the delay is not caused by network latency or other anomalies.
  6. Try changing the value of the -n or -i parameter and confirm that the observed delay changes systematically with the value you supply.
  7. If that works, try injecting a command such as ls or dir and check whether you can retrieve the command's output in the browser.
  8. If you cannot retrieve the results directly, try opening an out-of-band channel back to your own machine: use TFTP to copy tools to the server, use telnet or netcat to create a reverse shell back to your machine, and use the mail command to send command output via SMTP.
  9. You can also redirect the output of your command to a file inside the web root and then retrieve it directly with a browser. For example: dir > c:\inetpub\wwwroot\foo.txt
  10. Once you have found a way to inject commands and retrieve results, determine your privilege level: use whoami, or try writing a harmless file to a protected directory.
  11. Then you may look to escalate privileges, gain backdoor access to sensitive application data, or attack other hosts reachable from the compromised server.

How to identify command injection vulnerabilities in web apps?

Look for web applications that display a file name in the URL.

Perl: append the pipe symbol | to the end of the file name.

URL before modification: http://sensitive/cgi-bin/userData.pl?doc=profile.txt
Modified URL: http://sensitive/cgi-bin/userData.pl?doc=/bin/ls|
This will execute the command /bin/ls.

PHP: append a semicolon ; to the end of the URL, followed by an OS command. The ; is encoded as %3B in the URL.

Modified URL: http://sensitive/something.php?dir=%3Bcat%20/etc/passwd

Understanding the role of special characters in command injection

Combining special characters with user input allows an attacker to alter or divert the application into performing unexpected actions. As in any command injection, the execution of the second command is dynamically directed by the attacker. The following special characters can be used for command injection, for example | ; & $ > < ' !

cmd1|cmd2: using | makes cmd2 execute regardless of whether cmd1 executed successfully.
cmd1;cmd2: using ; makes cmd2 execute regardless of whether cmd1 executed successfully.
cmd1||cmd2: cmd2 executes only if cmd1 fails.
cmd1&&cmd2: cmd2 executes only if cmd1 succeeds.
$(cmd): for example echo $(whoami) or $(touch test.sh; echo 'ls' > test.sh)
`cmd`: used to execute a specific command, for example `whoami`
>(cmd): >(ls)
<(cmd): <(ls)

How to bypass mitigations?

Try the characters shown below to bypass checks or escaping performed by the application.

For command injection, try the following characters or character combinations to test the defenses the application implements: | ; & $ > < ' \ ! >> #

Windows special characters to escape or filter: ( ) < > & * | = ? ; [ ] ^ ~ ! . % @ / \ : + , `

Linux special characters to escape or filter: { } ( ) > < & * | = ? ; [ ] $ # ~ ! . % / \ : + , `
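The characters listed in this section and in the previous one are also what a defender watches for in traffic. The following detector is an added example written for this page in Python (not the original author's tooling): it URL-decodes the query string of each web-server access log line, flags any parameter value containing one of those shell metacharacters, rates the finding higher when a chaining operator or a command name from the page's examples (id, ls, cat, ping, ...) appears alongside, and reports the line. The log lines are constructed from the requests shown earlier on this page; the log format and the regular expressions are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Shell metacharacters from the page's lists that signal command chaining or substitution.
# Newline and carriage return cover the %0a / %0d payloads once the URL is decoded.
METACHARS = set("|;&$><`'\\!\n\r")
# Operators that chain or substitute commands, and command names seen in the page's examples.
CHAIN_RE = re.compile(r"\|\||&&|>>|\$\(|`|;")
COMMAND_RE = re.compile(r"\b(?:ping|whoami|id|cat|ls|dir|nslookup)\b")
# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/')


def inspect_value(value: str):
    """Return (severity, reasons) for a decoded parameter value, or None if it looks clean."""
    meta = sorted(set(value) & METACHARS)
    if not meta:
        return None
    reasons = ["metachar:" + "".join(meta)]
    chain = CHAIN_RE.search(value)
    if chain:
        reasons.append("chaining:" + chain.group(0))
    command = COMMAND_RE.search(value)
    if command:
        reasons.append("command:" + command.group(0))
    return ("high" if command else "medium"), reasons


def scan_log(text: str) -> list:
    """Scan access-log text; one finding per suspicious (line, parameter) pair."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes values, so %3B becomes ';' and %7C becomes '|'.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            verdict = inspect_value(value)
            if verdict:
                severity, reasons = verdict
                findings.append({"line": lineno, "path": parts.path, "param": key,
                                 "value": value, "severity": severity, "reasons": reasons})
    return findings


# Constructed log lines echoing the requests discussed on the page.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jun/2022:07:52:00 +0000] "GET /delete.php?filename=bob.txt HTTP/1.1" 200 512
10.0.0.9 - - [23/Jun/2022:07:52:03 +0000] "GET /delete.php?filename=bob.txt%3Bid HTTP/1.1" 200 640
10.0.0.9 - - [23/Jun/2022:07:52:07 +0000] "GET /cgi-bin/userData.pl?doc=/bin/ls%7C HTTP/1.1" 200 2048
10.0.0.9 - - [23/Jun/2022:07:52:11 +0000] "GET /something.php?dir=%3Bcat%20/etc/passwd HTTP/1.1" 200 1901
10.0.0.9 - - [23/Jun/2022:07:53:41 +0000] "GET /lookup.php?host=127.0.0.1%20%7C%7C%20ping%20-i%2030%20127.0.0.1 HTTP/1.1" 200 77
10.0.0.7 - - [23/Jun/2022:07:54:00 +0000] "GET /cgi-bin/userData.pl?doc=profile.txt HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['severity']:6} {f['path']} {f['param']}={f['value']!r} {f['reasons']}")
```

Decoding before matching is the important design choice: a rule that looks for a literal ; in the raw request line misses the %3B form from the PHP example, and a rule that looks only for %3B misses the raw form from the delete.php request. A bare command name without any metacharacter is deliberately not reported, to keep ordinary values such as a file called ls out of the findings.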

Going further

Pay close attention to the following functions, which are frequent targets of command injection attacks. Check whether you can reach these calls directly.

Java:   Runtime.exec()
C/C++:  system, exec, ShellExecute
Python: exec, eval, os.system, os.popen, subprocess.Popen, subprocess.call
PHP:    system, shell_exec, exec, proc_open, eval
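A quick way to act on this list is to search a code base for those sinks before deciding which call sites need manual review. The following is an added example written for this page in Python (not the original author's tool): a small source scanner with one regular expression per language, run over constructed snippets that mirror the PHP, Java and C patterns shown above plus a Python file mixing a safe argv-list call with two shell-based sinks. The file names, their contents and the extension-to-language map are constructed for the demonstration; the C pattern also matches the exec family (execl, execv, execve, ...) and ShellExecuteA/W, which the page's list abbreviates to exec and ShellExecute.

```python
import re

# One regex per language for the sinks listed on the page (exec family and ShellExecuteA/W
# variants added; subprocess.Popen spelled as the real API).
SINK_PATTERNS = {
    "php":    re.compile(r"\b(?:system|shell_exec|exec|proc_open|eval)\s*\("),
    "python": re.compile(r"\b(?:exec|eval|os\.system|os\.popen|subprocess\.(?:Popen|call))\s*\("),
    "java":   re.compile(r"\bRuntime\b.*?\.exec\s*\("),
    "c":      re.compile(r"\b(?:system|exec[lvpe]*|ShellExecute[AW]?)\s*\("),
}
# Extension-to-language map (assumption for this example).
LANG_BY_EXT = {".php": "php", ".py": "python", ".java": "java", ".c": "c", ".cpp": "c"}


def find_sinks(filename: str, source: str) -> list:
    """Return one finding per sink call in source: file, line number, matched call, code line."""
    ext = filename[filename.rfind("."):].lower()
    pattern = SINK_PATTERNS.get(LANG_BY_EXT.get(ext, ""))
    if pattern is None:
        return []
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in pattern.finditer(line):
            call = m.group(0)[:-1].rstrip()   # drop the opening parenthesis
            findings.append({"file": filename, "line": lineno, "sink": call, "code": line.strip()})
    return findings


def audit_sources(files: dict) -> list:
    """Scan a {filename: source} mapping and return all findings, file by file."""
    results = []
    for name, source in files.items():
        results.extend(find_sinks(name, source))
    return results


# Constructed sample files mirroring the page's vulnerable snippets.
SAMPLES = {
    "delete.php": '''<?php
print("Specify the file to delete");
$file=$_GET['filename'];
system("rm $file");
?>''',
    "cleanup.py": '''import os, subprocess

def cleanup(name, cmd):
    os.system("rm " + name)              # shell string built from input
    subprocess.run(["ls", "-l", name])   # argv list, no shell: not a listed sink
    return subprocess.call(cmd, shell=True)
''',
    "Runner.java": '''public class Runner {
    public static void main(String[] args) throws Exception {
        String script = System.getProperty("SCRIPTNAME");
        if (script != null) Runtime.getRuntime().exec(script);
    }
}''',
    "runner.c": '''#include <stdlib.h>
#include <unistd.h>
int run(const char *buf, char *const argv[], char *const envp[]) {
    int rc = system(buf);                 /* shell interprets buf */
    return rc ? rc : execve(argv[0], argv, envp);
}''',
}

if __name__ == "__main__":
    for f in audit_sources(SAMPLES):
        print(f"{f['file']}:{f['line']}: {f['sink']}()  {f['code']}")
```

The scanner only locates sinks; whether each one is reachable with user-controlled input, as the text asks, still has to be traced by hand. The word-boundary anchors keep names such as execute_query or subsystem from being reported as exec or system.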

Original site

Copyright notice
This article was created by [Khan security team]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/01/202201122252498180.html