Command Injection | Finding And Exploiting Flaws
In our last post we had our look on some basics about command injection flaws. So here we will discus how to find and exploit command injection flaws. In last post I told you that to exploit command injection flaws you must be able to interact with system command shell. Suppose anyhow you suspect that the web application interacts with operating system, its time to check it how you can exploit it. Before you exploit I must make clear that there is practically no guarantee that the command shell web application is interacting is its own shell, remote shell or custom built shell also there's no guarantee that output of executed command will be displayed to you on your web browser. Note that an application can issue operating system commands using input provided by user, URL and even stored and processed cookies.
To find out command injection vulnerability you have to use shell meta-characters also known as shell operators or conditional operators of shell. Following three are meta-characters that are mostly used to exploit vulnerability,
; semi colon
&& AND operator
|| OR operator
Now consider condition one web application is vulnerable to command injection via input box. Then type following command,
ping -n 10 127.0.0.1
if it returns output for command then the application is vulnerable to command injection. Suppose it returns with invalid input, try appending the valid input with || ping 127.0.0.1 command. For example suppose the input field asks for your name then type your name and append it as follows,
Input Name : DEVIL || ping -n 10 127.0.0.1
In some cases you'll find none of the above either returns error message nor it returns output to your web browser. In such cases rather than using ' n ' parameter with ping use ' i ' parameter. Where I represents interval in seconds. First of all use a normal input and note time the web application takes to return output. Then append normal input by interval based ping command and note whether the time exceeds by interval specified by you for example, if
Input Name: DEVIL
takes 3 seconds to process then
Input Name: DEVIL || ping -i 30 127.0.0.1
should approximately take 30-33+ seconds to process. If it does take interval of time specified by you to process then try with different intervals of time. If time exceeds according to specified interval then surely the web application is vulnerable but the web application has disallowed web browser to show shell output. In such cases you have work little on assumption and download a netcat(please have look on out netcat tutorials to know how to use it) file to victim and execute it on victim in listen mode by appending input field by OR operator. If web browser shows output to every command then there's no need to use netcat. Now its time to check who the user is and his/her privileges, to find it use following commands,
Input Name: DEVIL || whoami
will tell you name of user account, note that user account may be administrator.
Input Name: DEVIL || whoami /all
Above command will tell you privileges of current user. Note that this user might be administrator. By the way above commands are windows specific, in Linux and UNIX environment you can use whoami, who, w and pinky commands. All these commands are distribution specific so don't forgot to have a look on man pages before you try them.
Input Name: DEVIL || whoami
will show current user
Input Name: DEVIL || id -u
will show you privileges of user. If above command returns with group id zero then user have administrative privileges.
Now consider second condition in which command can be injected through URL. For example www.victim.com/cgi-bin/page.cgi?data=DEVIL is vulnerable URL. You can check it just as you checked an input box for vulnerability by appending it with ping command,
www.victim.com/cgi-bin/page.cgi?data=DEVIL || ping -n 10 127.0.0.1
But the bitter fact is that above URL will not work because of space between characters. You have to fill up space with space equivalent characters so use %20 as space character. So the above URL will become,
www.victim.com/cgi-bin/page.cgi?data=DEVIL%20||%20ping%20-n%2010%20127.0.0.1
Please note that command injection needs practice so practice it on Damn Vulnerable Web Application(DVWA). Practically we have covered everything that you should know about finding and exploiting command injection rest is left to how you practice it.
That's set for now. Thanks for reading, keep visiting and have a nice time.
