Command Injection
Command injection ( also known as shell injection ) is a web security vulnerability that allows an attacker to execute arbitrary operating system ( OS ) commands on the server that is running an application, and typically fully compromise the application and all of it's data.
Testing for vulnerability
Let's take for example a web application that allows users to search a directory on their back-end service. The application provides a single form input which allows text search for the directory. Without any prior knowledge of this system there are a few things we can try. The first being a simple *NIX command:
If the application implements no defenses against OS command injection while reach out to a shell command for information then the command we submitted would be appended to the original call.
The echo command simple prints out the supplied string. It does notthing mailicious, but gives us some insight into what we may be able to do. If the application is succeptable then the following output should be:
Error - DirectoryListing was not provided
hello
29: command not found
These three lines demonstrate that the original command was executed without it's expected arguments, and it returned the error. Also, the injected echo was executed and supplied our expected string. Now that we know the application is running out commands we can trying a couple of different commands:
Output | Linux | Windows |
Current User | whoami | whoami |
Operating System | uname -a | ver |
Network Configuration | ifconfig | ipconfig /all |
Network Connections | netstat | netstat -an |
Running Processes | ps -ef | tasklist |
Blind OS Command Injection
Many instances of OS command injection are blind vulnerabilities. This means that the application does not return the output from the command within its HTTP response. Blind vulnerabilities can still be exploited, but different techniques are required.
Consider a web site that lets users submit feedback about the site. The user enters their email address and feedback message. The server-side application then generates an email to a site administrator containing the feedback. To do this, it calls out to the mail program with the submitted details. For example:
mail -s "This site is great" -aFrom:peter@normal-user.net feedback@vulnerable-website.com
The output from the mail command (if any) is not returned in the application's responses, and so using the echo payload would not be effective. In this situation, you can use a variety of other techniques to detect and exploit a vulnerability.
Detecting Blind OS Command Injection with Time Delay
You can use an injected command that will trigger a time delay, allowing you to confirm that the command was executed based on the time that the application takes to respond. The ping command is an effective way to do this, as it lets you specify the number of ICMP packets to send, and therefore the time taken for the command to run:
& ping -c 10 127.0.0.1 &
This command will cause the application to ping its loopback network adapter for 10 seconds.
Exploiting Blind OS Command Injection
You can redirect the output from the injected command into a file within the web root that you can then retrieve using your browser. For example, if the application serves static resources from the filesystem location /var/www/static, then you can submit the following input:
& whoami > /var/www/static/whoami.txt &
The > character sends the output from the whoami command to the specified file. You can then use your browser to fetch https://vulnerable-website.com/whoami.txt to retrieve the file, and view the output from the injected command.
Opening a reverse shell using OS Command Injection
There are many ways to open a reverse shell using OS Command Injection, but for this demonstration we'll be using netcat. This is considering we know that the application is already vulnerable to injection.
First we'll use the following command on our own system to open up a listener for incoming connections. Usage for netcat is nc, the -l flag opens a listener, and the -p {number} flag instructs netcat to listen on the specified port.
Next, in the vulnerable web applications input we append the following command to spawn a shell on the server and connect back to our machine:
On our own system we should see an open connection, which we can use to enumerate further, escalate privilege, or even pivot to another system in the network.
Summary
There is alot more information when it comes to OS Command Injection, we only briefly touched on one or two methods here. You can find a lot more information online.
Last updated