- Command Injection is an attack in which arbitrary commands are executed on the host operating system through a vulnerable application.
- Command Injection is also referred to as shell injection, shell command injection, OS command injection, and OS injection.
- Injected commands usually run with the same privileges as the vulnerable application.
Prerequisite of Command Injection
- The application passes unsafe user-supplied data to a system shell
- e.g. data from forms, cookies, HTTP headers, etc.
Types of Command Injection
- Result-based command injection
- Blind command injection
  - The time-based technique (blind)
  - The file-based technique (semi-blind)
Result-based command injection:
- The output of the executed command is visible in the response
- An attacker can therefore see whether the injected command executed successfully, and what it returned
Scenario: The application executes a shell command containing user-supplied product and store IDs, and returns the raw output from the command in its response.
Output: Here the vulnerable parameter is the store ID.
Explanation: Here we have used the command whoami, which displays the name of the current user.
Blind Command Injection:
- The output of the executed command is not visible in the response
- An attacker cannot view the results of the command executed
There are two types of blind command injection:
- The time-based technique (blind)
- The file-based technique (semi-blind)
Time-based technique (blind):
- It is based on time delays
- The presence of the vulnerability is inferred from the delay in the response; the time taken can also be used to determine properties such as the length of the output
- Once confirmed, the output of the injected command can be extracted char by char using a chain of OS commands such as "cut", "head", etc.
Scenario: The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response.
Output: Here the vulnerable parameter is an email address.
Image 1: As seen in the snapshot, we have captured the request of the feedback form.
Image 2: As seen in the snapshot, the email parameter is vulnerable to blind command injection.
Explanation: Here we have used the ping command to produce a time delay, since it lets you specify the number of ICMP packets to send and therefore how long the command takes to run: ping -c 10 127.0.0.1
This command causes the application to ping its loopback network adapter for about 10 seconds.
File-based technique (semi-blind):
This technique is used when we cannot view the results of the command injection in the response, but we can write them to a file that we are able to access.
Scenario: The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response. Output redirection can be used to capture the output of the command. There is a writable folder at /var/www/images/.
Output: Here the vulnerable parameter is an email address.
Image 1: As seen in the snapshot, the email parameter is vulnerable and the output is written to the file output.txt.
Image 2: As seen in the snapshot, we click "view details" on the image and capture the request.
Image 3: In the captured request we observe that the filename parameter specifies the image name.
Image 4: We replace the original value of filename with the name of the file holding the command output, i.e. output.txt.
Explanation: Here we are redirecting the output of the command into a file that is accessible to us.
What if the web server's root directory is not writable or accessible?
We can use temporary directories ("/tmp" or "/var/tmp/") to store the output of the injected commands.
Limitation:
Usually, we cannot read files located in temp directories through web applications.
Bypass of the limitation:
- Apply the time-based technique to read the content of the files
- This is also referred to as the tempfile-based technique
Mitigation:
- Sanitize the user input
- Avoid system calls wherever possible
- Use a whitelist of permitted inputs and check their format
- Validate that the input contains only alphanumeric characters, with no other syntax or whitespace
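The following example is added here to illustrate the mitigations above against the ping scenario described earlier; it is not code from the original page or from any project it mentions. It contrasts the injectable pattern (a user value glued into a command string that a shell parses) with the hardened form: a whitelist check that permits only letters, digits, dots and hyphens, followed by execution through an argument list so that no shell ever interprets the value. The function names and the sample inputs are constructed for this example.

```python
import re
import subprocess

# Whitelist: a host value must be a dotted IPv4 address or a DNS-style name,
# i.e. letters, digits, '.' and '-', starting and ending with a letter or digit.
# Anything else (whitespace, ';', '&', '|', '$', backticks, ...) is rejected
# before the value gets anywhere near a process.
_HOST_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")


def is_valid_host(value: str) -> bool:
    """Return True only for values that match the whitelist pattern."""
    return bool(_HOST_RE.fullmatch(value))


def vulnerable_ping_command(ip: str) -> str:
    """The injectable pattern, shown for contrast only (never executed here):
    the user value is concatenated into a command string that would be handed
    to a shell (os.system / subprocess.run(..., shell=True)), so any shell
    metacharacter in `ip` changes the command instead of being ping's argument."""
    return "ping -c 1 " + ip


def safe_ping_argv(ip: str) -> list:
    """Hardened form: validate against the whitelist, then build an argv list.
    With a list and shell=False the value reaches ping as one literal argument."""
    if not is_valid_host(ip):
        raise ValueError("host must contain only letters, digits, '.' and '-'")
    return ["ping", "-c", "1", ip]


def run_ping(ip: str) -> subprocess.CompletedProcess:
    """Execute ping safely: argv list, no shell, bounded runtime."""
    return subprocess.run(safe_ping_argv(ip), capture_output=True, text=True,
                          timeout=15, check=False)


def classify_inputs(values):
    """Report which submitted values the whitelist accepts: {value: bool}."""
    return {v: is_valid_host(v) for v in values}


if __name__ == "__main__":
    # Constructed sample inputs: legitimate hosts plus values of the kind the
    # scenarios above describe (a shell metacharacter followed by a second command).
    samples = ["127.0.0.1", "example.com", "127.0.0.1; whoami",
               "127.0.0.1 | ping -c 10 127.0.0.1", "", "-c"]
    for value, ok in classify_inputs(samples).items():
        print(repr(value), "->", "accepted" if ok else "rejected")
    print("vulnerable string:", repr(vulnerable_ping_command(samples[2])))
    print("safe argv:", safe_ping_argv(samples[0]))
    print("ping exit code:", run_ping("127.0.0.1").returncode)
```

Note that the whitelist is the primary control: it rejects the value before the process is built, and the argv form is a second layer that holds even if a future change loosens the pattern. Blacklisting individual metacharacters is deliberately avoided, since the list of characters a given shell treats specially is easy to get wrong.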
Tool for exploiting command injection:
Commix:
- Commix (short for command injection exploiter) is a software tool that helps web developers, penetration testers and security researchers test web applications for bugs, errors or vulnerabilities related to command injection attacks. https://github.com/stasinopoulos/commix
- Written in the Python programming language. Python version 2.6.x or 2.7.x is required.
- Cross-platform application
  - Linux
  - Mac OS X
  - Windows (experimental)
- It is open source software.
- Commix also comes as a plugin in the following penetration testing frameworks:
  - The Penetration Testers Framework (PTF)
  - PentestBox
  - Weakerth4n
  - CTF-Tools
- You can download Commix by cloning the Git repository
Exploiting Command Injection via Commix:
Image 1: Here the IP field is vulnerable to command injection.
Image 2: python commix.py --url="http://192.168.32.130/vulnerabilities/exec/" --cookie="PHPSESSID=63pq1tou816hc3tncbkhhpdj40; security=low" --data="ip=127.0.0.1&submit=submit" --os-cmd="uname" --current-user --hostname --is-root --users --passwords --privileges --sys-info
Image 3: As observed, Commix returns all the details, from the hostname through to the user's privileges.
Commix gives us many options for enumerating a user. The only limitation is that the /etc/shadow file must be readable by the current user for password hashes to be retrieved. To exploit parameters in a POST request, we use --cookie="cookie_value" to supply our session cookie and --data="vulnerable_parameter_name" to supply the POST body containing the vulnerable parameter. The following options were used for enumeration:
- --current-user retrieves the current username
- --hostname retrieves the current hostname
- --is-root checks whether the current user has root privileges
- --sys-info retrieves system information
- --users retrieves the user list
- --passwords retrieves password hashes (this works only if /etc/shadow is readable by the current user)
- --privileges shows the privileges of the user
- --os-cmd="command_name" displays the result of the command entered