Command Injection - Vulnerability



  • Hello! Today, I will talk about Command Injection: what it is, how it is used, etc.

    Command Injection is an attack whose purpose is to execute arbitrary commands on the OS using a vulnerable web application. Attacks are possible when the application uses insecure user data, for example: form, cookies, HTTP headers, etc. An attack is possible due to insufficient verification of the input data.

    This attack differs from Code Injection: code injection allows you to run your own code, while command injection extends the functionality of the default web application, executing system commands without any code of its own.

    Examples:

    The following code is a wrapper around the UNIX command cat that displays the contents of a file.

    #include <stdio.h>
    #include <stdlib.h>   /* malloc */
    #include <string.h>   /* strlen, strncpy, strncat */
    
    int main (int argc, char ** argv) {
     char cat [] = "cat ";   /* trailing space separates the command from the file name */
     char * command;
     size_t commandLength;
    
     if (argc != 2) {
      fprintf (stderr, "usage: %s <file>\n", argv [0]);
      return (1);
     }
    
     commandLength = strlen (cat) + strlen (argv [1]) + 1;
     command = (char *) malloc (commandLength);
     strncpy (command, cat, commandLength);
     strncat (command, argv [1], (commandLength - strlen (cat)));
    
     /* argv[1] is handed to a shell unchecked: "main.txt; ls" also runs ls */
     system (command);
     return (0);
    }
    

    Commonly used, the output is simply the contents of the requested file:

    ./catWrapper main.txt

    But if we add `;` and write another command:

    ./catWrapper "main.txt; ls"

    If after installation catWrapper has a higher privilege level, then it will work the same way.

    1. This simple program takes the file name as a command line argument and displays the contents of the file back to the user. The program is installed with root rights, as it is intended to be used as a learning tool, to allow system administrators to inspect privileged system files without being able to change them or damage the system:
           #include <stdio.h>
           #include <stdlib.h>
           #include <string.h>
    
           #define CMD_MAX 256   /* not shown in the original; assumed buffer size */
    
           int main (int argc, char ** argv) {
                   char cmd [CMD_MAX] = "/usr/bin/cat ";
                   if (argc != 2) return 1;
                   /* argv[1] is appended unchecked and then handed to a shell by system() */
                   strncat (cmd, argv [1], CMD_MAX - strlen (cmd) - 1);
                   system (cmd);
                   return 0;
           }
    

    Since the program works with root rights, the call to system() also runs with root rights. If the user supplies a standard file name, the call works. However, if the hacker sends a string of the form "; rm -rf /", then the call to system() does not execute the cat command (it has no arguments) and recursively deletes the contents of the root partition.

    2. This code uses the APPHOME variable, which defines the web application directory, and then runs the initialization program from that directory:
           ...
           char * home = getenv ("APPHOME");
           if (home == NULL) return 1;   /* APPHOME is not set */
           char * cmd = (char *) malloc (strlen (home) + strlen (INITCMD) + 1);   /* +1 for the terminating NUL */
           if (cmd) {
                   strcpy (cmd, home);
                   strcat (cmd, INITCMD);
                   /* the path executed here is built from an environment variable the caller controls */
                   execl (cmd, cmd, (char *) NULL);
           }
           ...
    

    As in the previous example, this code allows arbitrary commands to be executed with the elevated privileges of the web application. The APPHOME variable can be changed to point to a different path containing a malicious version of INITCMD, which tricks the web application. The attacker uses environment variables to control the command that launches the program, so the effect of the environment is clear in this example.

    3. This code allows users to change their passwords:
           system ("cd /var/yp && make &> /dev/null");
    
    4. Consider a utility called commix.

    Commix (short for command injection exploiter) is an automated tool written by Anastasios Stasinopoulos that can be used by web developers, penetration testers, or even security researchers to test web applications for bugs, errors or vulnerabilities related to command injection attacks. Using this tool, it is very easy to find and exploit command injection vulnerabilities in a specific vulnerable parameter or HTTP header.

    It is compatible with Metasploit Framework, BurpSuite, SQLMap, etc. It is written in Python.

    Before installing: if you use an information security distribution, you do not need to install it.

    Installation:

    Download from github:

    git clone https://github.com/commixproject/commix.git

    We go to the utility folder:

    cd commix

    Launch:

    python commix.py -h
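    Going back to the cat wrapper at the start of the post: the fix for that class of bug is to never let the file name reach a shell. The program below is an added example, not the original post's code. It keeps the same behaviour (print a file) but applies two defences: the file name is checked against a character allowlist, so "main.txt; ls" is rejected before anything runs, and the child is started with execv() and an argv array rather than system(), so the argument is never parsed by a shell. The function names and the /bin/cat path are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Returns 1 if name contains any character outside the allowlist
 * (letters, digits, '.', '_', '-', '/') or is empty, otherwise 0.
 * Shell metacharacters such as ';', '|', '&', '`', '$' and whitespace
 * are all outside the allowlist, so "main.txt; ls" is rejected. */
int has_disallowed_chars(const char *name) {
    const char *allowed = "abcdefghijklmnopqrstuvwxyz"
                          "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                          "0123456789._-/";
    if (name == NULL || *name == '\0') return 1;
    return strspn(name, allowed) != strlen(name);
}

/* Runs /bin/cat on `name` without involving a shell (hypothetical helper).
 * Returns the child's exit status (0 on success), or -1 if the name was
 * rejected or the child could not be started / did not exit normally. */
int cat_file_safely(const char *name) {
    if (has_disallowed_chars(name)) {
        fprintf(stderr, "rejected: \"%s\" contains characters that are not allowed\n", name);
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* The file name is a single argv element, whatever it contains.
         * "--" stops cat from treating a name like "--help" as an option. */
        char *const cat_argv[] = { (char *)"/bin/cat", (char *)"--", (char *)name, NULL };
        execv("/bin/cat", cat_argv);   /* absolute path: no PATH lookup */
        _exit(127);                    /* only reached if execv failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 2;
    }
    return cat_file_safely(argv[1]) == 0 ? 0 : 1;
}
```

    Run as `./safecat main.txt` it prints the file; run as `./safecat "main.txt; ls"` it prints the rejection message and exits without executing anything. The allowlist is the first line of defence, but the execv() call is the one that matters: even if a character slipped through the allowlist, there is no shell in the chain to interpret it.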



  • I recommend Ubuntu 18.04 for this tutorial.

