😁OS Command Injection

i will explain the vulnerability and how it happen and some mitigation

• is a vulnerability that consists of an attacker executing commands on the host (server-OS-system) via a vulnerable application

  

  Untitled

😄 Shell metacharacters: ( & , && , | , || , ; , \n , , $()` )

• | ⇒ only second command will show

• || ⇒ second command will execute if the first don’t success or get error Second (only if first fails)

• **& ⇒ Both (second output generally shown first)**

• && ⇒ execute the second when the first execute successful only if first succeeds

• ; ⇒ all command will work until one don’t success

#Both Unix and Windows supported
ls||id; ls ||id; ls|| id; ls || id # Execute both
ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe)
ls&&id; ls &&id; ls&& id; ls && id #  Execute 2º if 1º finish ok
ls&id; ls &id; ls& id; ls & id # Execute both but you can only see the output of the 2º
ls %0A id # %0A Execute both (RECOMMENDED)

#Only unix supported
`ls` # ``
$(ls) # $()
ls; id # ; Chain commands
ls${LS_COLORS:10:1}${IFS}id # Might be useful

#Not executed but may be interesting
> /var/www/html/out.txt #Try to redirect the output to a file
< /etc/passwd #Try to send some input to the command

Tools For Exploit :

• commix tool ⇒ give it url - cookie - data

Types of Command Injection

1. In-band Command Injection :

   • Consists of an attacker executing commands on the host operating system via a vulnerable application and receiving the response of the command in the application.

   

1. Blind Command Injection :

   • Consists of an attacker executing commands on the host operating system via a vulnerable application that does not return the output from the command within its HTTP response

   • Blind vulnerabilities can still be exploited, but different techniques are required.

   

😄Vuln PHP Code :

• PHP may use the exec, system, shell_exec, passthru, or popen functions to execute commands directly on the back-end server

  <?php
  if (isset($_GET['filename'])) {
      system("touch /tmp/" . $_GET['filename'] . ".pdf");
  }
  ?>

  • web application has a functionality that allows users to create a new .pdf document that gets created in the /tmp

  • the user input from the filename parameter in the GET request is used directly with the touch command without being sanitized

  • web application becomes vulnerable to OS command injection

😄basic command blacklist filter in PHP

$blacklist = ['whoami', 'cat', ...SNIP...];
foreach ($blacklist as $word) {
    if (strpos('$_POST['ip']', $word) !== false) {
        echo "Invalid input";
    }
}

The code you provided will check if the input in the $_POST['ip'] variable contains any of the words in the blacklist array. If it does, the code will echo "Invalid input".

😃Blacklisted Characters bypass :

• backend use function to block all special characters - If any character in the string we sent matches a character in the blacklist, our request is denied.

  $blacklist = ['&', '|', ';', ...SNIP...];
  foreach ($blacklist as $character) {
      if (strpos($_POST['ip'], $character) !== false) {
          echo "Invalid input";   }
  }

• we don’t have or see code then we try to identify which character can use to bypass

Impact of Command Injection Attacks :

1. Unauthorized access to the application and host operating system.

   1. Confidentiality – Command injection can be used to view sensitive information.

   2. Integrity – Command injection can be used to alter content in the application.

   3. Availability – Command injection can be used to delete content in the application.

2. Remote code execution on the operating system

👍Black-Box Testing

1. Map the application : Identify all instances where the web application appears to interacting with operating system

2. Fuzz the application. • Shell metacharacters: ( & , && , | , || , ; , \n , , $()` )

3. For in-band command injection :

   1. analyze the response of the application to determine if it’s vulnerable.

4. For blind command injection, you need to get creative.

   • Trigger a **time delay using the ping or sleep** command.

   • Output the response of the command in the web root and retrieve the file directly using a browser.

   • Open an out-of-band channel back to a server you control.

😄 White-Box Testing

1. Map all input vectors in the application.

2. Review source code to determine if any of the input vectors are added as parameters to functions that execute system commands

3. Once a vulnerability is identified, test it to confirm that it is exploitable.

Bypass filters : https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command Injection#tools

Prevent

1. Input Validation :

• we should always validate and then sanitize the user input

• Input validation is done to ensure it matches the expected format for the input, such that the request is denied if it does not match

1. **filter_var : built-in PHP function used for validating and filtering data.**

   if (filter_var($_GET['ip'], FILTER_VALIDATE_IP)) {
       // call function
   } else {
       // deny request
   }

2. Input Sanitization : always performed after input validation.

• which means removing any non-necessary special characters from the user input

• **preg_replace** to remove any special characters from the user input

$ip = preg_replace('/[^A-Za-z0-9.]/', '', $_GET['ip']);
echo "Sanitized IP: " . $ip;

• if we input ip like 192.168.1.15#koko

• Function will remove #koko and the output will be

• **Sanitized IP: 192.168.0.1**

• another code with JS

  var ip = ip.replace(/[^A-Za-z0-9.]/g, '');

Prevent :

• Validating against a whitelist of permitted values.

• utilizing blacklisted characters and words on the back-end to detect injection

• Validating that the input is a number.

• Validating that the input contains only alphanumeric characters, no other syntax or whitespace