Monday, 24 January 2022

Command Injection - TryHackMe - OWASP TOP 10 labs

Finally, back after a week-long break!!! Now I am working on my OWASP skills, and the notes are as follows.



Command Injection occurs when server-side code (PHP, for example) builds an operating system command from user-supplied input and hands it to the hosting machine's shell. It is a web vulnerability that lets an attacker smuggle shell metacharacters or extra commands into that system call and execute arbitrary operating system commands on the server, with the privileges of the web server process.

ACTIVE AND BLIND COMMAND INJECTION

Active command injection returns the command's output to the user: the response is written back into the page, where it is visible in one of several HTML elements (a <pre> block, a form field, an error message and so on).

Blind command injection occurs when the command runs on the server but its output is not returned in the HTML document. Execution then has to be inferred from a side effect: a time delay (sleep 5), a DNS or HTTP callback to a host you control, or a file written somewhere you can later read.

 

ACTIVE COMMAND INJECTION EXAMPLE

Let’s consider a scenario where a company called Evil Corp. is working on a web-based shell but accidentally exposed it to the internet. Now let’s see how this exposure can be exploited.



Walking through the room's PHP pseudo code:

1.    Line 2 checks whether the request parameter “commandString” is set.

2.    Line 4 reads “commandString” from the request into a local variable. Nothing validates or escapes it at this point.

3.    Line 5 enters a try block and executes that string with passthru().

4.    The passthru() function is like exec() and system() in that it runs an external command through the system shell (/bin/sh -c on Unix). It differs in that it streams the command's raw output straight back to the browser, which is why it is the function to use when the output of a Unix command is binary data that must be passed directly to the client. For an attacker that also means the injected command's output comes back verbatim in the HTTP response.

5.    If the try fails, the catch block prints the error to the page. In practice this rarely outputs anything, because passthru() does not hand the command's stderr back to PHP, but PHP does not allow a try without a catch (or finally).

Ways to detect Active Command Injection

Active command injection is, by definition, the case where the response from the system call comes back to you. In the lab, passthru() writes the command output straight into the document, so every injected command is immediately visible. The function call here to passthru() may not always be what's happening behind the scenes (exec(), shell_exec(), system(), backticks and proc_open() all reach the shell the same way), but I felt it was the easiest and least complicated way to demonstrate the vulnerability.
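The pattern described above, reproduced in shell as an added example (this is not the lab's PHP and not TryHackMe's code). PHP's passthru() hands its string to /bin/sh -c, so a shell function that does the same thing shows exactly what the attacker gets. The lab's web shell passes the whole command string through; the example below uses the more common case of a hypothetical "ping a host" feature (function names vulnerable_ping and safe_ping are made up for this demo) where user input is spliced into a fixed command, and echo stands in for ping so it runs offline.

```shell
#!/bin/sh
# Added example, not the TryHackMe lab code. Models what happens when PHP does
# passthru("ping -c 1 " . $_GET["host"]): the string is handed to /bin/sh -c,
# so the shell, not the program, interprets whatever the user sent.
# $1 plays the role of the value that arrived as ?host=... in the request.

# Vulnerable: the request value is interpolated into a command line that is
# then parsed by a shell. Any metacharacter (; | && $( ) `) is honoured.
vulnerable_ping() {
    sh -c "echo pinging $1"    # echo stands in for ping so the demo is offline
}

# Hardened: allowlist the input (hostname/IP characters only), then run the
# program directly with the value as one argument, so no shell parses it.
safe_ping() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*)
            echo "rejected: host must be a bare hostname or IP address" >&2
            return 1
            ;;
    esac
    echo pinging "$1"          # real code would be: ping -c 1 -- "$1"
}

# Demonstration: a ';' in the input turns into a second command for the
# vulnerable version and is refused outright by the hardened one.
vulnerable_ping '127.0.0.1; id'          # prints "pinging 127.0.0.1" then runs id
safe_ping '127.0.0.1; id' || true        # rejected, exit status 1, nothing executed
safe_ping '127.0.0.1'                    # pinging 127.0.0.1
```

The allowlist is the important half: escaping (escapeshellarg() in PHP) stops the shell from splitting the value, but it still lets an attacker feed arbitrary arguments to the program, so validate the shape of the input and avoid the shell entirely where the language allows it.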

Commands to try

Linux

To learn more about the commands below use man <command>

·         whoami – prints the username the command runs as (the web server account, not the user you logged in as)

·         id – prints the user and group names and IDs (UID and GIDs), including supplementary groups

·         ifconfig / ip addr – lists the network interfaces and their IP addresses (ifconfig is often not installed on recent Ubuntu; ip addr is the replacement)

·         uname -a – prints the kernel name, release, version, hostname and architecture

·         ps -ef – snapshot of all running processes; -e selects every process, -f gives the full-format listing (user, PID, parent PID, command line)

Windows

To learn more about the commands below use <command> /?

·         whoami – prints the account the command runs as

·         ver – prints the Windows version running on the server

·         ipconfig – lists the network adapters and their IP addresses

·         tasklist – lists the processes running on the server

·         netstat -an – lists all connections and listening ports, with addresses and ports in numeric form

Questions:

1. What strange text file is in the website root directory?

Answer: drpepper.txt

2. How many non-root/non-service/non-daemon users are there?

Answer: 0

3. What user is this app running as?

Answer: www-data

4. What is the user's shell set as?

Answer: /usr/sbin/nologin

5. What version of Ubuntu is running?

Answer: 18.04.4 LTS

6. Print out the MOTD. What favorite beverage is shown?

Answer: DR PEPPER
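How answers 2 to 5 are pulled off the box, as an added example that is not part of the room or of this post. Once you have a shell through the injection, the questions reduce to parsing /etc/passwd and /etc/os-release. The helpers below are POSIX sh plus awk/sed and read the file on stdin; the sample passwd and os-release content is constructed for the demonstration (it includes one interactive user so the filter has something to match, whereas the lab box had none).

```shell
#!/bin/sh
# Added example (not TryHackMe's). Helpers for the enumeration behind the
# answers above; feed them the real files on the target, e.g.
#   count_login_users < /etc/passwd

# Count interactive accounts: UID >= 1000 (non-system on Debian/Ubuntu),
# below the 'nobody' UID, and with a real login shell. Root (UID 0) and
# service accounts that end in nologin or false are excluded.
count_login_users() {
    awk -F: '$3 >= 1000 && $3 < 65534 && $7 !~ /(nologin|false)$/ { n++ }
             END { print n + 0 }'
}

# Login shell configured for one account (field 7 of passwd). $1 = account.
user_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }'
}

# Distribution version from the VERSION= line of /etc/os-release, unquoted.
os_version() {
    sed -n 's/^VERSION="\(.*\)"$/\1/p'
}

# Constructed sample data for the demo (not captured from the lab machine).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup-svc:x:1001:1001::/var/backups:/usr/sbin/nologin'

SAMPLE_OSRELEASE='NAME="Ubuntu"
VERSION="18.04.4 LTS (Bionic Beaver)"
ID=ubuntu'

printf '%s\n' "$SAMPLE_PASSWD"    | count_login_users      # 1 (alice only)
printf '%s\n' "$SAMPLE_PASSWD"    | user_shell www-data    # /usr/sbin/nologin
printf '%s\n' "$SAMPLE_OSRELEASE" | os_version             # 18.04.4 LTS (Bionic Beaver)
```

For question 6, cat /etc/motd shows the static banner; on Ubuntu the text you see at login is assembled from the scripts in /etc/update-motd.d, so check both locations if the static file is empty.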

In App:



In Terminal:



That's all, folks, for now.






