
Command Injection

wheelOfFortune-chacho

Scenario 1: Command Injection

Objective: Identify and exploit a command injection vulnerability in a web application that allows user input to be executed as system commands.

1. Identify Input Fields

Look for forms or input fields where user data might be passed to the system. Common examples include search fields, login forms, or any other input that interacts with the backend.

2. Test Basic Injection

Input a command that could reveal if the system is processing your input. For example, try inputting ; id or && id in the input field. Submit the form and observe the response. If user identity information is shown in the response, you have identified a command injection vulnerability.

3. Refine the Payload

Use more complex payloads to explore the system. For example, try ; whoami, && cat /etc/passwd, or other commands that can give you more information about the system. Be sure to URL-encode the payloads if the input is transmitted via URL parameters.

4. Escalate Privileges

If you have a low-privileged account, try to find ways to escalate privileges. This can involve looking for misconfigurations or exploiting known vulnerabilities.

Example:

Vulnerable Scenario: A web application has a form to search for files. The input is directly passed to a find command on the server.

  • Input: file.txt; ls
  • Result: The server returns a list of files in the current directory, indicating a successful command injection.

Scenario 2: Blind Command Injection

Objective: Identify and exploit a command injection vulnerability where the output of the command is not returned to the user.

1. Identify Input Fields

Similar to regular command injection, look for any input fields that might be processed by the server.

2. Test for Blind Injection

Input a command that produces a side effect, such as a delay. For example, try ; sleep 10 or && sleep 10. Submit the form and observe the response time. A significant delay indicates a successful injection.

3. Use Out-of-Band Channels

Use commands that interact with external systems to confirm the vulnerability. For example, use ; ping -c 10 yourserver.com to generate traffic towards a server you control, then check that server's logs (or packet capture) to confirm the command executed.

4. Automate the Exploitation

Use tools like sqlmap with the --os-shell option or custom scripts to automate the exploitation of the blind command injection vulnerability. Note that sqlmap's --os-shell obtains its shell through an SQL injection point, so it applies only when the injectable parameter reaches a database query. Use tools like Burp Suite to help identify and exploit the injection point more efficiently.

Example:

Vulnerable Scenario: A web application has a feedback form where user input is passed to a system command.

  • Input: feedback message; sleep 10
  • Result: The form submission takes significantly longer than usual, indicating a blind command injection vulnerability.
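The file-search scenario of Scenario 1 and the timing payload of Scenario 2, as an added example that is not part of the original page: the vulnerable pattern (user input spliced into a shell string) beside a hardened form (allow-list plus argv list, no shell), and a small check that flags the metacharacter and sleep/ping probes described above in form values. The allow-list policy, the function names and the sample inputs are assumptions; it expects a POSIX system with find and /bin/sh.

```python
import os
import re
import subprocess
import tempfile


def search_files_vulnerable(root, name):
    """Vulnerable: the name is spliced into a shell string, so a value such as
    'file.txt; ls' makes /bin/sh run a second command (the Scenario 1 flaw)."""
    cmd = f"find {root} -name {name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allow-list for file-name patterns; the exact policy is an assumption.
SAFE_NAME = re.compile(r"[A-Za-z0-9._*-]+")


def search_files_safe(root, name):
    """Hardened: reject anything outside the allow-list, then pass an argv
    list so no shell ever parses the user-controlled value."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("rejected file name: %r" % name)
    proc = subprocess.run(["find", root, "-name", name],
                          capture_output=True, text=True)
    return proc.stdout


# Detection side: shell metacharacters and the timing / out-of-band probes
# the page lists, usable as a log or WAF rule on submitted form parameters.
INJECTION_PROBE = re.compile(r"[;&|`$(){}]|\b(sleep|ping)\s+\S")


def looks_like_injection(value):
    return INJECTION_PROBE.search(value) is not None


def demo():
    """Returns (safe lookup worked, vulnerable variant ran the injected
    command, safe variant rejected the same payload)."""
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "file.txt"), "w").close()  # constructed fixture
        hit = search_files_safe(root, "file.txt")
        injected = search_files_vulnerable(root, "file.txt; echo INJECTED")
        try:
            search_files_safe(root, "file.txt; echo INJECTED")
            rejected = False
        except ValueError:
            rejected = True
    return hit.strip().endswith("file.txt"), "INJECTED" in injected, rejected


if __name__ == "__main__":
    print(demo())  # → (True, True, True)
```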

Conclusion

Testing for command injection vulnerabilities involves:

  1. Identifying potential input fields.
  2. Testing with basic payloads and observing responses.
  3. Refining payloads for more information or side effects.
  4. Using out-of-band channels for blind injections.

Regular command injection is straightforward to detect due to immediate feedback, while blind injection requires creative methods to observe side effects or external interactions. Always ensure you have permission to test the target system to avoid legal issues.