Command Injection

If server-side code makes command calls to do things like User-Agent lookups, block IPs, grab files, or run any other command triggered by user activity, then those commands should be checked for the possibility of injection attacks.

Command-injection RCE is often found in PHP, Python, and Ruby, as these server-side languages tend to be used in a more casual manner and pull in more external tooling.

Example:

<?php
    // Deliberately vulnerable: the raw GET parameter is interpolated into a shell command.
    if (isset($_GET['domain'])) {
        echo '<pre>';
        $domain = $_GET['domain'];
        // shell_exec() returns the complete output; system() would print it itself
        // and return only the last line, so the echo below would duplicate it.
        $lookup = shell_exec("nslookup {$domain}");
        echo $lookup;
        echo '</pre>';
    }
?>

The developer should escape the GET parameter before passing it to the command to prevent this. Most languages have built-in libraries with these escaping functions.

In the vulnerable PHP example above, the server script takes the domain name from the GET request and runs an nslookup against it. This is an arbitrary example, but the concept stands: we can modify values that we think might end up in a system command and append our own commands to the end. In the case of Bash this might be along the lines of domain.com && touch /var/www/test.txt; where we append some sort of callback or flag that we can watch for to see if it worked. In this case we create a test.txt file in the web root, which verifies the RCE before trying further attacks (not very stealthy).
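A hardened counterpart of the lookup handler, added here as an example and not code from the original page: it rejects anything that is not a plausible hostname and then still wraps the value with PHP's escapeshellarg() before it reaches the shell. The helper names is_valid_hostname and safe_lookup are assumptions; escapeshellarg(), shell_exec() and htmlspecialchars() are standard PHP.

```php
<?php
// Added example (not from the original page): hardened nslookup handler.
// Helper names are our own; the PHP functions used are standard.

function is_valid_hostname(string $host): bool
{
    // Allow-list: dot-separated labels of letters, digits and hyphens, no
    // leading/trailing hyphen, at most 253 chars. Spaces, ';', '&&', '|',
    // '$' and backticks never match, so shell metacharacters are refused.
    if (strlen($host) > 253) {
        return false;
    }
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return (bool) preg_match("/^{$label}(\\.{$label})*$/", $host);
}

// Returns the lookup output, or null when the input was rejected.
function safe_lookup($raw): ?string
{
    // $_GET values can be arrays (?domain[]=x); accept only strings.
    if (!is_string($raw) || !is_valid_hostname($raw)) {
        return null;
    }
    // Defence in depth: even the validated value is passed as one quoted
    // argument, so it can never be parsed as a second command.
    $out = shell_exec('nslookup ' . escapeshellarg($raw));
    return ($out === null || $out === false) ? '' : $out;
}

if (isset($_GET['domain'])) {
    $result = safe_lookup($_GET['domain']);
    echo '<pre>';
    if ($result === null) {
        echo 'invalid hostname';
    } else {
        // Encode the tool output so it is not reflected as HTML.
        echo htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
    }
    echo '</pre>';
}
?>
```

With this in place the test string from the paragraph above is rejected by the allow-list before any command runs, and even a value that slipped past validation would reach nslookup as a single quoted argument rather than as an appended command.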
