Command Injection
What is a command injection?
A command injection is a vulnerability that can be found in any application that has access to the underlying system. In a web application, a command injection occurs when the server uses a user's input to execute a command on the system without sanitization. The system runs this command in a shell and returns the result to the server, which sends it back to the user.
Impact
Because it gives access to the server's operating system, a command injection can have very serious consequences:
- Exfiltration of files: A hacker can send files back to their browser, which can allow them to see the site's source code and find other vulnerabilities, or display the database.
- Modification of files: In addition to exfiltration, the hacker can edit and delete files.
- System overload: By launching specific commands, it is easy to crash a system.
- Installing a backdoor: The hacker can create files on the server and insert code that lets them reconnect whenever they want and enter commands much more easily.
Demonstration
1. Basic use of a PHP ping form
In order to show how to exploit a command injection, I will use a form on a web page to enter a domain name and retrieve information such as the date of creation, the e-mail address and the phone number of the owner, etc.
2. Vulnerability detection
3. Exploitation of the injection
- whoami: It shows which user executed the command.
- pwd: It returns the directory in which the user is currently located.
- ls -la [folder]: It lists the files in a folder. The option -la adds hidden files to the result and displays their properties (owner, execution rights, date of creation, etc.).
OWASP’s recommendations
To prevent command injections, OWASP gives the following advice:
- Avoid using system commands: There is often a built-in function that does the same job as the system command, and it is more secure to use it.
- Escape malicious patterns: Use functions such as PHP's escapeshellarg(), which sanitizes the user's input.
- Use a whitelist of allowed values: This restricts the user's input and, if it is well configured, prevents all command injections.
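The whitelist and escaping advice applied to the PHP domain-lookup form from the demonstration, as an added example that is not code from the article or from R&S; the function names and the hostname pattern are assumptions.

```php
<?php
// Added example (not from the original article): a hardened handler for the
// domain-lookup form discussed above. is_allowed_domain() and run_whois()
// are assumed names, not from the page.

// Whitelist (OWASP advice 3): accept only a hostname made of labels of
// letters, digits and hyphens separated by dots. Anything else is refused
// before it reaches a shell, so operators such as ; | & ` $( ) never become
// part of the command line.
function is_allowed_domain(string $input): bool
{
    if (strlen($input) > 253) {
        return false;
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return preg_match('/^(?:' . $label . '\.)+[a-z]{2,63}$/i', $input) === 1;
}

// Defense in depth (OWASP advice 2): even a value that passed the whitelist
// is wrapped with escapeshellarg(), so the shell receives it as one literal
// argument rather than as text it may interpret.
function run_whois(string $domain): string
{
    if (!is_allowed_domain($domain)) {
        throw new InvalidArgumentException('domain rejected by whitelist');
    }
    $output = shell_exec('whois ' . escapeshellarg($domain));
    return $output === null ? '' : $output;
}

// Constructed sample inputs: a plain domain followed by inputs carrying the
// kind of shell operators the article's detection rule looks for.
$samples = [
    'example.com',
    'example.com; whoami',
    'example.com | ls -la',
    '$(pwd).com',
];
foreach ($samples as $s) {
    printf("%-24s %s\n", $s, is_allowed_domain($s) ? 'accepted' : 'rejected');
}
```

Only the first sample passes the whitelist; the others are rejected without any shell being involved.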
R&S®Cloud Protector versus command injection
To counter command injections, R&S®Cloud Protector offers several solutions:
- Detection of escaping characters and commands:
R&S®Cloud Protector inspects the submitted input and blocks requests that contain the operators used to append arbitrary commands, as seen in the practical case. At the same time, R&S®Cloud Protector also checks whether any word in the query is an executable (Windows or Linux) and blocks it if necessary.