Command Injection

What is a command injection?

A command injection is a vulnerability that can be on found on any application that has access to the system. In a web application, a command injection occurs when the server uses an user’s input to execute a command on the system without sanitization. The system will use this command in a shell and send the result to the server, which sends it back to the user.

Executing a command on the Shell of a server with user input can seem to be weird. The main advantage is the ability to use a command available on the operating system which does not have any equivalent on the server’s language. Shell commands are also very flexible and have a lot of options.

There is a lot of time which can be saved by using Shell commands rather than recoding it.

Impact

Having access to the server’s operating system, the command injection can have very serious consequences.

Exfiltration of files: A hacker can send files back to their browser, which can allow them to see the site’s source code and find other vulnerabilities, or display database.
Modification of files: In addition to exfiltration, the hacker can edit and delete files.
System overload: By launching specific commands, it is easy to crash a system.
Installing a backdoor: The hacker can create files in the server and insert a code to reconnect when they want to enter commands much more easily.

There are a lot of possibilities of exploitation, a shell can execute a large number of commands. The dangerousness is directly related to the configuration of the server. If it is possible to perform a privilege escalation to the admin user, the hacker will have the capacity to do everything they want.

Demonstration

1. A php ping form’s basic use

In order to show how to exploit a command injection, I will use a form on a web page to enter a domain name and retrieve information such as the date of creation, the mail and the phone number of the owner, etc.

Loris is the hacker in this example.

He first writes “google.com” in the form’s input.

When he clicks on the button, the server will have access to the input and will execute it on its system.

When the execution is finished, the server will send the output to the user.

Here you can see what is displayed:

When Loris sees that, he understands that the “whois” command was used.

2. Vunerability detection

To understand how to test a command injection, you need to know the structure of a command. Let us take the example of Linux because it’s a very common operating system for servers.

By following this pattern, we can deduce the command that the server processed:

Loris will then add a character at the end of the command to be able to add his own.

The most sensible choices here are the “;” and the “|” because they are not subject to a condition.

All that remains is to add a command to test. He will use “echo”, which returns the argument that has been passed to him.

Loris enters his payload in the form of the site and finds “test” written at the bottom of the page.

3. Exploitation of the injection

Now that the vulnerability has been confirmed, Loris will be able to exploit it.

In this example, without any protection of the user input, it is possible to perform many actions. It all depends on what is wanted by the hacker.

Here we present some commands that could be used by Loris to understand the environment.

whoami: It lets you know the user who executed this command.
pwd: It returns the folder in which the user is located.
ls -la [folder]: It shows the different files in a folder. the option -la allows you to add hidden files to the result and display properties (owner, execution right, date of creation, etc.).

Loris chooses to use “wget” command, which is used for downloading a file from an URL. It will allow him to install a backdoor script. He will also get the execution rights and then run it.

The backdoor is running. Loris just has to connect to the backdoor on the server.

Loris has an access to a shell on the server, which allows him to be faster in the exploitation.

If a MongoDB is running and misconfigured, he just needs to enter the following command to display the databases.

From here, Loris can extract all the data like the different usernames and passwords. He can also remove them.

OWASP’s recommendations

To prevent command injections, The OWASP gives following advices:

Avoid using system command: There is a function, which often works as a system command, and it’s more secure to use this.
Escaping malicious pattern: With functions like escapeshellarg() with PHP which sanitizes user’s input.
Use a whitelist for allowed values: This will restrict user’s input and avoid all command injections if it is well configured.

R&S®Cloud Protector versus command injection

To counter the injections of commands, R&S®Cloud Protector offers several solutions:

Detection of escaping characters and commands:

R&S®Cloud Protector will browse the input commands and block those that contain the different operators to add arbitrary commands, as seen in the practical case. At the same time, R&S®Cloud Protector will also check if one of the query’s words is executable (Windows – Linux) and block it if necessary.

In this example, the “;” character and the command “ls-la” will be detected. Therefore, the query will be blocked and redirected.