{% extends 'introduction/base.html' %} {% block content %} {% block title %} Command Injection {% endblock %}

Command Injection

What is Command Injection

Command injection is an attack whose goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers etc.) to a system shell. The attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application, so whatever the application can reach on the host, the attacker can reach too. Command injection attacks are possible largely due to insufficient input validation: the application trusts that the input is just data, while the shell treats parts of it as command syntax.

This lab helps us to understand how command injection is exploitable in scenarios where user input is passed to functions such as exec, eval, os.system etc.
On accessing the lab, the user is given a feature to perform a name server lookup on a given domain. A domain name has to be provided, after which the server runs nslookup on it and returns the result to the client. Depending on the OS the lab is running on, the user can select Windows or Linux.

Exploiting the Bug

  1. Method 1
    • The user can cause the server to execute additional commands because of the lack of input validation.
    • The user can give a domain of the form domain && [any cmd]
    • In this case let's give google.com && dir and choose Windows.
    • This should give you the output of both the nslookup and the dir command.
  2. Method 2
    • The user can give a domain of the form domain; [any cmd]
    • In this case let's give google.com; dir and choose Windows.
    • This should give you the output of both the nslookup and the dir command.

Understanding the cause

Let's first see how the name server lookup is performed:
command="nslookup {}".format(domain)
Here domain is the user-supplied input. The command string is then handed to a function that runs it through the system shell, and the output is displayed. If the user inputs google.com, the command variable holds nslookup google.com. Nothing in between checks that the input is actually a hostname, so anything the shell treats as command syntax is interpreted as such.

How CMD injection works
Method 1: When the user enters google.com && dir, the command variable holds nslookup google.com && dir. The && is the shell's conditional AND: the second command runs only if the first one exits successfully.
The system will execute nslookup google.com first and then dir.
Method 2: When the user enters google.com ; dir, the command variable holds nslookup google.com ; dir. In POSIX shells (sh/bash) the ; terminates the command before it, here the nslookup command, and the next command runs regardless of whether the first succeeded. Note that in Windows cmd.exe the ; character is not a command separator; the unconditional separator there is a single &, so google.com & dir is the cmd.exe equivalent of this method.
The system will execute nslookup google.com first and then dir.
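The following is an added example, not code from the lab itself. It shows the lab's vulnerable string-building pattern beside the two fixes a practitioner would apply: validate that the input is a hostname (so shell metacharacters are rejected before any command is built), and pass the command as an argv list so no shell ever parses the input. The function names and the hostname regex are this example's own; to keep the example runnable offline, the child process used to demonstrate argv handling is the Python interpreter standing in for nslookup.

```python
import re
import subprocess
import sys

# The lab's vulnerable pattern: the user's domain is interpolated into a
# string that is later handed to a shell, so shell metacharacters are honoured.
def build_shell_command(domain: str) -> str:
    return "nslookup {}".format(domain)

# Allow-list check for a hostname: RFC 1123 labels of letters, digits and
# hyphens, separated by dots, no leading/trailing hyphen, 253 chars total.
# Anything else (;, &, |, $, backticks, spaces, newlines ...) fails the match.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)

def is_valid_hostname(value: str) -> bool:
    return bool(HOSTNAME_RE.match(value))

def build_safe_argv(domain: str) -> list:
    """Validate first, then build an argv list. With a list there is no shell
    to interpret && or ; so the whole input reaches nslookup as one argument."""
    if not is_valid_hostname(domain):
        raise ValueError("invalid hostname: %r" % domain)
    return ["nslookup", domain]

def argv_passes_payload_intact(payload: str) -> bool:
    """Demonstrate that list-form subprocess hands the payload to the child
    as a single argument. The Python interpreter stands in for nslookup here
    (assumption for an offline demo); sys.argv[1] is the first user argument."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", payload],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout == payload

if __name__ == "__main__":
    attack = "google.com && dir"
    print("shell string the lab would run:", build_shell_command(attack))
    print("hostname check on the payload  :", is_valid_hostname(attack))
    print("argv keeps payload as one arg  :", argv_passes_payload_intact(attack))
```

The two defences are independent: the allow-list check stops the attack at the validation layer, and the argv list removes the shell from the picture entirely, so even a validation bypass cannot reach command syntax. Use both; rely on neither alone.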


This is another lab to understand code execution. Python has functions such as eval() and exec() which, when fed user-controlled strings, can be used to achieve code execution.

In this lab we will be learning about the eval() function in python3. eval() parses and evaluates the given string as a Python expression and returns its value. It does not accept statements (assignments, imports, loops); those are what exec() runs. An expression, however, can still contain function calls, so a user who controls the string can call anything reachable from the namespace eval() runs in, including os.system().

Challenge Description:
In this challenge, we are given an input box, where we can calculate any arithmetic expression such as 1 + 1 or 5 * 5 etc. Your task is to exploit this input form and achieve command execution on the system.

Challenge Solution:
We know that this application is using the eval() function in the backend to calculate the output. Instead of submitting arithmetic expressions, we can also submit arbitrary python3 expressions, which will be evaluated by the eval() function with the same privileges as the application.

First, if we submit the expression 1 + 1, we get the output as 2. Similarly, on submitting the expression 7 * 7, we get the output as 49.

Now, if we submit os.system("id"), we get nothing useful in the output, because os.system() returns only the exit status of the command. But if we check the terminal, we will see that the command gets executed and the result is printed on the terminal screen, since the child's stdout is the server's stdout. You can also verify this blind by submitting os.system("sleep 30"): the request completes only after 30 seconds, which is the same time-based check used when command output is not reflected at all. This works because the application has os available in the namespace eval() runs in; if it did not, __import__("os").system("id") would reach the same function from a plain expression.
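The following is an added example, not code from the lab. It contrasts the calculator's eval() backend with a replacement that parses the input with the ast module and walks only a whitelist of node types (numeric constants, binary and unary arithmetic). os.system("id") arrives as an ast.Call node and is refused before anything runs, while 1 + 1 and 7 * 7 still evaluate as the challenge expects. The function names, the operator whitelist and the exponent cap are this example's own choices.

```python
import ast
import operator

# The lab's vulnerable backend: whatever the user typed is evaluated as code.
def vulnerable_calculate(expression: str):
    return eval(expression)

# Arithmetic the calculator is allowed to perform; nothing else is reachable.
_BINARY = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow,
}
_UNARY = {ast.UAdd: operator.pos, ast.USub: operator.neg}
_MAX_EXPONENT = 100  # cap chosen for this example: 2 ** 10**9 is a DoS, not a calculation

def _eval_node(node):
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    # Only int/float literals. bool is an int subclass, so exclude it explicitly.
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY:
        left = _eval_node(node.left)
        right = _eval_node(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > _MAX_EXPONENT:
            raise ValueError("exponent too large")
        return _BINARY[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
        return _UNARY[type(node.op)](_eval_node(node.operand))
    # ast.Name, ast.Attribute, ast.Call, ast.Subscript ... all land here, so
    # os.system("id"), __import__('os') and (1).__class__ are all rejected.
    raise ValueError("disallowed expression element: %s" % type(node).__name__)

def safe_calculate(expression: str):
    """Parse as a single expression (mode='eval'), then evaluate the whitelist."""
    tree = ast.parse(expression, mode="eval")  # SyntaxError for non-expressions
    return _eval_node(tree)

def is_accepted(expression: str) -> bool:
    """True if the hardened calculator would evaluate the input at all."""
    try:
        safe_calculate(expression)
        return True
    except (ValueError, SyntaxError, ZeroDivisionError):
        return False

if __name__ == "__main__":
    for expr in ["1 + 1", "7 * 7", "-(2 + 3) * 4", 'os.system("id")',
                 "__import__('os').system('id')", "2 ** 100000"]:
        print("%-32s -> %s" % (expr, safe_calculate(expr) if is_accepted(expr) else "rejected"))
```

Restricting eval() by passing an empty globals dict or deleting __builtins__ is not an equivalent fix: attribute chains such as ().__class__.__base__.__subclasses__() still reach object internals from a bare expression. Not calling eval() on user input at all, as above, is the mitigation.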



Mitigation

{% endblock %}