Analytics Vidhya
Published in

Analytics Vidhya

Part2: Securing web apps — command execution + firewall

This article helps in building a understanding of how to create firewall rules for webapp, how command execution works, and secure programming.

In Previous article, we deactivated firewall and SELinux policies in our system. That is obviously a bad practice.

Stopped firewall service
stopped selinux

So now we will bring firewall back into action.

$ sudo systemctl start firewalld
started firewalld

First, let’s try understanding firewalld here. (https://firewalld.org/documentation/man-pages/firewalld.html)

Now we have a idea of how this firewall works … Time to make a rule to allow http services through it.

This can be done easily by firewall-cmd ( https://firewalld.org/documentation/man-pages/firewall-cmd.html )

$ sudo firewall-cmd --add-service=http --permanent

Running the above command will give you a success.
Now firewalld will allow any packet to go through which belongs to http service and is authenticated.

after activating firewall (selinux still in permissive mode)

We’ll not activate the SELinux policies for this course to keep things easy and simple. To make a good understanding of what SELinux is and how it works read this and this.

In this article, I’ll be focusing on command execution vulnerability.
Command injection is basically injection of operating system commands to be executed through a web-app.

Now let’s check if our app is vulnerable to command execution or not by passing this input to it.

8.8.8.8;echo “bang bang”;
“bang bang” echoed in last line

Yoohooo… looking at the output above we are sure that echo “bang bang” had executed succesfully.

let’s try some more commands now.

6.6.6.6;id
id execution highlighted

Now let’s try to create a file in remote server.

8.8.8.8;echo “batman_was_here” >knock_knock.txt

It seems like we don’t have enough permissions to create a file here.
But wait … aren’t there dedicated folders in every OS for temporarily created files and folders? Oh yes! there it is.

In Linux/Unix platforms, /tmp directory has full permissions. Basically, it’ll allow me to read, write, and execute anything from that directory.

drwxrwxrwt. 19 root root 4096 Mar 27 09:40 tmp

So let’s give it a try.

8.8.8.8;echo “batman_was_here” >/tmp/knock_knock.txt

This didn’t gave any error. That means it executed succesfully.
Let’s try to read the file here.

8.8.8.8;cat /tmp/knock_knock.txt

This is very bad as a hacker can create, read and execute files from our server.

Enough of having fun with the weak. Let’s try to stop it.
For that we’ll need to modify our code to check for potentially malicious characters like below in our input.

;
&
|
`

Now our LOGIC CODE section looks like this.

## LOGIC CODE
import subprocess as sb
import cgi
data = cgi.FieldStorage() # read the field Storage or mini field storage for the cgi scriptif data.getvalue(“target_ip”):
data_target_ip = data.getvalue(“target_ip”)
else:
data_target_ip = “8.8.8.8” # default set to google DNS
#SANITIZE INPUTdata_target_ip = data_target_ip.replace(“;”,””).replace(“&”,””)
data_target_ip = data_target_ip.replace(“|”,””).replace(“`”,””)
cmd_status = sb.getoutput(“sudo ping -c 3 “+data_target_ip)
cmd_status = cmd_status.replace(“\n”,”<br>”)

Let’s try if our app is still processing the malicious input.

8.8.8.8;echo “bang bang”;

Now our app is secure from such malicious inputs.. But complete security is still a myth.
There are some strings which can still be malicious. (Those are not in the scope of this article)
But there is still something you should be curious about. It will help you in understanding those advanced malicious strings better.

Look at the above image carefully.. I’ve provided a complete integer to ping command and it got converted to an valid IP. These type of notations are called integer notations for IP.

But there is something more to this…

Carefully look at these above IP patterns and I am sure you’ll get some new insights.

If you want to read more about command execution, Go here(https://owasp.org/www-community/attacks/Command_Injection).

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store