Blind Command Injection - It hurts

Summary :

Command Injection is a type of attack that executes arbitrary commands on the host operating system. Command injection happens when an application passes an unsafe user supplied data to a system shell. Command injection is possible due to insufficient input validation.

Generally it is tough to find command injection but luckily I found one few months ago. I noticed something weird with the GET parameter /?search= when I was testing for command injection. I tested so many payloads but nothing worked.

When I checked the response in burp suite it said “this object will store some %symbols% in the javascript space, so that libs can read them” so I thought it might be a blind command injection so I used tcpdump to find it out. Tcpdump comes pre-installed in kali linux.

How to find this vulnerability ?

  1. Go to your target website and check for some common parameters (in my case it was /?search=)

2. I tried injecting a payload by simply using a pipe operator but I didn’t get any response, it was a normal 200 OK

3. I used so many payloads for testing but only one worked which was a bypass using null byte character

4. I started tcpdump on kali because I knew that it was a blind command injection

You can use payloads from here : https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection

My custom payload that worked : http://www.mytarget.com/?search=%00{.exec|ping <MyIP>

You can also use wireshark instead of tcpdump for checking blind command injection

Though I found this command injection after a lot of efforts it was a duplicate of another report on a private program :( .

Some Common Parameters For Testing Command Injection :

/?query=
/?email=
/?id=
/?username=
/?user=
/?to=
/?from=
/?search=
/?query=
/?q=
/?s=
/?shopId=
/?blogId=
/?phone=
/?mode=
/?next=
/?firstname=
/?lastname=
/?locale=
/?cmd=
/?sys=
/?system=

There is a good tool on github for detecting command injection vulnerabilities automatically.

Link : https://github.com/commixproject/commix

Commix is an automated tool written by Anastasios Stasinopoulos that can be used from web developers, penetration testers or even security researchers in order to test web-based applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.

Mitigation : To prevent Command Injections, never call out to OS commands from application-layer code.

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|