Pular para o conteúdo principal

OS Command Injection Vulnerability

Command Injection attack is also known as Arbitrary Code Execution. In Command Injection an attacker generally injects a malicious user input to the system functions which executes system shell commands based on the attacker’s input.
The Command Injection vulnerability occurs when the web applications supplies vulnerable (unsafe) input fields to the malicious users to input harmful (malicious) data such as forms, cookies or HTTP header data.
This attack differs from Code Injection as code injection allows the attacker to add his own code that is then executed by the application. In Code Injection, the attacker extends the default functionality of the application without the necessity of executing system commands.

Crafting the attack parameters

This attack is similar to SQL Injection where user could craft the attack by passing defined commands into the user input fields. Shell commands are generally delimited with a semi-colon, that could make easy to chain multiple commands for attack.
Symbol Hash (#) is anything that can be used after a specific word or term to make that phrase as a comment (not readable by the compiler).

Example of Vulnerable Code

<?php echo "Enter the file to be deleted."
$file = $_GET[' filename '];
system(" $file "); ?>

Request:

http://example.com/deletefile.php?filename=file.txt;ls

Response

Enter the file to be deleted.
Hello.txt
Word.txt
Serverone.exe
System.exe
asd.awk
File.l
In the above example we discovered that if the web application is vulnerable to Command Injection, the application will show all the present files in the server after putting semi-colon that ends one command and gives ls command.

Functions leading to Command Injection

After getting in this, we have the following commands that leads to Command Injection attacks:
  • exec()
  • passthru()
  • system()
  • shell_exec()
  • Backtict Operators
Beside all this, /e flag in preg_replace() function also allows for Commands Injection vulnerability. This is the least expected place for Command Injection vulnerability to be detected.
dd

Mitigations

To eliminate the Command Injection vulnerability in any PHP web application, use proper input validation fields that is very necessary, with this the input fields should be sanitized against vulnerable code attempts.
PHP provides two possible commands that can make any web application secure. These commands could be used to sanitize input before passing it to any shell command.
  • Escapeshellarg()
This is used to escape any internal quotes by adding the quotes around the input.
  • Escapeshellcmd()
This is used to interrupt or override execution by escaping all the special characters.

Comentários

Postar um comentário

Postagens mais visitadas deste blog

WiFiPhisher - Ataques Automatizados de Phishing Contra Redes Wi-Fi

Um pesquisador de segurança grego, chamado George Chatzisofroniou, desenvolveu uma ferramenta de engenharia social WiFi que é projetado para roubar credenciais de usuários de redes Wi-Fi segura. A ferramenta, batizada WiFiPhisher, foi lançado no site do desenvolvimento de software GitHub no domingo e está disponível gratuitamente para os usuários.   "É um ataque de engenharia social que não usa força bruta, em contraste com outros métodos. É uma maneira fácil de obter senhas WPA", disse George Chatzisofroniou. No entanto, existem várias ferramentas de hacker disponíveis na Internet que pode cortar de uma rede Wi-Fi segura, mas esta ferramenta automatiza múltipla Wi-Fi técnicas que o tornam um pouco diferente dos outros hackers. Ferramenta WiFiPhisher usa ataque "gêmeo do mal " cenário. O mesmo que o gêmeo do mal, a ferramenta cria primeiro um ponto de acesso sem fio falso (AP) mascarar-se como o legítimo Wi-Fi AP. Em seguida, ele dirige uma negação de...
3 comentários
Leia mais

MKBRUTUS – Brute Force para MikroTik e dispositivos com RouterOS

O MKBRUTUS é uma ferramenta desenvolvida em Python 3 que realiza ataques de força bruta em sistemas (baseados em dicionário) contra RouterOS (ver. 3.x ou superior), que têm a porta 8728/TCP aberto. O MKBRUTUS é uma ferramenta desenvolvida em Python 3 que realiza ataques de força bruta em sistemas (baseados em dicionário) contra RouterOS (ver. 3.x ou superior), que têm a porta 8728/TCP aberto. Desenvolvedores: Ramiro Caire  | ramiro.caire@gmail.com | Twitter: @rcaire Federico Massa | fgmassa@vanguardsec.com | Twitter: @fgmassa Projeto:   github.com/mkbrutusproject/mkbrutus 01 Passo Verifique a versão atual do python em seguida realiza a instalação da versão 3 root@kali:~# python –version (Exibe a versão do Python) root@kali:~# apt-get install python3 (Realiza a instalação do Python 3) 02 Passo Execute o comando de verificação da versão do Python novamente e observe que a versão não mudou mas a instalação da ver...
Postar um comentário
Leia mais

UFONet Open Redirect DDoS Attack

UFONet – is a tool designed to launch DDoS attacks against a target, using ‘Open Redirect’ vectors on third party web applications, like botnet. See this links for more info: https://www.python.org/downloads/ http://pycurl.sourceforge.net/ Installing UFONet UFONet runs on many platforms. It requires Python (2.x.y) and the following library: - python-pycurl - Python bindings to libcurl On Debian-based systems (ex: Ubuntu), run: sudo apt-get install python-pycurl Source libs: Searching for ‘zombies’ UFONet will search on google results for possible ‘Open Redirect’ vulnerable sites. A common query string should be like this: ‘proxy.php?url=’ ‘check.cgi?url=’ ‘checklink?uri=’ ‘validator?uri=’ So for example, you can begin a search with: ./ufonet -s 'proxy.php?url=' At the end of the process, you will be asked if you want to check the list retrieved to see if the urls are vulnerable. Wanna check if they are valid zombies? (Y/n) Also, y...
Postar um comentário
Leia mais