Dynamic web applications may use scripts that call functionality on the web server's command line to process input received from the client, and unsafe handling of that user input can lead to OS command injection. OS command injection, also referred to as shell injection, is an attack in which an attacker tries to execute system-level commands through a vulnerable application in order to retrieve information about the web server or to gain unauthorized access to it.
Impact Analysis
Impact: Critical
Ease of Exploitability: Medium
Risk Rating: High
In this attack the attacker injects unwanted system-level commands so that he can fetch information about the web server, for example ls, whoami, uname -a and so on.
Let's consider a scenario where a web application allows a user to ping an IP address so that the user can confirm that the host is alive. The given screenshot shows the output produced when a host IP is submitted.
Verify parameters to inject data
The following parameters should be tested for command injection flaws, as the application may be using one of them to build a command on the web server:
· GET: in this method input parameters are sent in the URL.
· POST: in this method input parameters are sent in the HTTP body.
· HTTP header: applications frequently use header fields to identify end users and display requested information based on the values in those headers. Some of the important header fields to check for command injection are:
· Cookie
· X-Forwarded-For
· User-Agent
· Referer
METACHARACTER
Using a vulnerability scanner, the attacker learns that the current web application is vulnerable to command injection and tries injecting unwanted system-level commands using metacharacters.
Metacharacters are symbolic operators used to separate the actual command from the injected one. Here the ampersand (&) is used as the separator that divides the authentic input from the command being injected.
This is clearer in the following image, where the attacker injects the payload dir using the metacharacter, which lists the current directory of the web server.
As a result it dumps the output shown in the given image, where the application has accepted the malformed user input.
OS Command Injection Operators
The developer may have set filters to block some metacharacters. This would block the injected data, so other metacharacters need to be tried as well, as shown in the following table:
| Operator | Description |
|---|---|
| `;` | The semicolon is the most common metacharacter used to test an injection flaw. The shell runs all the commands in sequence, separated by the semicolon. |
| `&` | Separates multiple commands on one command line. It runs the first command, then the second command. |
| `&&` | Runs the command following `&&` only if the preceding command succeeded. |
| `\|\|` (Windows) | Runs the command following `\|\|` only if the preceding command fails: the first command runs, then the second runs only if the first did not complete successfully. |
| `\|` (Linux) | Redirects the standard output of the first command to the standard input of the second command (a pipe). |
| `` ` `` | The backtick metacharacter forces the shell to interpret and run the command between the backticks. Example: ``variable="OS version `uname -a`" && echo "$variable"`` |
| `()` | Used to nest commands. |
| `#` | Used as a command-line comment. |
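The operators in the table are also what a defender looks for in request logs. The following is an added example, not code from the original post: it scans a few constructed Apache-style access-log lines, decodes the query string of each request, and reports any parameter whose value contains one of the shell metacharacters listed above (plus `$`, which covers `$(...)` substitution). The log lines and the `/ping?ip=` endpoint are constructed for the example; a second decoding pass is included so that double-encoded payloads are caught as well.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Shell metacharacters from the operator table, plus '$' for $(...) substitution.
# A match means "review this request", not proof of a successful injection.
SHELL_META = re.compile(r"[;&|`$()#]|\r|\n")

# Extracts the request target from an Apache/nginx combined-format log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|PATCH) (\S+) HTTP/')

# Constructed sample log lines (not real traffic). The second and third carry
# the '&' and ';' separators from the table, URL-encoded as a browser would send them.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /ping?ip=192.168.1.10 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /ping?ip=192.168.1.10%26dir HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /ping?ip=127.0.0.1%3Bwhoami HTTP/1.1" 500 90',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "POST /login HTTP/1.1" 302 0',
]


def suspicious_params(url: str) -> dict:
    """Return {parameter: decoded value} for each query parameter holding a shell metacharacter."""
    query = urlsplit(url).query
    hits = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already percent-decodes once; a second pass exposes
        # double-encoded input such as %2526 -> %26 -> &
        decoded = unquote_plus(value)
        if SHELL_META.search(decoded):
            hits[name] = decoded
    return hits


def scan_log(lines) -> list:
    """Return [(request_target, suspicious_params)] for every log line worth reviewing."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we understand; skip it
        target = match.group(1)
        hits = suspicious_params(target)
        if hits:
            findings.append((target, hits))
    return findings


if __name__ == "__main__":
    for target, hits in scan_log(SAMPLE_LOG):
        print(f"review: {target}  metacharacters in {hits}")
```

Only the query string of the request target is inspected here; POST bodies and the header fields named earlier (Cookie, X-Forwarded-For, User-Agent, Referer) are not present in a standard access log and would need to be captured by the application or a WAF before the same check can be applied to them.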
Steps to exploit – OS Command Injection
Step 1: Identify the input field
Step 2: Understand the functionality
Step 3: Try the ping method (time delay)
Step 4: Use the various operators to exploit OS command injection
Types of Command Injection
Error-based injection: when an attacker injects a command through an input parameter and the output of that command is displayed on the web page, it proves that the application is vulnerable to command injection. The displayed result may be an error message or the actual output of the command that was run. The attacker then modifies and adds further commands, depending on the shell of the web server, and gathers information from the application.
Blind injection: the results of the injected commands are not displayed to the attacker and no error messages are returned, similar to blind SQL injection. The attacker has to use another technique, such as the time delay from step 3, to identify whether the command was really executed on the server.
Mitigation – OS Command Injection
· Strong server-side validation
· Implement a whitelist
· OS hardening
· Use built-in APIs for interacting with the OS if needed. More secure!
· Avoid having applications call out directly to OS system commands
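The ping scenario from earlier, shown as an added example (not code from the original post) that puts the mitigation points into practice: the vulnerable pattern concatenates the user's input into a shell command line, while the hardened version applies a strict whitelist (only a literal IP address is accepted), passes the validated value to `ping` as a single argument with no shell involved, and offers a built-in socket check as the "use an API instead of a command" alternative. The function names and the `-c`/`-n` count flag choice are assumptions of this example.

```python
import ipaddress
import socket
import subprocess
import sys


# --- Vulnerable pattern, kept only for contrast ------------------------------
def ping_vulnerable(host: str) -> str:
    """Untrusted text concatenated into a shell command line."""
    # shell=True hands the whole string to /bin/sh (or cmd.exe), so ';', '&', '|'
    # and backticks inside `host` are parsed as command separators, not as data.
    cmd = "ping -c 1 " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# --- Hardened version --------------------------------------------------------
def validate_host(value: str) -> str:
    """Whitelist check: accept only a literal IPv4 or IPv6 address.

    ipaddress.ip_address() raises ValueError for anything else, so hostnames,
    empty strings and any input carrying shell metacharacters are rejected
    before they get anywhere near a command.
    """
    return str(ipaddress.ip_address(value.strip()))


def is_valid_host(value: str) -> bool:
    """Boolean form of validate_host for callers that prefer not to catch."""
    try:
        validate_host(value)
        return True
    except ValueError:
        return False


def build_ping_argv(host: str) -> list:
    """Build the argument vector for ping; no shell string is ever assembled."""
    ip = validate_host(host)
    count_flag = "-n" if sys.platform.startswith("win") else "-c"  # assumed flag per platform
    return ["ping", count_flag, "1", ip]


def ping_safe(host: str) -> str:
    """Run ping with the validated IP as one argv element."""
    argv = build_ping_argv(host)
    # With a list and the default shell=False each element reaches the program as
    # one argument via exec; nothing re-parses it for metacharacters.
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return result.stdout


def reachable_via_socket(host: str, port: int = 80, timeout: float = 2.0) -> bool:
    """Built-in API alternative: a TCP connect test with no external process at all."""
    ip = validate_host(host)
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a legitimate address and the two injected forms seen on this page.
    for candidate in ["192.168.1.10", "192.168.1.10&dir", "127.0.0.1;whoami"]:
        verdict = "accepted" if is_valid_host(candidate) else "rejected"
        print(f"{candidate!r}: {verdict}")
```

The two layers are deliberately independent: even if the whitelist were loosened to allow hostnames, the argv form would still deliver the value to `ping` as data rather than as shell syntax, and even if a future change reintroduced `shell=True`, the whitelist would still reject every operator from the table above.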