KEMBAR78
command-injection-v3.pdf
OY
Uploaded byOkan YILDIZ
185 views

command-injection-v3.pdf

The document discusses OS command injection, a cyber attack allowing unauthorized system command execution via malicious code injection due to inadequate input validation. It explains the potential consequences of such attacks, including data loss and system compromise, alongside various methods to exploit identified vulnerabilities. Additionally, it outlines preventative measures, emphasizing the importance of input validation, avoiding OS commands, and using secure application frameworks to mitigate the risks associated with command injection.

Download to read offline
Command Injection Talha Eroglu, Okan Yildiz Abstract OS Command Injection is a type of cyber attack that involves injecting mali- cious code into a legitimate system command. This allows the attacker to gain unauthorized access to sensitive information or to manipulate system functions. The attack is possible when an application does not properly validate user in- put, allowing the attacker to insert arbitrary commands that are executed by the operating system. OS Command Injection attack can include data loss, system compromise, and loss of trust in the affected organization. In some cases, the attack can even lead to financial losses or legal repercussions. This article discusses Command Injection attacks, what vulnerable appli- cations are and how to exploit the vulnerability, and finally, how to prevent attacks by writing safe codes.
Contents 1 What is Command Injection ? 3 2 Possible consequences of command injection 4 3 How to exploit example vulnerabilities ? 5 3.1 Detecting vulnerability in first form . . . . . . . . . . . . . . . . 6 3.2 Detecting vulnerability in alternative implementation of first form 7 3.3 Detecting vulnerability in second form . . . . . . . . . . . . . . . 8 3.4 Detecting vulnerability in last form . . . . . . . . . . . . . . . . . 9 3.5 Burp Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.6 One step further, Reverse TCP Shell . . . . . . . . . . . . . . . . 15 4 Vulnerable code examples 16 5 How to prevent command injection ? 17 6 Attempt to exploit more secure code 21 7 References 24 2
1. What is Command Injection ? Command injection is a security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on a server that is hosting an application. Shell injection or OS command injection are other names for command injection. Before deeply diving into ’Command Injection’, we can clarify the distinction between Command Injection and ’Code Execution’ (Code injection) Any attack involving the injection of code that an application interprets or executes is called ”code execution.” The misuse of untrusted data inputs is exploited in this kind of attack. The absence of adequate input/output data validation makes it possible. Code execution attacks have the critical limitation of being bound to the application or system they target. For example, if we ran a successful code execution attack in the test environment, the permissions granted to Python on the host machine would limit us. Let’s talk about command injection, which is the subject of our article, Executing commands in a system shell or other areas of the environment is a standard definition of command injection. Without injecting malicious code, the attacker increases a vulnerable application’s default functionality by passing commands to the system shell. Insufficient input validation leads to OS Command Injection attacks; how- ever, they are only possible if the application code includes operating system calls that have user input combined with the invocation. This vulnerability can occur in every computer program and on any platform. Any language that executes a command through the system shell is susceptible to injection, which can be orchestrated on Windows and Unix systems. For instance, you can find command injection vulnerabilities in router-embedded software, online applications and APIs, server-side scripts, mobile apps, and even the core operating system software. A command injection can compromise the infrastructure of that program, its data, the entire system, associated servers, and other devices. 3
2. Possible consequences of command injection • Network traffic from the target system can be redirected to another system under the attacker’s control, allowing them to intercept and see private information. • Security measures like firewalls and intrusion detection/prevention sys- tems (IDS/IPS) can be avoided using command injection. • The target system may be completely compromised if an attacker can run any code on it. • Using command injection, an attacker can change direction and target dif- ferent systems connected to the same network as the vulnerable machine. • Attackers can alter data on the target system, which might result in lost or inaccurate data. • By injecting malicious commands that use up all the resources available, an attacker can cause a Denial of Service (DoS) to the target system. 4
3. How to exploit example vulnerabilities ? As seen in Figure 1, a web application runs on a virtual machine, accessed from the localhost:8000 port. Functionalities in the application were imple- mented using different libraries and methods. These buttons call OS commands on the host server and provides output to the user. First, we will discuss using suitable payloads for vulnerability detection in var- ious implementations. Payloads vary by host operating system, but in this article, we will only cover Linux and unix-like operating systems. However, since the basic concept is the same, you can access different payloads over the internet. Then, after ensuring the vulnerability exists for each sample, we will see how we can practically test payloads using Burp Suite. Finally, we will discuss Pseudo-terminal, Reverse TCP Shells and summarize the exploitation part. Figure 1: Web application developed in Django 5
3.1. Detecting vulnerability in first form When we enter an IP address using the first button for its intended purpose, we encounter an expected output, as in Figure 2. Figure 2: Submitting IP with Ping button Then we write ’; whoami’ to the search query to check if we can run extra OS Commands, suspecting that user-supplied input is not sanitized. In the red framed output section in Figure 3, we see a new field consisting of a ’dev.’ This is because we bypassed the IP field with ’;’ and executed the ’whoami’ instruction in the host machine. Figure 3: IP 6
3.2. Detecting vulnerability in alternative implementation of first form Now we have another implementation of ping functionality in our web appli- cation. When we try to use ’; unixcommand ’ we confront with error message, ’Invalid IP address form’.In Figure 4. We may be dealing with some input sanitizing here. Therefore, we need to Figure 4: Error message when trying to inject commands bypass this control by changing the inputs accepted by the system. So, first, we try the valid input form; after changing the inputs step by step, we see that the commands added to the end of the proper IP addresses are not stuck in this control. We successfully printed out working directory with ’pwd’ command. In Figure 5. Figure 5: Succesfully bypassing input check 7
3.3. Detecting vulnerability in second form Figure 6: Save form First, we can understand the save form and what it does in the background. With two inputs, it gives the output as ”Your alias saved successfully.” Nothing changes if we try to give OS commands to the Username field (Figure 7). Figure 7: Consistent output But when we use the Alias field for the commands, we also get ’test’ in addition to the success message. We tried to read the passwords in the etc/host/ direc- tory, and although we did not have a decent output, the change in the output gave us a clue that something was wrong here. (Figure 8) Figure 8: Changed output Based on the previous tip, a string manipulation might exist. When we try to execute our command between semi-colons, we see that we can inject the command in Figure 9. We can also get working directory and search for other user inputs. Figure 10 8
Figure 9: Successfully injecting ls command Figure 10: Accessing saved user information with cat command 3.4. Detecting vulnerability in last form We can also execute OS commands by manipulating the URL area in the same way as in other examples. Figure 11: Executing OS commands on DNS Lookup form 3.5. Burp Suite We will use the Ping form while showing the Burp Suite usage step by step. • Open web page and ensure under the Proxy tab, Intercept is on • Give an IP address as input in our web page and submit. • Burp Suite will intercept our request, right click on the Intercepted Raw request and Send To Intruder. 9
Figure 12: Intercepted request 10
• Clear unrelated payload positions with buttons on the right such that we will only have our IP field as payload position. Figure 13: Clearing Payload Positions 11
• Go to Payloads, under Payload Options, load your payload and start the attack. Figure 14: Loading payload file 12
Figure 15: Preview of the payload file. 13
• As seen in the Figure 16, it can be determined which command is working, and you can examine the responses. Figure 16: Attack requests and responses 14
3.6. One step further, Reverse TCP Shell Using Commix (Command Injection Exploiter), we can open a pseudo-shell and then configure a reverse TCP shell on the target machine with the raw intercept file we got from Burp Suite. A reverse TCP shell is a type of shell in which the target machine opens a connection back to the attacking machine. This allows the attacker to control the target machine and access its files, execute commands, and more. It is called ”reverse” because it is the opposite of the more common ”forward” shell, in which the attacker connects to the target machine from their own. It provides the attacker with a wide range of capabilities, including the ability to run arbitrary code, collect system information, and escalate privileges. Figure 17: Pseudo-Terminal in our test environment 15
4. Vulnerable code examples In this part, we will discuss vulnerable code examples and codes we ex- ploited in the previous section. Like other injection attacks, unsanitized user input makes command injection possible. And this is irrespective of the pro- gramming language used. Code examples will be written in Python. The figures below contain the vulnerable codes we exploited in the previous section. Figure 18: First Ping Figure 19: Second Ping 16
Figure 20: DNS Lookup Figure 21: Nickname save 5. How to prevent command injection ? In this part, we will discuss how to prevent command injection, discuss general techniques, and finally share the fixed version of the code we exploit. • Validate and sanitize user input: This includes evaluating all user input to ensure it is in the desired format and free of potentially harmful characters or commands. This can assist in avoiding dangerous code injection into your applications by attackers. • Avoid using OS Commands: Applications should not include codes that utilize operating system commands fed with user-controllable data. There are nearly always safer alternatives for using server-level instructions that attackers can’t manipulate into doing anything other than what they were programmed to do. • Use an up-to-date, secure web application framework: Modern web ap- plication frameworks have built-in protection against frequent injection 17
attacks. To stop these attacks, ensure you are utilizing an up-to-date and secure framework. • Use WAF: By filtering incoming traffic and preventing requests that con- tain harmful code or commands, a web application firewall (WAF) can help to safeguard your applications. This may add another level of de- fense against command injection attacks. • Lastly, informing your users about the dangers of injection attacks and the necessity of only entering reliable information into your applications is crucial. This can lessen the chance of attackers taking advantage of unsuspecting users. To avoid command injection, Use an internal API whenever possible (if one exists) rather than an OS command. Avoid passing user-controlled input wher- ever possible, and if you have to, use an array with a sequence of program arguments rather than a single string. To do this in Python, we must set the subprocess’s shell flag to false. (shell=False’). Because shell=True propagates existing shell settings and variables, using it is risky. Executing OS commands with shell=True makes it considerably more straightforward for a malicious ac- tor to execute commands since variables, glob patterns, and other unique shell features in the command string are processed before the command is launched. On the other hand, when using particular shell features, such as word splitting or argument expansion, shell=True can be useful. If such a feature is necessary, use the various modules available to you instead, such as os.path.expandvars() for parameter expansion or shlex for word splitting. More work is required, but other issues are avoided. In our code, for the ping function, first, we disabled the shell flag for the subprocess.run command. After we added a function to use the ipaddress li- brary, Our IP address is not actually being verified by the ipaddress module. It attempts to generate a Python IP address object using the supplied string. We must develop our IP validation function to apply this reasoning to an IP. 18
After implementing the validate ip function, we add a tested, secure regex to ensure only if the input is a valid IP address. Figure 22: More secure ping function In DNS lookup function, we added nslookup library and avoided usage of OS commands. Figure 23: More secure DNS Lookup function 19
Also in nick function, we used write() and open() instead of OS commands. Figure 24: More secure nick function 20
6. Attempt to exploit more secure code Since we have provided more secure implementation, we can test using the Burp suite as we did in the 3rd section by combining open-source payload ex- amples and payloads that we used previously. Figure 25 Figure 25: Payloads 21
First, we turn intercept on and send our request from the web page. After loading payloads, Figure 26, we start an attack on different forms in our web application. Figure 26: Starting attack with payloads 22
Finally, we can inspect the responses of different payloads and ensure that we did manage to prevent injecting commands to the host OS. Figure 27: Inspecting responses 23
7. References • https://semgrep.dev/docs/cheat-sheets/python-command-injection/ • https://portswigger.net/support/using-burp-to-test-for-os-command-injection-vulnerabil • https://knowledge-base.secureflag.com/vulnerabilities/code_injection/ os_command_injection_python.html • https://thesecmaster.com/what-is-command-injection-vulnerability-and-how-to-prevent-it • https://portswigger.net/web-security/os-command-injection • https://github.com/commixproject/commix • https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess • https://www.stackhawk.com/blog/command-injection-python/ • https://www.shiftleft.io/blog/find-command-injection-in-source-code/ • https://www.abstractapi.com/guides/validate-ip-address-python • https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_ Defense_Cheat_Sheet.html • https://github.com/payloadbox/command-injection-payload-list 24

More Related Content

PDF
Local File Inclusion to Remote Code Execution
byn|u - The Open Security Community
 
PPT
Honeypot-A Brief Overview
bySILPI ROSAN
 
PPTX
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 
PDF
File Inclusion.pdf
byOkan YILDIZ
 
PDF
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
byAbhinav Mishra
 
PPT
SQL Injection
byAdhoura Academy
 
PDF
KGC 2016 오픈소스 네트워크 엔진 Super socket 사용하기
by흥배 최
 
PPTX
Security Testing Training With Examples
byAlwin Thayyil
 
Local File Inclusion to Remote Code Execution
byn|u - The Open Security Community
 
Honeypot-A Brief Overview
bySILPI ROSAN
 
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 
File Inclusion.pdf
byOkan YILDIZ
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
byAbhinav Mishra
 
SQL Injection
byAdhoura Academy
 
KGC 2016 오픈소스 네트워크 엔진 Super socket 사용하기
by흥배 최
 
Security Testing Training With Examples
byAlwin Thayyil
 

What's hot

PDF
Breaking Bad CSP
byLukas Weichselbaum
 
PPTX
Presentation on Web Attacks
byVivek Sinha Anurag
 
PPTX
Waf bypassing Techniques
byAvinash Thapa
 
PDF
CSRF Basics
byn|u - The Open Security Community
 
KEY
DVWA BruCON Workshop
bytestuser1223
 
PPTX
Bug Bounty for - Beginners
byHimanshu Kumar Das
 
PPTX
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
byraj upadhyay
 
PPTX
Owasp zap
bypenetration Tester
 
PPT
Introduction Network security
byIGZ Software house
 
PPTX
Lfi
bypenetration Tester
 
PDF
Security testing presentation
byConfiz
 
PPT
Honeypot honeynet
bySina Manavi
 
PDF
Penetration testing web application web application (in) security
byNahidul Kibria
 
PPTX
Buffer overflow
byEvgeni Tsonev
 
PDF
Nmap tutorial
byVarun Kakumani
 
PDF
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
byAdar Weidman
 
PPT
Sql injection attack
byRajKumar Rampelli
 
PPT
A Brief Introduction in SQL Injection
bySina Manavi
 
PDF
Api security-testing
byn|u - The Open Security Community
 
PPT
Honeypots
byJayant Gandhi
 
Breaking Bad CSP
byLukas Weichselbaum
 
Presentation on Web Attacks
byVivek Sinha Anurag
 
Waf bypassing Techniques
byAvinash Thapa
 
CSRF Basics
byn|u - The Open Security Community
 
DVWA BruCON Workshop
bytestuser1223
 
Bug Bounty for - Beginners
byHimanshu Kumar Das
 
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
byraj upadhyay
 
Owasp zap
bypenetration Tester
 
Introduction Network security
byIGZ Software house
 
Lfi
bypenetration Tester
 
Security testing presentation
byConfiz
 
Honeypot honeynet
bySina Manavi
 
Penetration testing web application web application (in) security
byNahidul Kibria
 
Buffer overflow
byEvgeni Tsonev
 
Nmap tutorial
byVarun Kakumani
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
byAdar Weidman
 
Sql injection attack
byRajKumar Rampelli
 
A Brief Introduction in SQL Injection
bySina Manavi
 
Api security-testing
byn|u - The Open Security Community
 
Honeypots
byJayant Gandhi
 

Similar to command-injection-v3.pdf

PPTX
Command Injection - critical security vulnerability.pptx
bynanovates
 
PPTX
Command Injection - Ethical Hacking.pptx
bynanovates
 
PPTX
Command injection
bypenetration Tester
 
PDF
Commix Detecting And Exploiting.pdf
byssuser387cf0
 
PDF
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
byrgster
 
PDF
Command injection komal_armarkar
byKomal Armarkar
 
PPTX
Commix
bynullowaspmumbai
 
PDF
Linux Security Crash Course
byUTD Computer Security Group
 
PPT
Threats, Vulnerabilities & Security measures in Linux
byAmitesh Bharti
 
PPTX
Software Security information security
bymubeen arshad
 
PPTX
Cross interface attack
bypiyushml20
 
PPTX
Cross Interface Attacks
byn|u - The Open Security Community
 
PDF
Blindsql
bybig boss
 
PDF
Blindsql
byRitu Raj
 
PDF
RIoT (Raiding Internet of Things) by Jacob Holcomb
byPriyanka Aash
 
PPTX
The internet of $h1t
byAmit Serper
 
PPTX
Ethical hacking Chapter 9 - Linux Vulnerabilities - Eric Vanderburg
byEric Vanderburg
 
PDF
Intro to Exploitation
byUTD Computer Security Group
 
PDF
Backdoor Entry to a Windows Computer
byIRJET Journal
 
PDF
SOHOpelessly Broken
byThe Security of Things Forum
 
Command Injection - critical security vulnerability.pptx
bynanovates
 
Command Injection - Ethical Hacking.pptx
bynanovates
 
Command injection
bypenetration Tester
 
Commix Detecting And Exploiting.pdf
byssuser387cf0
 
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
byrgster
 
Command injection komal_armarkar
byKomal Armarkar
 
Commix
bynullowaspmumbai
 
Linux Security Crash Course
byUTD Computer Security Group
 
Threats, Vulnerabilities & Security measures in Linux
byAmitesh Bharti
 
Software Security information security
bymubeen arshad
 
Cross interface attack
bypiyushml20
 
Cross Interface Attacks
byn|u - The Open Security Community
 
Blindsql
bybig boss
 
Blindsql
byRitu Raj
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
byPriyanka Aash
 
The internet of $h1t
byAmit Serper
 
Ethical hacking Chapter 9 - Linux Vulnerabilities - Eric Vanderburg
byEric Vanderburg
 
Intro to Exploitation
byUTD Computer Security Group
 
Backdoor Entry to a Windows Computer
byIRJET Journal
 
SOHOpelessly Broken
byThe Security of Things Forum
 

More from Okan YILDIZ

PDF
XSS.pdf
byOkan YILDIZ
 
PDF
IDOR.pdf
byOkan YILDIZ
 
PDF
Directory_Traversel.pdf
byOkan YILDIZ
 
PDF
Buffer Overflow - English.pdf
byOkan YILDIZ
 
PDF
Azure Security Check List - Final.pdf
byOkan YILDIZ
 
PDF
IDOR.pdf
byOkan YILDIZ
 
PDF
Phishing, Smishing and vishing_ How these cyber attacks work and how to preve...
byOkan YILDIZ
 
PDF
XSS.pdf
byOkan YILDIZ
 
PDF
VoIP (Voice over Internet Protocol).pdf
byOkan YILDIZ
 
PDF
Buffer overflow
byOkan YILDIZ
 
PDF
Some Kitapçık
byOkan YILDIZ
 
PDF
Sosyal Mühendislik Saldırıları
byOkan YILDIZ
 
PDF
DNS Güvenliği
byOkan YILDIZ
 
XSS.pdf
byOkan YILDIZ
 
IDOR.pdf
byOkan YILDIZ
 
Directory_Traversel.pdf
byOkan YILDIZ
 
Buffer Overflow - English.pdf
byOkan YILDIZ
 
Azure Security Check List - Final.pdf
byOkan YILDIZ
 
IDOR.pdf
byOkan YILDIZ
 
Phishing, Smishing and vishing_ How these cyber attacks work and how to preve...
byOkan YILDIZ
 
XSS.pdf
byOkan YILDIZ
 
VoIP (Voice over Internet Protocol).pdf
byOkan YILDIZ
 
Buffer overflow
byOkan YILDIZ
 
Some Kitapçık
byOkan YILDIZ
 
Sosyal Mühendislik Saldırıları
byOkan YILDIZ
 
DNS Güvenliği
byOkan YILDIZ
 

Recently uploaded

PDF
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
PDF
Ethical Initiatives in AI and accountability.pdf
byShiwani Gupta
 
PDF
2025 October Patch Tuesday
byIvanti
 
PDF
UiPath DevConnect 2025: Introduction to Agentic Automation
byDianaGray10
 
PDF
Agentic AI Guide for Enterprise Use-cases
byDebmalya Biswas
 
PPTX
Agentic AI Solutions and Services | Aeologic
byankitaeologic
 
PDF
Fairness and Bias in AI Ethics and Explainability
byShiwani Gupta
 
PDF
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
PDF
Ask Me Anything About AI Assist: Practical Answers for Real Workflows
bySafe Software
 
PDF
What's New? ThousandEyes Features and Highlights: October 2025
byThousandEyes
 
PDF
Rivian's Push Notification Sub Stream with Mega Filter by Marcus Kim & Saahil...
byScyllaDB
 
PDF
Using Copilot with Microsoft Office Apps
byDeb Walther
 
PDF
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
PDF
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
PPTX
WUG-DMV: Workfront Wizards: Tips & Tricks Exchange (Sept 2025)
byWUG-DC MARYLAND VIRGINIA
 
PPTX
CBD Belgium 2025 - The adventures of a Microsoft 365 Platform Owner.pptx
byJasper Oosterveld
 
PDF
From Data Chaos to Copilot Confidence: A Step-by-Step Microsoft 365 Copilot R...
byNikki Chapple
 
PDF
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
PDF
KV Caching Strategies for Latency-Critical LLM Applications by John Thomson
byScyllaDB
 
PPTX
"The Art of Web Scraping: Tree Algorithms and JS Magic", Dmytro Tarasenko
byFwdays
 
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
Ethical Initiatives in AI and accountability.pdf
byShiwani Gupta
 
2025 October Patch Tuesday
byIvanti
 
UiPath DevConnect 2025: Introduction to Agentic Automation
byDianaGray10
 
Agentic AI Guide for Enterprise Use-cases
byDebmalya Biswas
 
Agentic AI Solutions and Services | Aeologic
byankitaeologic
 
Fairness and Bias in AI Ethics and Explainability
byShiwani Gupta
 
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
Ask Me Anything About AI Assist: Practical Answers for Real Workflows
bySafe Software
 
What's New? ThousandEyes Features and Highlights: October 2025
byThousandEyes
 
Rivian's Push Notification Sub Stream with Mega Filter by Marcus Kim & Saahil...
byScyllaDB
 
Using Copilot with Microsoft Office Apps
byDeb Walther
 
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
WUG-DMV: Workfront Wizards: Tips & Tricks Exchange (Sept 2025)
byWUG-DC MARYLAND VIRGINIA
 
CBD Belgium 2025 - The adventures of a Microsoft 365 Platform Owner.pptx
byJasper Oosterveld
 
From Data Chaos to Copilot Confidence: A Step-by-Step Microsoft 365 Copilot R...
byNikki Chapple
 
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
KV Caching Strategies for Latency-Critical LLM Applications by John Thomson
byScyllaDB
 
"The Art of Web Scraping: Tree Algorithms and JS Magic", Dmytro Tarasenko
byFwdays
 

command-injection-v3.pdf

  • 1.
    Command Injection Talha Eroglu,Okan Yildiz Abstract OS Command Injection is a type of cyber attack that involves injecting mali- cious code into a legitimate system command. This allows the attacker to gain unauthorized access to sensitive information or to manipulate system functions. The attack is possible when an application does not properly validate user in- put, allowing the attacker to insert arbitrary commands that are executed by the operating system. OS Command Injection attack can include data loss, system compromise, and loss of trust in the affected organization. In some cases, the attack can even lead to financial losses or legal repercussions. This article discusses Command Injection attacks, what vulnerable appli- cations are and how to exploit the vulnerability, and finally, how to prevent attacks by writing safe codes.
  • 2.
    Contents 1 What isCommand Injection ? 3 2 Possible consequences of command injection 4 3 How to exploit example vulnerabilities ? 5 3.1 Detecting vulnerability in first form . . . . . . . . . . . . . . . . 6 3.2 Detecting vulnerability in alternative implementation of first form 7 3.3 Detecting vulnerability in second form . . . . . . . . . . . . . . . 8 3.4 Detecting vulnerability in last form . . . . . . . . . . . . . . . . . 9 3.5 Burp Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.6 One step further, Reverse TCP Shell . . . . . . . . . . . . . . . . 15 4 Vulnerable code examples 16 5 How to prevent command injection ? 17 6 Attempt to exploit more secure code 21 7 References 24 2
  • 3.
    1. What isCommand Injection ? Command injection is a security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on a server that is hosting an application. Shell injection or OS command injection are other names for command injection. Before deeply diving into ’Command Injection’, we can clarify the distinction between Command Injection and ’Code Execution’ (Code injection) Any attack involving the injection of code that an application interprets or executes is called ”code execution.” The misuse of untrusted data inputs is exploited in this kind of attack. The absence of adequate input/output data validation makes it possible. Code execution attacks have the critical limitation of being bound to the application or system they target. For example, if we ran a successful code execution attack in the test environment, the permissions granted to Python on the host machine would limit us. Let’s talk about command injection, which is the subject of our article, Executing commands in a system shell or other areas of the environment is a standard definition of command injection. Without injecting malicious code, the attacker increases a vulnerable application’s default functionality by passing commands to the system shell. Insufficient input validation leads to OS Command Injection attacks; how- ever, they are only possible if the application code includes operating system calls that have user input combined with the invocation. This vulnerability can occur in every computer program and on any platform. Any language that executes a command through the system shell is susceptible to injection, which can be orchestrated on Windows and Unix systems. For instance, you can find command injection vulnerabilities in router-embedded software, online applications and APIs, server-side scripts, mobile apps, and even the core operating system software. A command injection can compromise the infrastructure of that program, its data, the entire system, associated servers, and other devices. 3
  • 4.
    2. Possible consequencesof command injection • Network traffic from the target system can be redirected to another system under the attacker’s control, allowing them to intercept and see private information. • Security measures like firewalls and intrusion detection/prevention sys- tems (IDS/IPS) can be avoided using command injection. • The target system may be completely compromised if an attacker can run any code on it. • Using command injection, an attacker can change direction and target dif- ferent systems connected to the same network as the vulnerable machine. • Attackers can alter data on the target system, which might result in lost or inaccurate data. • By injecting malicious commands that use up all the resources available, an attacker can cause a Denial of Service (DoS) to the target system. 4
  • 5.
    3. How toexploit example vulnerabilities ? As seen in Figure 1, a web application runs on a virtual machine, accessed from the localhost:8000 port. Functionalities in the application were imple- mented using different libraries and methods. These buttons call OS commands on the host server and provides output to the user. First, we will discuss using suitable payloads for vulnerability detection in var- ious implementations. Payloads vary by host operating system, but in this article, we will only cover Linux and unix-like operating systems. However, since the basic concept is the same, you can access different payloads over the internet. Then, after ensuring the vulnerability exists for each sample, we will see how we can practically test payloads using Burp Suite. Finally, we will discuss Pseudo-terminal, Reverse TCP Shells and summarize the exploitation part. Figure 1: Web application developed in Django 5
  • 6.
    3.1. Detecting vulnerabilityin first form When we enter an IP address using the first button for its intended purpose, we encounter an expected output, as in Figure 2. Figure 2: Submitting IP with Ping button Then we write ’; whoami’ to the search query to check if we can run extra OS Commands, suspecting that user-supplied input is not sanitized. In the red framed output section in Figure 3, we see a new field consisting of a ’dev.’ This is because we bypassed the IP field with ’;’ and executed the ’whoami’ instruction in the host machine. Figure 3: IP 6
  • 7.
    3.2. Detecting vulnerabilityin alternative implementation of first form Now we have another implementation of ping functionality in our web appli- cation. When we try to use ’; unixcommand ’ we confront with error message, ’Invalid IP address form’.In Figure 4. We may be dealing with some input sanitizing here. Therefore, we need to Figure 4: Error message when trying to inject commands bypass this control by changing the inputs accepted by the system. So, first, we try the valid input form; after changing the inputs step by step, we see that the commands added to the end of the proper IP addresses are not stuck in this control. We successfully printed out working directory with ’pwd’ command. In Figure 5. Figure 5: Succesfully bypassing input check 7
  • 8.
    3.3. Detecting vulnerabilityin second form Figure 6: Save form First, we can understand the save form and what it does in the background. With two inputs, it gives the output as ”Your alias saved successfully.” Nothing changes if we try to give OS commands to the Username field (Figure 7). Figure 7: Consistent output But when we use the Alias field for the commands, we also get ’test’ in addition to the success message. We tried to read the passwords in the etc/host/ direc- tory, and although we did not have a decent output, the change in the output gave us a clue that something was wrong here. (Figure 8) Figure 8: Changed output Based on the previous tip, a string manipulation might exist. When we try to execute our command between semi-colons, we see that we can inject the command in Figure 9. We can also get working directory and search for other user inputs. Figure 10 8
  • 9.
    Figure 9: Successfullyinjecting ls command Figure 10: Accessing saved user information with cat command 3.4. Detecting vulnerability in last form We can also execute OS commands by manipulating the URL area in the same way as in other examples. Figure 11: Executing OS commands on DNS Lookup form 3.5. Burp Suite We will use the Ping form while showing the Burp Suite usage step by step. • Open web page and ensure under the Proxy tab, Intercept is on • Give an IP address as input in our web page and submit. • Burp Suite will intercept our request, right click on the Intercepted Raw request and Send To Intruder. 9
  • 10.
  • 11.
    • Clear unrelatedpayload positions with buttons on the right such that we will only have our IP field as payload position. Figure 13: Clearing Payload Positions 11
  • 12.
    • Go toPayloads, under Payload Options, load your payload and start the attack. Figure 14: Loading payload file 12
  • 13.
    Figure 15: Previewof the payload file. 13
  • 14.
    • As seenin the Figure 16, it can be determined which command is working, and you can examine the responses. Figure 16: Attack requests and responses 14
  • 15.
    3.6. One stepfurther, Reverse TCP Shell Using Commix (Command Injection Exploiter), we can open a pseudo-shell and then configure a reverse TCP shell on the target machine with the raw intercept file we got from Burp Suite. A reverse TCP shell is a type of shell in which the target machine opens a connection back to the attacking machine. This allows the attacker to control the target machine and access its files, execute commands, and more. It is called ”reverse” because it is the opposite of the more common ”forward” shell, in which the attacker connects to the target machine from their own. It provides the attacker with a wide range of capabilities, including the ability to run arbitrary code, collect system information, and escalate privileges. Figure 17: Pseudo-Terminal in our test environment 15
  • 16.
    4. Vulnerable codeexamples In this part, we will discuss vulnerable code examples and codes we ex- ploited in the previous section. Like other injection attacks, unsanitized user input makes command injection possible. And this is irrespective of the pro- gramming language used. Code examples will be written in Python. The figures below contain the vulnerable codes we exploited in the previous section. Figure 18: First Ping Figure 19: Second Ping 16
  • 17.
    Figure 20: DNSLookup Figure 21: Nickname save 5. How to prevent command injection ? In this part, we will discuss how to prevent command injection, discuss general techniques, and finally share the fixed version of the code we exploit. • Validate and sanitize user input: This includes evaluating all user input to ensure it is in the desired format and free of potentially harmful characters or commands. This can assist in avoiding dangerous code injection into your applications by attackers. • Avoid using OS Commands: Applications should not include codes that utilize operating system commands fed with user-controllable data. There are nearly always safer alternatives for using server-level instructions that attackers can’t manipulate into doing anything other than what they were programmed to do. • Use an up-to-date, secure web application framework: Modern web ap- plication frameworks have built-in protection against frequent injection 17
  • 18.
    attacks. To stopthese attacks, ensure you are utilizing an up-to-date and secure framework. • Use WAF: By filtering incoming traffic and preventing requests that con- tain harmful code or commands, a web application firewall (WAF) can help to safeguard your applications. This may add another level of de- fense against command injection attacks. • Lastly, informing your users about the dangers of injection attacks and the necessity of only entering reliable information into your applications is crucial. This can lessen the chance of attackers taking advantage of unsuspecting users. To avoid command injection, Use an internal API whenever possible (if one exists) rather than an OS command. Avoid passing user-controlled input wher- ever possible, and if you have to, use an array with a sequence of program arguments rather than a single string. To do this in Python, we must set the subprocess’s shell flag to false. (shell=False’). Because shell=True propagates existing shell settings and variables, using it is risky. Executing OS commands with shell=True makes it considerably more straightforward for a malicious ac- tor to execute commands since variables, glob patterns, and other unique shell features in the command string are processed before the command is launched. On the other hand, when using particular shell features, such as word splitting or argument expansion, shell=True can be useful. If such a feature is necessary, use the various modules available to you instead, such as os.path.expandvars() for parameter expansion or shlex for word splitting. More work is required, but other issues are avoided. In our code, for the ping function, first, we disabled the shell flag for the subprocess.run command. After we added a function to use the ipaddress li- brary, Our IP address is not actually being verified by the ipaddress module. It attempts to generate a Python IP address object using the supplied string. We must develop our IP validation function to apply this reasoning to an IP. 18
  • 19.
    After implementing thevalidate ip function, we add a tested, secure regex to ensure only if the input is a valid IP address. Figure 22: More secure ping function In DNS lookup function, we added nslookup library and avoided usage of OS commands. Figure 23: More secure DNS Lookup function 19
  • 20.
    Also in nickfunction, we used write() and open() instead of OS commands. Figure 24: More secure nick function 20
  • 21.
    6. Attempt toexploit more secure code Since we have provided more secure implementation, we can test using the Burp suite as we did in the 3rd section by combining open-source payload ex- amples and payloads that we used previously. Figure 25 Figure 25: Payloads 21
  • 22.
    First, we turnintercept on and send our request from the web page. After loading payloads, Figure 26, we start an attack on different forms in our web application. Figure 26: Starting attack with payloads 22
  • 23.
    Finally, we caninspect the responses of different payloads and ensure that we did manage to prevent injecting commands to the host OS. Figure 27: Inspecting responses 23
  • 24.
    7. References • https://semgrep.dev/docs/cheat-sheets/python-command-injection/ •https://portswigger.net/support/using-burp-to-test-for-os-command-injection-vulnerabil • https://knowledge-base.secureflag.com/vulnerabilities/code_injection/ os_command_injection_python.html • https://thesecmaster.com/what-is-command-injection-vulnerability-and-how-to-prevent-it • https://portswigger.net/web-security/os-command-injection • https://github.com/commixproject/commix • https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess • https://www.stackhawk.com/blog/command-injection-python/ • https://www.shiftleft.io/blog/find-command-injection-in-source-code/ • https://www.abstractapi.com/guides/validate-ip-address-python • https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_ Defense_Cheat_Sheet.html • https://github.com/payloadbox/command-injection-payload-list 24