How To Hunt For Command Injection Step by Step (CI)?
Welcome, hunters!

Today we are going to talk about Command Injection (CI), which falls under the Injection category of the OWASP Top 10 and is usually rated critical because it gives the attacker code execution on the server.


Background Concept of Command Injection:

Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command string that is handed to a shell command interpreter (/bin/sh, cmd.exe). If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command that is executed and inject arbitrary further commands, which the server then runs with the privileges of the application process.

Impact of Command Injection

By exploiting a command injection vulnerability an attacker can abuse the affected function to run operating system commands of his own choosing. Those commands execute with the privileges of the web server process, so depending on that privilege level and the host's configuration the attacker can read and modify application data, pivot to internal systems, and often take complete control over the web server.

Example of Command Injection 

➤ A common function passes an IP address the user specifies to the system's ping command. If the user specifies 127.0.0.1 as the IP address, the command that is executed looks like this:
  ping -c5 127.0.0.1

➤ Because the application concatenates the value into a shell command string, the attacker can break out of the intended ping command (or provoke an error message that leaks useful information) and execute commands of his own. Appending a second command with a semicolon looks like this:
  ping -c5 127.0.0.1; id

Everything after the semicolon (here id) is run by the shell as a separate command, so its output, the uid and gid of the web server account, shows up in the response.
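The background section and the ping example above describe the bug in words; the following added example (my own code, not from the original post) shows the same ping handler written three ways so you can see exactly where the injection happens and what stops it. echo stands in for ping only so the demo runs without network access or ICMP privileges; the function names and the marker command id are my own choices.

```python
import ipaddress
import subprocess

# Added example, not code from the original post. ``base_cmd`` defaults to
# ``echo`` so the demo runs offline; a real application would use "ping -c5".
MARKER_CMD = "id"   # attacker-appended command; "uid=" in the output proves it ran


def ping_vulnerable(user_ip: str, base_cmd: str = "echo") -> str:
    """Vulnerable: user data is pasted into a string that /bin/sh parses.

    With user_ip = "127.0.0.1; id" the shell sees two commands and runs both.
    """
    cmd = f"{base_cmd} {user_ip}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def ping_no_shell(user_ip: str, base_cmd: str = "echo") -> str:
    """Better: argv list and no shell.

    Metacharacters reach the program as literal argument text, so "; id"
    is just an odd host name rather than a second command (ping would fail
    to resolve it; echo prints it back unchanged).
    """
    argv = base_cmd.split() + [user_ip]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def ping_hardened(user_ip: str, base_cmd: str = "echo") -> str:
    """Best: allow-list validation first, then argv list without a shell."""
    try:
        ipaddress.ip_address(user_ip)   # ValueError on anything but an IP literal
    except ValueError:
        raise ValueError(f"rejected input: {user_ip!r}") from None
    return ping_no_shell(user_ip, base_cmd)


def executed_injected_command(output: str) -> bool:
    """True if the output contains what ``id`` prints, i.e. the injection ran."""
    return "uid=" in output


def hardened_rejects(user_ip: str) -> bool:
    """True if the hardened handler refuses the value before running anything."""
    try:
        ping_hardened(user_ip)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = f"127.0.0.1; {MARKER_CMD}"
    print("vulnerable ran id :", executed_injected_command(ping_vulnerable(payload)))
    print("argv-only ran id  :", executed_injected_command(ping_no_shell(payload)))
    print("hardened rejected :", hardened_rejects(payload))
```

The argv-only version already defeats the injection because no shell ever parses the string, but it still forwards garbage to ping; the validated version is what you want to see in a fix, and it is also what makes a finding "not reproducible" when you retest.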

How to find Command Injection?

➤ Use a delimiter to terminate the command the application intended to run, then append your own command after it.

Delimiter list

➤ ; runs the next command unconditionally (sh/bash)

➤ & runs both commands (in sh the first is sent to the background; in cmd.exe it simply chains them)

➤ && runs the injected command only if the previous command succeeded

➤ || runs the injected command only if the previous command failed; with a valid ping target the first command succeeds, so this one may stay silent until you also break the first command

➤ | pipes the previous command's output into the injected command (not in the original list, but just as common)

➤ %0A (\n, newline) and %0D (\r, carriage return): a newline is a command separator in sh; these are the URL-encoded forms and must be sent encoded

➤ < redirects a file into the command's standard input

➤ ^ is the escape character in cmd.exe; it does not chain commands by itself, but it helps slip past keyword filters (n^e^t is still net)

➤ `cmd` and $(cmd) substitute the command's output into the argument in place, which still works when the injection lands inside double quotes

Exploitation of Command Injection 

➤ Find an input field (or any other parameter) whose value reaches the operating system shell. Typical candidates are ping, traceroute, nslookup and whois lookups, file conversion and archive handling, and anything that takes a host name or file name.

➤ Append a delimiter and a harmless system command to the expected value and look for the command's output, an error message, or a changed response time.

Examples

➤ ;ls

➤ &&ls

➤ ||ls 

Practice:

➤ DVWA and Mutillidae (intentionally vulnerable applications you can run locally)

➤ Live Site: http://projects.knmi.nl (only test systems you are authorised to test)

Note: We can use Burp Suite to find the parameter that carries the flaw: Spider to crawl the website, Repeater to modify a request and resend it by hand, and Intruder to iterate a list of delimiters and commands against one parameter position. Command injection is not limited to GET parameters: POST bodies, cookies and HTTP headers such as User-Agent can reach a shell just as well, so test every value the application forwards to a system command. Remember that & inside a query string must be URL-encoded as %26, otherwise the web server splits the parameter there and your payload never reaches the shell.

Automated tool for Command Injection

Commix (COMMand Injection eXploiter) is a Python-based tool that automatically detects and exploits command injection flaws in a given request and lets you execute OS commands on the target once a working injection point is found.


Command Injection Payloads

The names below are the commands worth trying once you have a working injection point; on their own they are not payloads, each must be prefixed with one of the delimiters listed above (for example ;whoami or &&uname -a). The first block is Linux/Unix commands (the list on this page starts at the letter l), the second is Windows cmd.exe commands.

lftp
lftpget
link
ln
loadkeys
locale
locate
lockfile
logger
login
logname
logrotate
look
losetup
lpadmin
lpinfo
lpmove
lpq
lpr
lprm
lpstat
ls
lsattr
lsmod
lspci
lsusb
m4
mail
mailq
mailstats
mailto
make
makedbm
makemap
man
manpath
mattrib
mbadblocks
mcat
mcd
mcopy
md5sum
mdel, mdeltree
mdir
mdu
merge
mesg
metamail
metasend
mformat
mimencode
minfo
mkdir
mkdosfs
mke2fs
mkfifo
mkfs
mkfs.ext3
mkisofs
mklost+found
mkmanifest
mknod
mkraid
mkswap
mktemp
mlabel
mmd
mmount
mmove
modinfo
modprobe
more
mount
mountd
mpartition
mpg123
mpg321
mrd
mren
mshowfat
mt
mtools
mtoolstest
mtype
mv
mzip
named
namei
nameif
netstat
newaliases
newgrp
newusers
nfsd
nfsstat
nice
nm
nohup
nslookup
nsupdate
objcopy
objdump
od
openvt
passwd
paste
patch
pathchk
perl
pidof
ping
pinky
pmap
portmap
poweroff
pppd
pr
praliases
printenv
printf
ps
ptx
pwck
pwconv
pwd
python
quota
quotacheck
quotaoff
quotaon
quotastats
raidstart
ramsize
ranlib
rarpd
rcp
rdate
rdev
rdist
rdistd
readcd
readelf
readlink
reboot
reject
rename
renice
repquota
reset
resize2fs
restore
rev
rexec
rexecd
richtext
rlogin
rlogind
rm
rmail
rmdir
rmmod
rndc
rootflags
route
routed
rpcgen
rpcinfo
rpm
rsh
rshd
rsync
runlevel
rup
ruptime
rusers
rusersd
rwall
rwho
rwhod
sane-find-scanner
scanadf
scanimage
scp
screen
script
sdiff
sed
sendmail
sensors
seq
setfdprm
setkeycodes
setleds
setmetamode
setquota
setsid
setterm
sftp
sh
sha1sum
showkey
showmount
shred
shutdown
size
skill
slabtop
slattach
sleep
slocate
snice
sort
split
ssh
ssh-add
ssh-agent
sshd
ssh-keygen
ssh-keyscan
stat
statd
strace
strfile
strings
strip
stty
su
sudo
sum
swapoff
swapon
sync
sysctl
sysklogd
syslogd
tac
tail
tailf
talk
talkd
tar
taskset
tcpd
tcpdump
tcpslice
tee
telinit
telnet
telnetd
test
tftp
tftpd
time
tload
tmpwatch
top
touch
tr
tracepath
traceroute
troff
true
tset
tsort
tty
tune2fs
tunelp
ul
umount
uname
uncompress
unexpand
unicode_start
unicode_stop
uniq
uptime
useradd
userdel
usermod
users
usleep
uudecode
uuencode
uuidgen
vdir
vi
vidmode
vim
vmstat
volname
w
wall
warnquota
watch
wc
wget
whatis
whereis
which
who
whoami
whois
write
xargs
xinetd
yacc
yes
ypbind
ypcat
ypinit
ypmatch
yppasswd
yppasswdd
yppoll
yppush
ypserv
ypset
yptest
ypwhich
ypxfr
zcat
zcmp
zdiff
zdump
zforce
zgrep
zic
zless
zmore
znew

Windows (cmd.exe) commands:

arp
assoc
at
atmadm
attrib
bootcfg
break
cacls
call
change
chcp
chdir
chkdsk
chkntfs
cipher
cls
cmd
cmstp
color
comp
compact
convert
copy
cprofile
cscript
date
defrag
del
dir
diskcomp
diskcopy
diskpart
doskey
driverquery
echo
endlocal
eventcreate
eventquery
eventtriggers
evntcmd
exit
expand
fc
filter
find
findstr
finger
flattemp
for
format
fsutil
ftp
ftype
getmac
goto
gpresult
gpupdate
graftabl
help
helpctr
hostname
if
ipconfig
ipseccmd
ipxroute
irftp
label
lodctr
logman
lpq
lpr
macfile
mkdir
mmc
mode
more
mountvol
move
msiexec
msinfo32
nbtstat
net
netsh
netstat
nslookup
ntbackup
ntcmdprompt
ntsd
openfiles
pagefileconfig
path
pathping
pause
pbadmin
pentnt
perfmon
ping
popd
print
prncnfg
prndrvr
prnjobs
prnmngr
prnport
prnqctl
prompt
pushd
query
rasdial
rcp
recover
reg
regsvr32
relog
rem
rename
replace
rexec
rmdir
route
rsh
rsm
runas
sc
schtasks
secedit
set
setlocal
shift
shutdown
sort
start
subst
systeminfo
sfc
taskkill
tasklist
tcmsetup
telnet
tftp
time
title
tracerpt
tracert
tree
type
typeperf
unlodctr
ver
verify
vol
vssadmin
w32tm
winnt
winnt32
wmic
xcopy


So this was the tutorial on Command Injection. I hope it will help you hunt bugs more quickly.
If you have any query, you can put it in the comment box. If you find any error or mistake, please let me know, either in the comment section or by email: rajeshsahan507@gmail.com
Thank you, and happy hunting.


Follow us on 

Facebook: Cybersec_broo
Instagram: Cybersec_broo
