Command Injections: I Want To learn how to find an RCE bug so Bad!!

Bismillah

In the second part of yesterday I had some fun around the topic of command injection; here's a sneak peek of what it entails.

Command Injection


  • Definition: it is a way for an attacker (let's call him Sneaky) to abuse an application's behaviour so that he can execute commands on the operating system the application runs on.

  • As you've probably guessed, it is also known as RCE (Remote Code Execution), meaning Sneaky can run code on the operating system without physically accessing the machine.

Discovery


  • To find this bug you have to be aware of how applications use functions that pass data to, and make system calls on, the machine they run on.

  • More on this as I learn more about RCE.

Exploitation


  • Now, if the functions mentioned above use user input to build or populate the system command, then Sneaky can combine that data with some unwanted system calls; think of him trying to learn which user is logged in or what operating system the machine is running.

  • If you're familiar with shell commands then you must know of the following operators (if you don't, I'll explain a bit):

    • "&", "&&", ";": can be used to chain two commands. Which ones work depends on the operating system the machine is running on: on a Unix shell ";" runs the second command unconditionally, "&&" runs it only if the first succeeded, and "&" backgrounds the first; on Windows cmd.exe "&" is the unconditional separator.

There are two ways of detecting the command injection vulnerability:

Blind command injection

  • No direct output is given back to Sneaky when he's testing payloads.

  • He should look more closely at the app's behaviour to tell whether the payload was successful.

  • To do this Sneaky needs payloads that cause a measurable delay in the system, such as:

    • "sleep": the app will sleep/idle for a specified number of seconds.

    • "ping": the delay grows with the number of pings specified.

  • Sneaky could also force output by redirecting it into a file; note that ">" overwrites the file while ">>" appends to it.

    • e.g. combining a "whoami" command with ">> file_name.txt" to store the result in a file (kindly learn shell basics to know how you can do this).

Verbose Command Injection

  • The application gives direct feedback when Sneaky launches his payloads.

  • Since the output is returned to him, here are some payloads Sneaky can use:

  • For Windows:

    • whoami

    • dir

    • ping

    • timeout

  • For Linux:

    • whoami

    • ls

    • ping

    • sleep
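From the defender's side, the blind and verbose payloads listed above leave a recognisable trace in web-server access logs: a parameter that contains a chaining operator followed by a delay primitive (sleep, ping, timeout) or an output-producing command (whoami, ls, dir). The script below is an added example, not code from the original post; it scans a few constructed log lines (my own sample data, not real traffic), decodes each query parameter the way the shell would see it, and classifies hits as blind or verbose probes.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines for this example (not from the original post).
# The "host" query parameter is the value the app would hand to a shell.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /ping?host=example.com HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /ping?host=example.com;whoami HTTP/1.1" 200 540
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /ping?host=example.com%26%26sleep%205 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:10 +0000] "GET /ping?host=8.8.8.8 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:15 +0000] "GET /ping?host=example.com|ping%20-n%2010%20127.0.0.1 HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# Chaining operators from the post (&, &&, ;) plus the pipe, backtick, $ and newline.
METACHAR_RE = re.compile(r"[;&|`$\n]")
# Delay primitives used for blind probing, per the post's Windows/Linux lists.
DELAY_RE = re.compile(r"\b(sleep|ping|timeout)\b", re.IGNORECASE)
# Commands whose output an attacker reads back in a verbose injection.
PROBE_RE = re.compile(r"\b(whoami|dir|ls|id|uname)\b", re.IGNORECASE)


def parse_query(query: str):
    """Split a raw query string on '&' only, then percent-decode each name and value.

    Decoding happens after the split, so an encoded %26%26 survives as one value
    and is seen as '&&', exactly what a shell would receive.
    """
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def classify_value(value: str) -> Optional[str]:
    """Return 'blind', 'verbose' or 'metachar' for a suspicious decoded value, else None."""
    if not METACHAR_RE.search(value):
        return None          # no operator that could chain a second command
    if DELAY_RE.search(value):
        return "blind"       # sleep/ping/timeout: a time-based probe
    if PROBE_RE.search(value):
        return "verbose"     # whoami/ls/dir: expects output to come back
    return "metachar"        # an operator with no known command; still worth a look


def scan_log(text: str) -> list:
    """Walk access-log lines and collect every parameter that looks like an injection probe."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        query = urlsplit(match.group("target")).query
        for name, value in parse_query(query):
            kind = classify_value(value)
            if kind:
                findings.append({"ip": client_ip, "param": name, "value": value, "kind": kind})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ip']:<10} {finding['kind']:<8} {finding['param']}={finding['value']!r}")
```

The classifier is deliberately coarse: it flags the presence of an operator first and only then labels the kind of probe, so an encoded or unfamiliar payload still surfaces as "metachar" rather than slipping through. Decoding after the split, not before, is what makes the `%26%26sleep` line show up as a blind probe.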

Remediating For Command Injection

  • Vulnerable functions: limit the number and type of characters the app's functions will accept and process from the user's input. Better still, avoid handing user input to a shell at all and pass it to the program as a separate argument.

  • Input sanitization: look at every character the user supplies as input to the application. Be as specific as possible, covering the:

    • Formats

    • Types of data

    • Characters

    • etc. (PS: learn RegEx for this one).

For the good hackers --> Bypassing filters:

  • Filters written by the app's developers will probably sanitize and restrict the kind of payloads Sneaky can input into the app.

  • Sneaky could abuse the logic behind the app to bypass these.

    • For instance, using the hexadecimal encoding of the characters an application strips out, so that they are decoded again further down the line. This is why a filter should run on the fully decoded input and allow only what is expected, rather than blocking a list of bad characters.
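To tie the remediation bullets and the encoding bypass together, here is an added example (mine, not code from the original post) of a hypothetical "ping this host" feature written both ways. The vulnerable builder glues user input into one string meant for a shell; the hardened builder decodes percent-encoding and `\xNN` escapes first, checks the result against an allowlist regex for hostnames and IPv4 addresses, and returns an argument list so no shell ever parses the value. The function names and the `ping -c 1` invocation (Linux syntax) are my own choices.

```python
import re
import subprocess
from urllib.parse import unquote

# Allowlist: dot-separated labels of letters, digits and hyphens (covers hostnames
# and dotted IPv4). Anything else, including ; & | and spaces, is rejected outright.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def build_ping_vulnerable(host: str) -> str:
    """The pattern to avoid: user input concatenated into a single shell command line.

    Returned rather than executed, so the injected operator is visible in the result.
    """
    return "ping -c 1 " + host


def normalize(value: str) -> str:
    """Decode the encodings a filter-bypass relies on, so validation sees the real bytes."""
    decoded = unquote(value)                                   # %3b -> ';'
    decoded = re.sub(r"\\x([0-9A-Fa-f]{2})",                   # \x3b -> ';'
                     lambda m: chr(int(m.group(1), 16)), decoded)
    return decoded.strip()


def validate_host(value: str) -> str:
    """Allowlist check on the normalized value; raises instead of trying to 'clean' it."""
    host = normalize(value)
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return host


def build_ping_safe(host: str) -> list:
    """Hardened form: validated value placed in an argv list, no shell involved.

    Even if validation were looser, ';' or '&&' inside a single argv element is just
    text the ping binary receives, not an operator a shell interprets.
    """
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened command (requires a ping binary; not exercised in the test)."""
    return subprocess.run(build_ping_safe(host), capture_output=True,
                          text=True, timeout=10, check=False)


if __name__ == "__main__":
    probe = "example.com;whoami"
    print("vulnerable:", build_ping_vulnerable(probe))
    try:
        print("safe:", build_ping_safe(probe))
    except ValueError as err:
        print("safe:", err)
```

Note that the safe path never tries to strip bad characters and carry on; it rejects the whole value. Stripping invites exactly the hex-encoding trick above, whereas an allowlist applied after decoding leaves nothing for a second decoding layer to reintroduce.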

That's Enough, TGIF, I hope your Jummuah was awesome.