OS command injection, simple case Write-up
To access the lab, visit the following link:
This lab contains an OS command injection vulnerability in the product stock checker.
The application executes a shell command containing user-supplied product and store IDs, and returns the raw output from the command in its response.
Target goal
To solve the lab, execute the whoami command to determine the name of the current user.
Whoami
The “whoami” command in Linux is used to display the username of the currently logged-in user.
In-band command injection
The raw output of the command is returned directly in the web application's response, so this is in-band command injection: the result of the injected command is visible in the same channel, with no need for an out-of-band technique to confirm execution.
Access the lab
Click on the given button to access the lab.
Burp suite
I have started Burp Suite Community Edition with the web application side by side.
Route Traffic Through Burp Suite
Now we will point the browser at Burp's proxy. FoxyProxy lets us switch the browser's proxy settings with one click so that web traffic is routed through Burp Suite, which is needed for intercepting and inspecting HTTP requests and responses.
Intercepting Traffic
We have turned on the Intercept feature in Burp Suite's Proxy tab. This lets Burp's proxy server hold and inspect every HTTP request and response that passes between our web browser and the target web application.
Click on the “View details” button under any product on the web application, and we can see that the request is intercepted.
Turn Intercept off and go to HTTP history.
In HTTP history we can see the responses of all the requests we made.
Identify Vulnerability
At the beginning of the lab we saw that it contains an OS command injection vulnerability in the product stock checker. So, let's click on “Check stock”.
As soon as we click on “Check stock”, a POST request is highlighted in the Burp Suite HTTP history tab.
Click on that request and it will show the raw data. Let's send it to Repeater. You can do this by right-clicking on the raw data and selecting the “Send to Repeater” option, as shown in the image below.
Performing OS command Injection
To perform the command injection, let's move to the Repeater tab in Burp Suite, where we can see the POST request we sent in the last step. The request takes two parameters, “productId” and “storeId” (highlighted in red in the image below).
Sending injection request
We are not sure whether both parameters are vulnerable to command injection or only one of them, so we inject the command “& whoami” into the first one. The & character lets the shell chain commands together. We don't know how the web application interprets the parameter at the backend, so we select the injected command, press CTRL+U to URL-encode it, and click the Send button (highlighted at the top left corner in the image below) to send the request.
Response
The web application responded with an error saying that the backend script hit an “unbound variable” error at line 5 (highlighted in the green rectangle in the above image). This happened because the script expects two variables, and our injected command sits between them: the & ends the script's command line after the first parameter, so the second variable never reaches it.
Modified injection request
So, let's comment out the second variable and send the request again. You can do this by adding the # character (the shell comment character) before “storeId”, as shown in the image below.
Response
And here we go; see the Response tab in the above image. The command was successfully executed on the backend and we got the username. On the other side, the lab is also marked as solved. Mission accomplished!
Vulnerability Assessment
Let's find out what made OS command injection possible in this web application. Recall that when we first sent the request without commenting out the second variable, the error in the response revealed the path of the bash script running on the backend.
Let's check whether we can display the script by injecting the command “cat /home/peter-4xaLwn/stockreport.sh”. Again we use the & character to chain the cat command with the whoami command, as shown in the image below.
As we can see, the script passes user-supplied input to eval without any validation, which allows execution of arbitrary shell commands; that is what made it vulnerable to OS command injection. To avoid such vulnerabilities, validate and sanitize any input strictly (for example, accept only integer IDs) before it reaches a shell, and pass it as a separate argument rather than as part of a command string. It is generally best to avoid eval altogether, especially when dealing with untrusted data.
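As an added example (this is not the lab's own stockreport.sh, whose contents are only visible in the screenshot), here is a constructed POSIX shell stock checker in the same shape the write-up describes, a command string built from the two IDs and handed to eval, beside a hardened version that accepts only unsigned integer IDs and never uses eval. lookup_stock is a hypothetical stand-in for whatever the real script does with two valid IDs; the "42 units" result is made up.

```shell
#!/bin/sh
# Added example, not the lab's stockreport.sh. lookup_stock is a hypothetical
# stand-in for whatever the real script does once it has two valid IDs.
lookup_stock() {
    printf '%s\n' "42 units of product $1 at store $2"   # constructed result
}

# VULNERABLE: both IDs are spliced into a string that eval re-parses as shell
# code, so a metacharacter such as '&' or ';' in either ID terminates the
# intended command and starts a new one (the pattern the write-up found).
check_stock_vulnerable() {
    eval "lookup_stock $1 $2"
}

# HARDENED: reject anything that is not an unsigned integer, then pass the
# values as separate, quoted arguments. With no eval, nothing is re-parsed.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
        *) return 0 ;;
    esac
}

check_stock_hardened() {
    is_uint "$1" || { echo "rejected: productId must be an integer" >&2; return 1; }
    is_uint "$2" || { echo "rejected: storeId must be an integer" >&2; return 1; }
    lookup_stock "$1" "$2"
}
```

Sourcing this file and calling check_stock_hardened with a productId of "1 ; echo INJECTED" prints only the rejection message on stderr and returns 1, whereas check_stock_vulnerable with the same input runs the echo. The allow-list check (digits only) is what closes the hole; quoting "$1" and "$2" on the lookup_stock call is the second layer, and it is only meaningful because eval is gone.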
To view the write-up of the second lab in the Command Injection series, visit the following link:
Happy Hacking!