Tips for an Information Security Analyst/Pentester career - Ep. 24: command injection

According to OWASP definition, command injection is "an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

This attack differs from Code Injection, in that code injection allows the attacker to add his own code that is then executed by the application. In Code Injection, the attacker extends the default functionality of the application without the necessity of executing system commands".

DVWA contains a demonstration of this vulnerability through a page allowing to attach extra content to an input field.

This page is supposed to allow pinging a host on the network.

Due to the lack of input validation, though, we can attach arbitrary commands to the IP address supposed to be pinged, by using  "; " for UNIX/Linux and "&&"  for Windows systems.

I installed the application on  a Ubuntu virtual machine, so I used the first method to try viewing the /etc/shadow file.

I was unsuccessful, very likely due to lack of appropriate permissions.

However, I was able to view the /etc/passwd file and also the IP configuration for Damn Vulnerable Web Application, through ifconfig command.

Last but not least, I wanted to check my initial guess by appending the whoami command to the input field and, like I guessed, I was logged in as an ordinary user (daemon).

Wrap-up

DVWA demonstrates efficiently and visually how impactful the consequences of a lacking input validation, both on the client and on the server side, can be.

I know this isn't a real-world scenario, but reality can sometimes go beyond any wildest imagination, so we should rather say this stuff shouldn't be supposed to happen, but sometimes it does nonetheless.

Episode 25

Episode 23