search

Examples

hashtag
In Band

circle-check

In-Band CI occurs when the attacker can directly insert and execute malicious commands in a web application or system’s input fields or parameters, using the same channel to both send commands and receive outputs.

hashtag
Simple Payload

The example below is based on TCM's Practical Bug Bountyarrow-up-right course.

The application takes our input and passes it into a curl command which is then grepped (Figure 1.1). We can start simple by just appending a command using ;, but this gives no output (Figure 1.2). Next, we can try commenting out the grep part by using # (Figure 1.3).

Figure 1: A basic example of a command injection attack.

We can also try to achieve RCE by first checking what technology is used on the application and then getting a payload from a repository such as PayloadAllTheThingsarrow-up-right (Figure 2).

Figure 2: Achieving RCE.

hashtag
Complex Payload

The example below is based on TCM's Practical Bug Bountyarrow-up-right course.

The application we need to test tracks the fleet vehicle's coordinates and calculates the distance between its current position and its destination (Figure 3).

Figure 3: Undestanding the application's functionality.

We have two fields that are directly inputted within the executed command. We can start by trying to manipulate the second field first (Figure 4).

Figure 4: Executing a successful CI attack.

We can achieve RCE with the same logic using the previously used payload (Figure 5).

Figure 5: Achieving RCE via a CI vulnerability.

hashtag
Blind

circle-check

Blind CI occurs when the attacker does not see the output of the injected commands directly. Instead, they infer the success or failure of the commands through side effects or indirect responses.

The example below is based on TCM's Practical Bug Bountyarrow-up-right course.

This time we have the same Network Checker app, but the previous attack does not work (Figure 6.1). Either something gets filtered, which we can check (Figure 6.2 & 6.3), or we the command is executed but we don't get any output on the front-end.

Figure 6: An unsuccessful CI attack.

We can try a payload that alters the application's behaviour (similar to Blind SQLi) and see if this works. This can be tested with Burp Suite's Repeater, as it shows the response time in the bottom right corner (Figure 7).

Figure 7: Confirming a blind CI vulnerability.

We also use time and curl to measure the response time within the CLI.

Next, we can achieve RCE by spawning up a web server and passing the desired command as a parameter (Figure 8).

Figure 8: Achieving RCE via a blind CI vulnerability.

hashtag
Capabilities Recon

When we achieve RCE, we can enumerate the target for useful binaries. The w00tw00t was added to the wordlist as an example of what the response of a non-existing binary looks like.

Based on the above results, the response 491 can be filtered out.

hashtag
Reverse Shell

Next, we can try sending a reverse shell from the target to our attack host.

hashtag
File Transfer

If the target is hardened and we are unable to get a reverse shell, we can try downloading a binary to the target ourselves. In the example below, we download the netcat binary, make it executable, and then execute a reverse shell payload.

hashtag
Webshell

If we don't have access to unique binaries and we know the technology that the application uses, we can write our own backdoor. We first need to find the present working directory via the CI vulnerablity (Figure 9).

Figure 9: Enumerating the present working directory.

We can create a payload that creates a PHP webshell under the webroot.

Next, we can interact via our webshell.

PreviousCINextFilters

Last updated