Command-Injection

https://gitlab.com/jobertabma/vulnerable-code/-/tree/master/command-injection?ref_type=heads

Step 1: Understand the Vulnerability

The PHP script takes user input from the host GET parameter.
It directly passes this input into the shell_exec function to execute a ping command without any input sanitization.

Step 2: Create and Run the Bash Script

Create the Bash Script: Create a file named runcomand.sh and add the provided Bash script to it.

#!/bin/bash

echo $1 > _tmp/strip

php -S 127.0.0.1:8080 -t command-injection &

open 'http://127.0.0.1:8080/?host=127.0.0.1; cat /etc/passwd'

wait

Explanation of the Script:

echo $1 > _tmp/strip: This line is just an example of writing some input to a file, it doesn't affect the exploitation.
php -S 127.0.0.1:8080 -t command-injection &: This starts a PHP built-in web server on 127.0.0.1:8080, serving files from the command-injection directory.
open 'http://127.0.0.1:8080/?host=127.0.0.1; cat /etc/passwd': This opens the URL in a web browser, with the host parameter set to 127.0.0.1; cat /etc/passwd. This injects the cat /etc/passwd command after the ping command, exploiting the command injection vulnerability.
wait: This waits for the background processes to finish.

2 . Make the Script Executable: Change the script's permissions to make it executable.

chmod +x runcomand.sh

3. Run the script:

Manually Testing the Exploit:

You can also test the exploit manually by starting the PHP server and accessing the URL in your web browser.

run the PHP server:

php -S 127.0.0.1:8080 -t /path/to/command-injection

Open your browser and go to:

http://127.0.0.1:8080/?host=127.0.0.1; cat /etc/passwd

By doing this, the cat /etc/passwd command will be executed, and the contents of the /etc/passwd file will be displayed on the webpage, demonstrating the command injection vulnerability.

Expected Outcomes:

The expected outcome of exploiting the command injection vulnerability in the provided PHP code is that the contents of the /etc/passwd file will be displayed in the web browser. The /etc/passwd file on Unix-like operating systems contains user account information.

The cat /etc/passwd command is executed on the server, and its output is sent back to the web browser. This confirms that the server is vulnerable to command injection and demonstrates the potential risk of allowing unsanitized user input to be passed directly to system commands.

PreviousBlind-SQL-Injection NextCross-Origin Resource Sharing (CORS)

Last updated 1 year ago