Blind Command Injection
Blind Command Injection is a form of command injection in which the attacker cannot see the output of the injected command in the application's response. Success or failure has to be inferred through a side channel instead: a change in server response time (a time-based test such as sleep), a difference in the message or status the application returns, or an external, out-of-band effect the attacker can observe.
The following PHP code takes the host parameter from an HTTP GET request and passes it, unvalidated, to shell_exec(), which runs a ping command with it on the operating system. Only a yes/no message derived from the ping output is returned to the user; the raw command output is never shown, so an injected command has to be detected indirectly.
<?php
// Vulnerable: the host parameter is concatenated into the command line unchanged.
$host = $_GET['host'];
// The shell parses the whole string, so metacharacters in $host (; | && `) start extra commands.
$ping_result = shell_exec("ping -c 1 " . $host);
// Only a boolean verdict reaches the client; the command output itself never does.
if (strpos($ping_result, '1 packets received') !== false) {
    echo "Host is accessible!";
} else {
    echo "Host is unreachable!";
}
?>
Because the output is not reflected, the injection is best tested with a time delay: a request such as host=127.0.0.1; sleep 10 should take about ten seconds longer than host=127.0.0.1 if the shell executes the appended command. Measure a baseline request first and repeat the test, so that ordinary network jitter is not mistaken for the delay. The accessible/unreachable message is a second, boolean channel that can corroborate the result.
The web application under investigation stores the browser's User-Agent string to keep visitor records. Because that value comes from the User-Agent header, which the client fully controls, it is evaluated for command injection.
A command injection payload is sent; the result of the shell command is not reflected anywhere in the response content, so a blind technique is required. The baseline request carries an ordinary header:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
The User-Agent header is then replaced with a payload and the response time is observed; an injectable application answers about ten seconds later than the baseline:
User-Agent: '; sleep 10'
A plausible guess is that a command such as echo '$userAgent' >> ./logs/user_agent.log runs in the background. With the payload substituted, the shell receives: echo ''; sleep 10'' >> ./logs/user_agent.log. The payload's leading single quote closes the string given to echo, the semicolon ends that command, sleep 10 runs as a second command, and the payload's trailing quote pairs with the template's closing quote, so the command line stays syntactically valid (the '' after 10 is just an empty string appended to the argument). The delay confirms the injection even though nothing is written back to the response.
By controlling the User-Agent header, a client can have arbitrary data written to a file through a shell command without any validation. If shell metacharacters and commands are appended to the header, they execute in the shell with the privileges of the web server process and can compromise the host.
<?php
// Vulnerable: the header is interpolated into the command string unchanged.
$userAgent = $_SERVER['HTTP_USER_AGENT'];
// A single quote in $userAgent ends the quoted string and the rest is parsed as shell syntax.
$command = "echo '$userAgent' >> ./logs/user_agent.log";
// exec() runs the line through the shell; nothing is returned to the client, which makes the injection blind.
exec($command);
?>
This snippet takes the client's User-Agent header and appends it to a file through an echo command that exec() runs on the operating system.
Using escapeshellarg() fixes the issue: it wraps the header in single quotes and escapes any single quote inside it, so the whole value becomes a single argument to echo and shell metacharacters lose their meaning. The function must be applied to the value itself, and the result inserted without any extra surrounding quotes, as shown below. Where the shell is not needed at all, as here, appending with file_put_contents() and FILE_APPEND removes the command line entirely and is the safer design.
<?php
$userAgent = $_SERVER['HTTP_USER_AGENT'];
// escapeshellarg() returns the value single-quoted, with embedded ' turned into '\'' .
$safeUserAgent = escapeshellarg($userAgent);
// No quotes around $safeUserAgent here: escapeshellarg() already supplied them.
$command = "echo $safeUserAgent >> ./logs/user_agent.log";
exec($command);
?>
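As an added example that is not part of the original page, the Python script below reproduces the whole scenario offline: the raw interpolation of the User-Agent logger, the time-based probe from the sleep test described earlier, and the escapeshellarg() fix. It assumes a POSIX /bin/sh with sleep available; subprocess.run(..., shell=True) hands the string to the shell the way PHP's exec() does, and shlex.quote() stands in for escapeshellarg() (shlex.quote escapes an embedded single quote as '"'"' where escapeshellarg uses '\'', with the same effect). The benign User-Agent value is the sample header from the page, and the delay is a parameter so that a short value can be used when trying it out.

```python
"""Added example (not the page's code): blind, time-based command
injection in a User-Agent logger, and the escapeshellarg()-style fix."""
import os
import shlex
import subprocess
import tempfile
import time
from pathlib import Path

# Constructed sample: the benign header from the page's baseline request.
BENIGN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36")


def vulnerable_command(user_agent: str, log_path: str) -> str:
    """Mirrors the PHP template "echo '$userAgent' >> log": raw interpolation."""
    return f"echo '{user_agent}' >> {log_path}"


def hardened_command(user_agent: str, log_path: str) -> str:
    """Mirrors the fixed PHP: shlex.quote() makes the header one shell argument,
    just as escapeshellarg() does, so the shell never sees it as syntax."""
    return f"echo {shlex.quote(user_agent)} >> {shlex.quote(log_path)}"


def sleep_payload(seconds: int) -> str:
    """The page's payload with a configurable delay, e.g. '; sleep 10'"""
    return f"'; sleep {seconds}'"


def run_timed(command: str) -> float:
    """Run the command through /bin/sh (like exec()) and return elapsed seconds.
    Output is discarded: the attacker never sees it, only the timing."""
    start = time.monotonic()
    subprocess.run(command, shell=True, check=False,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return time.monotonic() - start


def time_based_probe(builder, delay: int = 10, log_path: str = "") -> dict:
    """Blind detection: compare the time taken by a benign header against the
    time taken by the sleep payload. A difference of roughly the requested
    delay means the appended command ran. The log content is returned too,
    so the effect of each builder on what is written can be inspected."""
    if not log_path:
        fd, log_path = tempfile.mkstemp(suffix=".log")
        os.close(fd)
    baseline = run_timed(builder(BENIGN_UA, log_path))
    probed = run_timed(builder(sleep_payload(delay), log_path))
    return {
        "baseline_seconds": baseline,
        "payload_seconds": probed,
        # Allow for jitter: count it as injectable at 90% of the requested delay.
        "injectable": probed - baseline >= delay * 0.9,
        "log_lines": Path(log_path).read_text().splitlines(),
    }


if __name__ == "__main__":
    for name, builder in (("vulnerable", vulnerable_command),
                          ("hardened", hardened_command)):
        print(name, time_based_probe(builder, delay=2))
```

With the vulnerable builder the payload request is delayed and the log receives only the benign line, because the injected sleep wrote nothing; with the hardened builder there is no delay and the literal text '; sleep N' lands in the log as harmless data. In a real assessment the baseline should be measured several times before trusting a single slow response.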