Is this vulnerable?


eyenit0

Jr. Member

Posts: 55

Joined: Wed Sep 01, 2010 2:17 pm

Post Tue Dec 23, 2014 10:45 am

Is this vulnerable?

Can someone tell me if this code is vulnerable to command injection? At first I was sure it was but even though I'm able to enter whatever I want into the command string that gets passed to the System() call through a GET parameter, it doesn't get executed. I thought maybe the quotes around the variables prevented it from being successful?

$cmd = "/usr/bin/php /usr/share/www/execution.php '$user_input' '$option1'";

system($cmd);

KrisTeason

Hero Member

Posts: 531

Joined: Sat Sep 08, 2007 7:48 pm

Post Tue Dec 23, 2014 11:25 am

Re: Is this vulnerable?

This looks vulnerable. How does the user's input make it over to the $cmd variable? Via a $_POST parameter? Try manipulating the request with a proxy and see if you can change its value to get a command executed. If you can break out of the quote, you can append (with &&) additional commands that can get executed.

This video will help:
https://www.youtube.com/watch?v=voMQyILvqtI

hayabusa

Hero Member

Posts: 1718

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Dec 23, 2014 4:16 pm

Re: Is this vulnerable?

Scratch my previous reply. I'm blind...

That said, can you run the EXACT command on the command-line, on the host, and have it executed?
~ hayabusa ~ 

"All men can see these tactics whereby I conquer,
but what none can see is the strategy out of which victory is evolved."
- Sun Tzu, 'The Art of War'


OSCE, OSCP (Former - GPEN, C|EH - both expiring / expired)

eyenit0

Jr. Member

Posts: 55

Joined: Wed Sep 01, 2010 2:17 pm

Post Tue Jan 06, 2015 2:53 pm

Re: Is this vulnerable?

Sorry for the extremely late reply. Holidays and all that had me spinning in circles. I just got back to this at work today and found that if I edit the PHP and remove the single quotes around $user_input then I can inject a command successfully via that parameter. So I guess those single quotes are protecting the query. I'm not sure if there's a way around that but that's where it stands right now.
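The quoting behaviour discussed in this thread, as an added example that is not part of any post: single quotes stop the shell from interpreting metacharacters in a value, but a single quote inside the value ends the quoted string, which is why `escapeshellarg()` is the defence rather than hand-written quotes. Assumptions: a POSIX shell, `printf` standing in for `execution.php` so that each argument the shell passes is printed in brackets, and hypothetical function names and constructed sample inputs.

```php
<?php
// Added example, not code from the thread. printf stands in for
// execution.php (assumption) so the shell's argument splitting is visible.

// Same construction as the question: hand-written single quotes.
function build_quoted(string $user_input, string $option1): string {
    return "printf '[%s]\\n' '$user_input' '$option1'";
}

// Hardened form: escapeshellarg() wraps the value in single quotes and
// escapes any single quote inside it, so it always stays one argument.
function build_escaped(string $user_input, string $option1): string {
    return 'printf ' . escapeshellarg('[%s]\n') . ' '
         . escapeshellarg($user_input) . ' ' . escapeshellarg($option1);
}

// exec() hands the string to /bin/sh -c, as system() does, and
// returns the output lines so they can be compared.
function run(string $cmd): array {
    $lines = [];
    exec($cmd, $lines);
    return $lines;
}

// Constructed sample inputs; MARKER is a harmless, visible token.
$samples = [
    "a; echo MARKER",           // shell metacharacters, no quote character
    "a'; echo MARKER; echo '",  // contains a single quote
];

foreach ($samples as $input) {
    foreach (['build_quoted', 'build_escaped'] as $build) {
        $lines = run($build($input, 'fast'));
        // Safe outcome: the program saw exactly the two intended arguments.
        $ok = ($lines === ["[{$input}]", "[fast]"]);
        printf("%-14s %-28s %s\n", $build, json_encode($input),
               $ok ? 'one argument' : 'SPLIT by shell: ' . json_encode($lines));
    }
}
```

Apply `escapeshellarg()` to every value placed in the command string, including `$option1`, or avoid the shell entirely by passing an argument array to `proc_open()` (PHP 7.4 and later).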

hayabusa

Hero Member

Posts: 1718

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Jan 06, 2015 5:25 pm

Re: Is this vulnerable?

Perhaps magic quotes was in play:

http://php.net/manual/en/security.magicquotes.php

eyenit0

Jr. Member

Posts: 55

Joined: Wed Sep 01, 2010 2:17 pm

Post Wed Jan 07, 2015 11:56 am

Re: Is this vulnerable?

Thanks for the suggestion, I hadn't thought of that. I just checked though and it's off. I wonder if there's some sort of other protection somewhere that I can't see. If I run the command from the CLI directly it works fine, but when I pass my input as a parameter it does not. I'll try to dig deeper on it if I can get the time.

jmicgas

Newbie

Posts: 5

Joined: Tue Jun 09, 2015 7:22 am

Post Tue Jun 09, 2015 7:25 am

Re: Is this vulnerable?

I guess it is not. Unless the code is flagged as malware by your antivirus, you are on the safer side.
