Command injection is an attack in which the attacker's goal is to execute arbitrary commands on the web server's operating system through a vulnerable web application. A command injection vulnerability exists when the web application exposes unprotected input fields and passes what a malicious user types in them to the operating system.
During a command injection attack, attacker-supplied OS commands are normally executed with the privileges of the vulnerable web application. Command injection attacks are possible largely because of inadequate input validation. SQL injection and cross-site scripting (XSS) are two related, specialized forms of injection attack.
Injection flaws, such as SQL and OS command injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
OWASP, a worldwide not-for-profit organization that offers free and open software and guidance focused on improving software security, lists injection as the first entry (A1) in the 2013 OWASP Top 10 web application vulnerabilities list: https://www.owasp.org/index.php/Top_10_2013-Top_10.
Security analysts should be able to recognize the different forms of command injection.
The Linux shell allows multiple commands to be entered on a single command line by separating them with semi-colons. Below is an example of using command injection on a Linux host. (Source: https://www.owasp.org/index.php/Command_Injection.)
Used normally, the catWrapper script will output only the contents of the requested Story.txt file:

$ ./catWrapper Story.txt
When last we left our heroes...

By adding a semicolon, followed by another command (like ls in this example), the ls command is executed by the catWrapper script with no complaint:

$ ./catWrapper "Story.txt; ls"
When last we left our heroes...
Story.txt doubFree.c nullpointer.c unstosig.c www* a.out* format.c strlen.c useFree* catWrapper* misnull.c strlength.c useFree.c commandinjection.c nodefault.c trunc.c writeWhatWhere.c
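The following Python program is an added example, not code from the original page or from OWASP. It models the catWrapper script (and equally a CGI handler that hands a query parameter such as doc= to cat) in three ways: the vulnerable form that glues user input into a shell command line, an argv-only form that shows the semicolon losing its meaning once no shell is involved, and a hardened form that allowlists the file name and reads the file with a library call instead of running an external command. It goes beyond the single semicolon case in the text: any separator or substitution syntax the shell understands (| && $( ) and backticks) behaves the same way in the vulnerable path. The scratch directory, the Story.txt content and the "Story.txt; echo INJECTED" payload are constructed for the demonstration; the example assumes a POSIX system with /bin/sh and cat available.

```python
# Added example (not from the original page or OWASP): a Python model of the
# catWrapper script. Assumes a POSIX system with /bin/sh and cat on the PATH.
import os
import re
import subprocess
import tempfile

STORY_TEXT = "When last we left our heroes...\n"   # constructed sample file content

# Allowlist for a bare file name: letters, digits, dot, underscore, hyphen.
# No '/' is allowed, so traversal such as ../../etc/passwd is rejected too.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def vulnerable_cat(user_value, workdir):
    """The catWrapper flaw: user input is concatenated into a shell command line.

    shell=True hands the string to /bin/sh, so ';', '|', '&&', '$(...)' and
    backticks inside user_value are interpreted as shell syntax.
    """
    result = subprocess.run("cat " + user_value, shell=True,
                            capture_output=True, text=True, cwd=workdir)
    return result.stdout


def argv_only_cat(user_value, workdir):
    """No shell: the whole value is a single argv element for cat.

    The ';' is just a character in a (non-existent) file name, so cat fails
    instead of running a second command. Returns (exit status, stdout).
    """
    result = subprocess.run(["cat", user_value],
                            capture_output=True, text=True, cwd=workdir)
    return result.returncode, result.stdout


def safe_cat(user_value, workdir):
    """Hardened form: allowlist validation, then a library call, no shell at all."""
    if not SAFE_NAME.match(user_value):
        raise ValueError("rejected file name: %r" % user_value)
    with open(os.path.join(workdir, user_value), "r", encoding="utf-8") as fh:
        return fh.read()


def run_demo():
    """Create Story.txt in a scratch directory and exercise all three paths."""
    payload = "Story.txt; echo INJECTED"        # constructed attacker input
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, "Story.txt"), "w", encoding="utf-8") as fh:
            fh.write(STORY_TEXT)
        out = {}
        out["vulnerable"] = vulnerable_cat(payload, workdir)       # story + INJECTED
        out["argv_rc"], out["argv_out"] = argv_only_cat(payload, workdir)
        try:
            safe_cat(payload, workdir)
            out["safe_rejected"] = False
        except ValueError:
            out["safe_rejected"] = True
        out["safe_normal"] = safe_cat("Story.txt", workdir)         # legitimate use
        return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, repr(value))
```

Running the block prints the vulnerable output with the injected line, a non-zero exit status and empty output for the argv-only call, and a rejection for the payload in the hardened path. The argv-only call is shown deliberately: removing the shell stops the separator attack on its own, but the allowlist is still needed, because an unvalidated name such as /etc/passwd or ../secret is a perfectly valid single argument.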
In terms of web exploitation, command injection is usually possible when a web site accepts extra strings of characters or arguments without any input validation and then uses those user inputs as arguments when executing a command on the web site's hosting server.
Certain characters have special significance when inserted into web pages or URL content; which ones depends on the HTML specification, the context, and browser interpretation. For command injection specifically, the characters that matter are the ones the server's shell treats specially, such as the semicolon, pipe, ampersand, and the $( ) and backtick substitution syntax.
The following example illustrates the use of command injection in an HTTP request:
- When viewing a file in a web application, the file name is often shown in the URL. Normal URL:
http://www.example.com/sensitive/cgi-bin/userData.pl?doc=user1.txt
- The attacker modifies the above URL so that the doc parameter names /bin/ls instead of a data file; if the script hands the parameter to a shell, the /bin/ls command is executed:
http://www.example.com/sensitive/cgi-bin/userData.pl?doc=/bin/ls
Another example, shown below, appends a semicolon to the end of a URL for a .php page, followed by the cat command, to display the contents of the /etc/passwd file. PHP is a scripting language that can be used for building dynamic web pages. It is especially suited to server-side web development, where the PHP code runs on the web server.
http://www.example.com/info.php?dir=%3Bcat%20/etc/passwd
%3B and %20 are URL (percent) encodings of the actual characters: %3B represents a semicolon and %20 represents a space. The two hex digits are the byte value of the character, which for ASCII characters is also its Unicode code point (U+003B and U+0020). Unicode is a computing industry standard for the consistent encoding, representation, and handling of text expressed in most of the world's writing systems; it provides a unique number for every character (chart reference: http://unicode.org/charts/PDF/U0000.pdf).
Attackers often obfuscate the strings in their attacks with such encoding, sometimes applied more than once (for example %253B, which decodes to %3B and then to a semicolon). Analysts should therefore understand how to decode these strings back to the characters the server's shell will see.
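The following Python script is an added example for the analyst's side of the two URL examples above; it is not code from the original page. It splits the query string of a request URL, percent-decodes each parameter value repeatedly (bounded) so that double-encoded payloads are caught, and flags values containing shell metacharacters or suspicious paths (an absolute path or a ../ component), which covers both the doc=/bin/ls and the dir=%3Bcat%20/etc/passwd cases. The request URLs in SAMPLE_REQUESTS are constructed samples in the style of the page's examples, with two extra variants (a double-encoded semicolon and an encoded &&) that the page does not show.

```python
# Added example (not from the original page): decode percent-encoded query
# parameters and flag shell metacharacters, as an analyst reading web logs would.
import re
from urllib.parse import urlsplit, unquote_plus

# Shell separators and substitution characters that let a second command in.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")
# An absolute path or a ../ component in a file parameter deserves a look too.
SUSPICIOUS_PATH = re.compile(r"^/|(^|/)\.\.(/|$)")

# Constructed sample request URLs (not real log data).
SAMPLE_REQUESTS = [
    "http://www.example.com/sensitive/cgi-bin/userData.pl?doc=user1.txt",
    "http://www.example.com/sensitive/cgi-bin/userData.pl?doc=/bin/ls",
    "http://www.example.com/info.php?dir=%3Bcat%20/etc/passwd",
    "http://www.example.com/info.php?dir=%253Bid",            # double-encoded ';'
    "http://www.example.com/info.php?dir=uploads%26%26whoami", # encoded '&&'
]


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded payload such as %253B still comes out as ';'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def split_query(url):
    """Yield (name, raw_value) pairs from the query string without decoding,
    so that the raw form can be kept in the finding for the report."""
    for pair in urlsplit(url).query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        yield name, raw


def find_injection(url):
    """Return a list of findings (one per suspicious parameter) for a URL."""
    findings = []
    for name, raw in split_query(url):
        decoded = fully_decode(raw)
        metachars = sorted(set(SHELL_META.findall(decoded)))
        path_hit = bool(SUSPICIOUS_PATH.search(decoded))
        if metachars or path_hit:
            findings.append({
                "param": name,
                "raw": raw,
                "decoded": decoded,
                "metachars": metachars,
                "suspicious_path": path_hit,
            })
    return findings


def scan(urls):
    """Map each URL to its findings; an empty list means nothing was flagged."""
    return {url: find_injection(url) for url in urls}


if __name__ == "__main__":
    for url, findings in scan(SAMPLE_REQUESTS).items():
        print(url)
        for finding in findings:
            print("   ", finding)
```

The bounded decoding loop matters: a signature that only decodes once sees %3B in the double-encoded request and misses the semicolon, which is exactly the evasion the obfuscation is meant to achieve. Splitting the query on & before decoding also keeps an encoded %26%26 inside its parameter, where it belongs.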
PHP code can be embedded in the HTML that makes up a web page. When a browser requests a page that contains PHP code, the web server executes the PHP code before sending the response, so the browser does not need any special plug-in or anything else to see the PHP in action.
Below is an example of a PHP script. When this script is requested by a web browser, the web server executes it and the browser displays "CCNA Rules". The <?php and ?> tags start and end the PHP script, and the actual content of the script goes between them.

<!DOCTYPE html>
<html>
<body>
<?php echo "CCNA Rules"; ?>
</body>
</html>
Countermeasures to command injection attacks include the following:
- Command injection attacks can occur when unsanitized user input is passed to a command interpreter. To prevent them, application developers should follow best practices for input validation (allowlist the characters or values a parameter may contain rather than trying to blocklist dangerous ones) and, wherever possible, avoid invoking a shell with user-controlled data at all, by calling the program with an argument list or by using a library function instead of an external command.
- Deploy an IPS solution to detect and block malicious command injection attempts. Encoded or otherwise obfuscated payloads can evade simple signatures, so the IPS is an additional layer of defense, not a substitute for fixing the application.