7.10 Command Injection

Command injection attacks are very similar to SQL injection attacks. A command injection is possible if a program on the web server accepts unfiltered or badly filtered input that is then executed as a shell command.

This kind of attack was common in the late 1990s and early 2000s, but has become much rarer over the years thanks to the widespread use of frameworks and library APIs in the programming languages. Some time ago it was far easier to send a mail by executing `os.system("echo '" + msg + "' | mail user")`, but today one uses libraries such as smtplib.

The problem of command injection is exactly the same as in SQL injection: the user is allowed to insert characters that have a special meaning for a subsystem, in this case a shell. The characters worth mentioning here are `;`, `|`, `&&` and `||` to concatenate commands, `<` and `>` to redirect program input and output, and `#` to comment out the rest of the line.

Feeding the above example an e-mail message consisting of `hacker::0:0:root:/root:/bin/zsh' > /etc/passwd #` would add a new root user named hacker without any password, provided the web server or the called script runs as root, because the shell command that gets executed is:

```sh
echo 'hacker::0:0:root:/root:/bin/zsh' > /etc/passwd #' |mail user
```
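
To make the quoting problem concrete, here is an added Python 3 example (not from the book) that builds the mailer command line both the vulnerable way and with `shlex.quote`, then tokenises each the way a POSIX shell would. `shlex` is used as a stand-in for `/bin/sh`, so nothing is executed; the payload string is the one from the section, embedded as constructed sample input.

```python
import shlex

# Shell characters listed in the section; a message containing any of
# them must never be spliced into a command line as a bare string.
SHELL_METACHARS = [";", "|", "&&", "||", "<", ">", "#", "'"]

# The passwd-line payload from the text, as constructed sample input.
PAYLOAD = "hacker::0:0:root:/root:/bin/zsh' > /etc/passwd #"


def vulnerable_command(msg):
    """Build the command line the way the old os.system() mailer did."""
    return "echo '" + msg + "' | mail user"


def hardened_command(msg):
    """Same command, but msg is quoted so the shell treats it as one word.
    (Calling subprocess.run(["mail", "user"], input=msg) with no shell
    at all is better still.)"""
    return "echo " + shlex.quote(msg) + " | mail user"


def shell_tokens(cmd):
    """Tokenise cmd as a POSIX shell would: quotes group words, '#' starts
    a comment, and | > < ; && become separate operator tokens. shlex is
    only a stand-in for /bin/sh here, so nothing gets executed."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lexer)


def shell_metachars_in(msg):
    """Metacharacters from the list above that occur in msg (for logging)."""
    return [c for c in SHELL_METACHARS if c in msg]


if __name__ == "__main__":
    for build in (vulnerable_command, hardened_command):
        print(build.__name__, "->", shell_tokens(build(PAYLOAD)))
    print("metachars in payload:", shell_metachars_in(PAYLOAD))
```

In the vulnerable form the user's `'` closes the quote, `>` becomes a redirection and `#` swallows the intended `| mail user`; in the hardened form the whole payload stays one argument to `echo`.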

Today, command injections can mostly only be found in embedded devices such as switches, printers, home routers or surveillance cameras. This is because they often execute commands directly at OS level to display data to the user or to activate system configuration changes. This keeps command injection attacks attractive, even more so because sysadmins do not update embedded devices as frequently as normal systems. They seem to think of them as mere hardware and overlook the fact that they run code that is reachable over the network. Additionally, most admins will not trust their intrusion detection logs if they report that the printer or the surveillance camera at the front door has attacked the primary domain controller with a brute-force attack. That is a lapse with potentially high risk. Embedded devices have as much CPU power, RAM and disk space as a PC from a few years ago, and a keen attacker will discover them as one of the first "low-hanging fruits" and grab them. So let us scan the security of the embedded devices plugged into your network! Here too: an automatic scan can never be as good as a manual audit and will only find the most obvious flaws.

The code of the command injection scanner is nearly the same as that of the SQL injection example, therefore only the differences are printed here.

```python
#!/usr/bin/python

###[ Loading modules

import sys
import httplib2
from urlparse import urlparse
from BeautifulSoup import BeautifulSoup

###[ Global vars

max_urls = 999
# shell metacharacters appended to each parameter value
inject_chars = ["|",
                "&&",
                ";",
                "'"]
# strings in a response that indicate the shell choked on the input
error_msgs = [
    "syntax error",
    "command not found",
    "permission denied",
]

# ...
```
