Command injection is the abuse of an application's behaviour to execute commands on the operating system, with the same privileges as the user the application runs as on the server.
It is also referred to as Remote Code Execution.
<?php
$songs = "/var/www/html/songs";
if (isset($_GET["title"])) {
    $title = $_GET["title"];
    // $title goes into the shell command unchecked: this is the injection point
    $command = "grep $title /var/www/html/songtitle.txt";
    $search = exec($command);
    if ($search == "") {
        $return = "<p> The requested song </p><p> $title does </p><b> not</b><p>exist!</p>";
    } else {
        $return = "<p> The requested song </p><p> $title does </p><b>exist!</b>";
    }
    echo $return;
}
?>
Here the song title is input supplied by the user; the program places that title straight into a grep command and runs it against the file. Because the input is never checked, a user can append their own commands to it.
Shell operators such as ; , & and && join two or more system commands on one line, so whatever follows the operator is executed as a separate command.
Blind Command Injection - the application gives no output for the test payload, so you have to judge whether it ran from the application's behaviour.
curl http://vulnerable.app/process.php%3Fsearch%3DThe%20Beatles%3B%20whoami
Verbose Command Injection - the application gives direct feedback for the test payload you send. Ex: the input whoami will print the username on the page directly.
Linux:
whoami - to see which user the application is running as.
ls - list the contents of the current directory.
ping - the application will hang while it sends the requested number of pings.
sleep - useful when the application's host does not have ping installed.
nc - useful to spawn a reverse shell.
Windows:
whoami - as above.
dir - list the contents of the current directory.
ping - as above.
timeout - useful when ping is not installed; it will also make the application hang.
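The blind and verbose probes above leave traces in the web server's access log. Added here as an example (not from the original notes, and not any project's code): a small PHP 8 script that scans constructed access-log lines for the shell operators and probe commands listed above. The function names, the Apache-style log format and the sample lines are my own assumptions.

```php
<?php
// Added example, not part of the original notes: scan web-server access-log
// lines for the shell operators and probe commands described above.
// The log lines are constructed samples in Apache combined format.

declare(strict_types=1);

// Operators that chain a second command onto the intended one.
const SHELL_OPERATORS = ['&&', '||', ';', '|', '&', '`', '$('];

// Commands typically run first to confirm that injection works.
const PROBE_COMMANDS = 'whoami|sleep|ping|nc|timeout|dir|ls';

/** Pull the raw query string out of the request line, or null if there is none. */
function extractQuery(string $logLine): ?string
{
    if (preg_match('#"[A-Z]+ [^ ?"]*\?([^ "]*) HTTP/[0-9.]+"#', $logLine, $m) !== 1) {
        return null;
    }
    return $m[1];
}

/**
 * Return one finding per suspicious parameter:
 * ['param', 'value' (decoded), 'operators', 'commands', 'severity'].
 */
function findInjectionIndicators(string $logLine): array
{
    $query = extractQuery($logLine);
    if ($query === null) {
        return [];
    }
    $findings = [];
    // Split on the literal '&' first and decode each value afterwards, so an
    // encoded %26 inside a value is seen as a '&' operator, not a separator.
    foreach (explode('&', $query) as $pair) {
        $eq = strpos($pair, '=');
        $name = $eq === false ? $pair : substr($pair, 0, $eq);
        $value = urldecode($eq === false ? '' : substr($pair, $eq + 1));

        $operators = array_values(array_filter(
            SHELL_OPERATORS,
            fn(string $op): bool => str_contains($value, $op)
        ));
        preg_match_all('/\b(' . PROBE_COMMANDS . ')\b/i', $value, $m);
        $commands = array_values(array_unique(array_map('strtolower', $m[1])));

        // An operator followed by a known probe command is the strongest signal;
        // an operator on its own is still worth recording.
        if ($operators !== []) {
            $findings[] = [
                'param'     => $name,
                'value'     => $value,
                'operators' => $operators,
                'commands'  => $commands,
                'severity'  => $commands !== [] ? 'high' : 'medium',
            ];
        }
    }
    return $findings;
}

// Constructed sample lines (documentation IP ranges, not real traffic).
const SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /process.php?search=The%20Beatles HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /process.php?search=The%20Beatles%3B%20whoami HTTP/1.1" 200 530',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /process.php?search=x%26%26%20sleep%2010 HTTP/1.1" 200 498',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 1024',
];

if (PHP_SAPI === 'cli') {
    foreach (SAMPLE_LOG as $i => $line) {
        foreach (findInjectionIndicators($line) as $f) {
            printf("line %d: %s severity, param=%s operators=%s commands=%s\n",
                $i + 1, $f['severity'], $f['param'],
                implode(' ', $f['operators']), implode(' ', $f['commands']) ?: '-');
        }
    }
}
```

Run it with php on the command line: the first and last sample lines produce nothing, the second is flagged high (operator ; plus whoami) and the third high (&& plus sleep). Decoding each value only after splitting the query on the literal & is what makes the %26%26 case visible; decoding the whole query first would turn it into extra parameters and hide the operator.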
Vulnerable functions in PHP
Proper checks should be done on user input before it is passed to these functions (exec(), used in the example above, is one of them).
Input sanitization is a good way to prevent command injection.
<?php
// filter_input() returns false when the value is not an integer and null when it is absent
$number = filter_input(INPUT_GET, "number", FILTER_VALIDATE_INT);
if ($number === false || $number === null) {
    exit("Invalid number");
}
?>
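Putting the two halves together, here is the song lookup from the first snippet rewritten so that user input never reaches a shell, with an escapeshellarg() fallback for code that really must shell out. This is an added example, not the page's or any project's code; the file path is taken from the snippet above, while the function names, the allow-list pattern and the length limit are my assumptions.

```php
<?php
// Added example (not the original page's code): the song lookup rewritten so
// that user input never reaches a shell.
// Assumption: the song list lives at /var/www/html/songtitle.txt, one title per line.

declare(strict_types=1);

const SONG_FILE = '/var/www/html/songtitle.txt';

/**
 * Allow-list validation: accept only the characters a song title needs.
 * Everything else (; & | ` $ ( ) newlines, ...) is rejected outright rather than
 * "filtered out". The check runs on the already-decoded value, so encoded
 * forms of the rejected characters are refused as well.
 */
function isValidTitle(string $title): bool
{
    return strlen($title) <= 100
        && preg_match('/^[A-Za-z0-9 \'.,!?()-]+$/', $title) === 1;
}

/**
 * Preferred fix: do the search in PHP. No exec(), no shell, no injection surface.
 */
function songExists(string $title, string $file = SONG_FILE): bool
{
    $lines = @file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return false; // an unreadable list is reported as "not found", not as an error page
    }
    foreach ($lines as $line) {
        if (stripos($line, $title) !== false) {
            return true;
        }
    }
    return false;
}

/**
 * If shelling out is unavoidable: build the command only from an allow-listed
 * value wrapped in escapeshellarg(), so the title becomes a single quoted token
 * and any shell operator inside it is inert. The "--" stops a title that
 * starts with "-" from being read as a grep option, and -F disables regex
 * interpretation of the title.
 */
function buildGrepCommand(string $title, string $file = SONG_FILE): ?string
{
    if (!isValidTitle($title)) {
        return null;
    }
    return 'grep -i -F -- ' . escapeshellarg($title) . ' ' . escapeshellarg($file);
}

// Request handling, mirroring the flow of the original snippet.
if (PHP_SAPI !== 'cli' && isset($_GET['title'])) {
    $title = (string) $_GET['title'];
    if (!isValidTitle($title)) {
        http_response_code(400);
        exit('<p>Invalid song title.</p>');
    }
    // The original echoed the title raw into HTML; escape it on output.
    $safeTitle = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    echo songExists($title)
        ? "<p>The requested song $safeTitle exists!</p>"
        : "<p>The requested song $safeTitle does not exist!</p>";
}
```

The design point is the order of defences: first decide whether a shell is needed at all (here it is not, since PHP can read the file itself), then validate against an allow-list rather than stripping known-bad characters, and only then, if a command must be run, quote the argument with escapeshellarg(). escapeshellarg() protects against shell operators but not against argument injection into the program being called, which is why the grep command also carries "--".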
Bypassing Filters:
An application may apply numerous filters and sanitizers to a user's input, but they can sometimes be bypassed by supplying the payload in hexadecimal. A filter might catch quotation marks or ; , yet let them through when they are passed in hexadecimal form.