OS command injection

-

Description

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

This attack differs from Code Injection, in that code injection allows the attacker to add his own code that is then executed by the application. In Code Injection, the attacker extends the default functionality of the application without the necessity of executing system commands.

Introduction

Injection flaws allow attackers to pass malicious code through a web application to another sub system. Depending on the subsystem different types of injection attack can be performed: RDBMS: SQL Injection WebBrowser/Appserver: SQL Injection OS-shell: Operating system commands Calling external applications from your application.

How to locate the potentially vulnerable code

Many developers believe text fields are the only areas for data validation. This is an incorrect assumption. Any external input must be data validated:

Text fields, List boxes, radio buttons, check boxes, cookies, HTTP header data, HTTP post data, hidden fields, parameter names and parameter values. … This is not an exhaustive list.

“Process to process” or “entity-to-entity” communication must be investigated also. Any code that communicates with an upstream or downstream process and accepts input from it must be reviewed.

All injection flaws are input validation errors. The presence of an injection flaw is an indication of incorrect data validation on the input received from an external source outside the boundary of trust, which gets more blurred every year.

Basically for this type of vulnerability we need to find all input streams into the application. This can be from a users browser, CLI or fat client but also from upstream processes that “feed” our application.

An example would be to search the code base for the use of API’s or packages that are normally used for communication purposes.

The java.iojava.sqljava.netjava.rmi,java.xml packages are all used for application communication. Searching for methods from those packages in the code base can yield results. A less “scientific” method is to search for common keywords such as “UserID”, “LoginID” or “Password”.

Vulnerable Patterns for OS injection

What we should be looking for are relationships between the application and the operating system. The application utilising functions of the underlying operating system.

In java using the Runtime object,java.lang.Runtime does this. In .NET calls such as System.Diagnostics.Process.Startare used to call underlying OS functions. In PHP we may look for calls such as exec()or passthru().

Comments

Post a Comment

Popular posts from this blog

A single Tamil word Crash any Iphone Device

-
Image
A Single-Character Message Can Crash Any Apple iPhone, iPad Or Mac   Thursday, February 15, 2018 A single indian tamil word crash all iPhone device Only a single character can crash your iPhone and block access to the Messaging app in iOS as well as popular apps like WhatsApp, Facebook Messenger, Outlook for iOS, and Gmail. First  spotted  by Italian Blog Mobile World, a potentially new severe bug affects not only iPhones but also a wide range of Apple devices, including iPads, Macs and even Watch OS devices running the latest versions of their operating software. Like previous 'text bomb' bug, the new flaw can easily be exploited by anyone, requiring users to send only a single character from Telugu—a native Indian language spoken by about 70 million people in the country. Once the recipient receives a simple message containing the symbol or typed that symbol into the text editor, the character immediately instigates crashes on iPhones, iPads, Macs,
Read more

Google dork list in 2017

-
Google Dorks List 2017 | Fresh Google Dorks 2017 for SQLi about.php?cartID= accinfo.php?cartId= acclogin.php?cartID= add.php?bookid= add_cart.php?num= addcart.php? addItem.php add-to-cart.php?ID= addToCart.php?idProduct= addtomylist.php?ProdId= adminEditProductFields.php?intProdID= advSearch_h.php?idCategory= affiliate.php?ID= affiliate-agreement.cfm?storeid= affiliates.php?id= ancillary.php?ID= archive.php?id= article.php?id= phpx?PageID basket.php?id= Book.php?bookID= book_list.php?bookid= book_view.php?bookid= BookDetails.php?ID= browse.php?catid= browse_item_details.php Browse_Item_Details.php?Store_Id= buy.php? buy.php?bookid= bycategory.php?id= cardinfo.php?card= cart.php?action= cart.php?cart_id= cart.php?id= cart_additem.php?id= cart_validate.php?id= cartadd.php?id= cat.php?iCat= catalog.php catalog.php?CatalogID= catalog_item.php?ID= catalog_main.php?catid= category.php category.php?catid= category_list.php?id= categorydisplay.php?
Read more

New Saturn Ransomawer

-
Image
New Saturn Ransomware Actively Infecting Victims A new ransomware was discovered this week by  MalwareHunterTeam  called Saturn. This ransomware will encrypt the files on a computer and then append the .saturn extension to the file's name. The Saturn Ransomware is being actively distributed, but at this time it is unknown what distribution methods are being used. Unfortunately, this ransomware is not decryptable at this time, but it is currently being researched for weaknesses. In the mean time, if you wish to discuss or receive help, you can use our dedicated  Saturn Ransomware Help & Support topic . How Saturn Ransomware encrypts a computer When Saturn Ransomware is installed it will check to see if the victim is running in a virtual environment. If it detects that it is running under a virtual machine, it will exit the process. If it does not detect a virtual machine, Saturn will execute the following commands to delete shadow volume copies, disable Windows sta
Read more