Chapter 9  ■ Injecting Code

Finding OS Command Injection Flaws

In your application mapping exercises (see Chapter 4), you should already

have identified any instances where the web application appears to be inter-

acting with the underlying operating system, by calling out to external

processes or accessing the file system. You should probe all of these functions

looking for command injection flaws. In fact, however, the application may

issue operating system commands containing absolutely any item of user-

supplied data, including every URL and body parameter and every cookie. To

perform a thorough test of the application, you therefore need to target all

these items within every application function. 

Different command interpreters handle shell metacharacters in different

ways. In principle, any type of application development platform or web server

may call out to any kind of shell interpreter, running either on its own operating

system or that of any other host. You should not therefore make any assump-

tions about the application’s handling of metacharacters based on any knowl-

edge of the web server’s operating system.

There are two broad types of metacharacter that may be used to inject a sep-

arate command into an existing preset command:

■■

The characters 

; | &

and newline may be used to batch multiple com-

mands together, one after the other. In some cases, these characters may

be doubled up with different effects. For example in the Windows com-

mand interpreter, using 

&&

will cause the second command to run only

if the first is successful. Using 

||

will cause the second command to

always run, regardless of the success of the first.

■■

The backtick character (

`

) can be used to encapsulate a separate com-

mand within a data item being processed by the original command, as

in the example given at the beginning of this chapter. Placing an injected

command within backticks will cause the shell interpreter to execute the

command and replace the encapsulated text with the results of this com-

mand, before continuing to execute the resulting command string.

In the previous examples, it was straightforward to verify that command

injection was possible, and to retrieve the results of the injected command,

because those results were returned immediately within the application’s

response. In many cases, however, this may not be possible. You may be inject-

ing into a command that returns no results and which does not affect the appli-

cation’s subsequent processing in any identifiable way. Or the method you

have used to inject your chosen command may be such that its results are lost

as multiple commands are batched together.

The most reliable way in general to detect whether command injection is

possible is to use time-delay inference in a similar way as was described for

exploiting blind SQL injection. If a potential vulnerability appears to exist, you

can then use other methods to confirm this and to retrieve the results of your

injected commands.

Download 5,76 Mb.

Do'stlaringiz bilan baham: