Manual detection

To detect command injection vulnerabilities, open Burp Suite and intercept the request where you think there is a potential vulnerability.

We suspect the ip parameter. The application's normal flow is that the user enters an IP address and the application pings it. If we imagine what happens in the backend, we can suppose that the ip parameter is stored in a PHP variable and then concatenated with the string ping, producing a string that contains both the command and the IP address.

Finally, this complete string is passed as a parameter to a function responsible for executing it as a low-level OS command. So, if the ip parameter is not validated correctly to restrict the user to sending only an IP address, a malicious user can use this parameter to execute other commands:

  1. To test it, capture the request using Burp Suite's Proxy, as follows:

  2. Now, as we gathered, it is probable that the ip parameter is not correctly validated, but we have the restriction that system(), exec(), and similar functions execute only one command line at a time. So, how is it possible to execute more than one command in one line? The answer is the ; character, which tells the OS shell that the first command has finished and a new one starts. So, if we could see the resulting string, it would look like the following:

ping 127.0.0.1; ifconfig

Let's see whether this analysis works in the following screenshot:

Right, as you can see in the response, the application returns the output of the second command. So we can infer that, as in SQL injection, the wildcard here is the ; character followed by a simple command. If we insert it into all of the input fields of an application, we can detect where the OS command vulnerabilities are, as follows:

  3. Navigate to the Intruder tool and click on the Payloads tab. Here, we will define only one string as the payload and launch the same string against all the fields we want, as shown in the following screenshot:

  4. As we know the result of this command, we will use the search bar to look for a pattern in the response, as demonstrated in the following screenshot:

This is the way to detect OS command vulnerabilities. Now, let's see how we can detect XSS vulnerabilities.
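The following is an added example, not code from the book or from the ping application it describes. It reproduces the reasoning above in Python rather than PHP: the unsafe concatenation pattern, what the shell sees once the ; character is in the ip parameter, the validation the backend should have done, and the two checks a tester performs (which parameters carry a shell metacharacter, and which responses contain the marker text the second command would produce). The sample parameter values and response bodies are constructed for the example; the function names are the example's own.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample input: the value the chapter shows being sent in the ip parameter.
INJECTED_VALUE = "127.0.0.1; ifconfig"


def build_vulnerable_command(ip: str) -> str:
    """Mirror of the unsafe backend pattern: raw concatenation into one shell string."""
    return "ping -c 1 " + ip


def shell_sees(command: str) -> List[str]:
    """Simplified view of how the shell splits a command line on ';' into separate commands."""
    return [part.strip() for part in command.split(";") if part.strip()]


def validate_ip(value: str) -> Optional[str]:
    """Accept only a syntactically valid IPv4/IPv6 address; anything else is rejected."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def build_safe_command(ip: str) -> Optional[List[str]]:
    """Hardened form: validate first, then build an argv list.

    The list is meant for subprocess.run(argv, shell=False), so no shell ever parses it
    and a ';' in the parameter can never start a second command.
    """
    validated = validate_ip(ip)
    if validated is None:
        return None
    return ["ping", "-c", "1", validated]


# Characters that let a shell chain or substitute commands (a detection heuristic, not a full grammar).
SHELL_METACHARS = re.compile(r"[;&|`$()\n]")


def flag_suspicious_params(params: Dict[str, str]) -> List[str]:
    """Return the names of request parameters whose values contain shell metacharacters."""
    return [name for name, value in params.items() if SHELL_METACHARS.search(value)]


def find_injectable_fields(responses: Dict[str, str], marker: str) -> List[str]:
    """Step 4 of the chapter: which fields' responses contain the marker the second command prints."""
    return [field for field, body in responses.items() if marker in body]


if __name__ == "__main__":
    print(shell_sees(build_vulnerable_command(INJECTED_VALUE)))
    print(build_safe_command(INJECTED_VALUE))
    print(build_safe_command("127.0.0.1"))
    # Constructed response bodies, one per injected field (the "ip" one echoes ifconfig output).
    constructed = {
        "ip": "PING 127.0.0.1 ...\neth0: flags=4163<UP,BROADCAST>  mtu 1500\n",
        "name": "Hello, 127.0.0.1; ifconfig\n",
    }
    print(find_injectable_fields(constructed, "mtu 1500"))
```

Running the block prints the two commands the shell would execute for the unsafe concatenation, None for the hardened builder (the injected value is not an IP address), the clean argv list for a genuine address, and ['ip'] as the only field whose response carried the marker.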
