Shell Command Injection
Shell Command Injection is a really simple concept and vulnerability that a lot of website designers overlook. The only time one needs to worry about this type of exploit is when a web application issues a direct system command, for example a PHP page that lists the directory contents using ls, or a CGI script written in Perl that looks up whois information. Usually such a web application works like this.
1. Prompt User to Enter some Information (example: directory name)
2. Create a string with the first part of the command (example: ls)
3. Concatenate the user input string and the command string
4. Issue the concatenated string as a shell command to the system and direct the output back to the user
This is a really stupid thing to do, not many people do it, but a few still do. So for example, you go to a web application that is used for getting whois information: you enter the domain name and it outputs the whois info. Useful, but very exploitable.
How? Simple. You simply append your own commands to the web application's input. In *nix environments, you can chain multiple commands using the &&, & and ; characters. Let us see an example: I have a PHP website that queries the whois information via a system call.
This is what one is expected to do
1. Enter janitha.com and submit
2. PHP script Concatenates “whois ” + “janitha.com”
3. Script sends the final string to the system as a command
4. Script prints whois results back to the user
This is the exploit
1. Enter janitha.com&id&uname -a and submit
2. PHP script Concatenates “whois ” + “janitha.com&id&uname -a”
3. Script sends the final string to the system as a command
4. Script prints the output of that whois, id, and uname -a to the user
The seemingly innocent whois PHP website just became a shell-command-executing monster (cue evil laughter). But things won’t be this easy all the time. What if the web application appends some more strings to the end? Just add another command delimiter to the end of the user input. Just to be safe, add a command delimiter plus a random character.
Let’s take the example where the whois script page just asks for the domain name without the .com. So what the user is expected to do is just enter janitha if they want the information regarding janitha.com. Here comes the exploit.
1. Enter janitha;id;uname -a;x and submit
2. PHP script Concatenates “whois ” + “janitha;id;uname -a;x” + “.com”
3. Script sends the final string to the system as a command
4. Script prints the output of that whois, id, and uname -a and an error message to the user
Let’s see what just happened. The string that the server executed was “whois janitha;id;uname -a;x.com”, which actually contains 4 separate commands.
1. whois janitha (which would give a error)
2. id (print the UID and GID of the user executing the command)
3. uname -a (give some system information)
4. x.com (garbage)
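The following is an added example, not code from the original post. It is a whois page written in the shape the post describes (the “whois ” + input + “.com” concatenation of the second scenario), shown beside the two fixes that keep the shell from treating user input as command syntax: escapeshellarg(), which quotes the value so it reaches whois as one argument, and proc_open() with an array command (PHP 7.4 and later), which executes whois directly with no /bin/sh in between. The function names and the sample input are the example’s own; allowlist validation of the input still belongs in front of either fix.

```php
<?php
// Added example (not the post's own code): the whois page as the post
// describes it (vulnerable), then with the two fixes that stop the shell
// from seeing user input as syntax.

// VULNERABLE: user input is concatenated into a command line and handed to
// /bin/sh, so "janitha;id;uname -a;x" becomes several commands.
function whois_vulnerable(string $name): string
{
    $cmd = 'whois ' . $name . '.com';
    $out = shell_exec($cmd);
    return is_string($out) ? $out : '';
}

// FIX 1: escapeshellarg() wraps the value in single quotes and escapes any
// embedded single quote, so ';', '&', '|', newlines and spaces reach whois
// inside one argument. The shell still runs, but the input is data, not syntax.
function whois_quoted(string $name): string
{
    $cmd = 'whois ' . escapeshellarg($name . '.com');
    $out = shell_exec($cmd);
    return is_string($out) ? $out : '';
}

// FIX 2 (preferred): skip the shell. With an array argument (PHP 7.4+),
// proc_open() executes the program directly; there is no /bin/sh to parse
// metacharacters, so there is nothing to inject into.
function whois_noshell(string $name): string
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['whois', $name . '.com'], $spec, $pipes);
    if (!is_resource($proc)) {
        return 'whois is not available on this server.';
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out === false ? '' : $out;
}

// Build the command line each shell-based variant would run, without
// executing anything, so the difference can be inspected in a log or test.
function command_line_for(string $name): array
{
    return [
        'vulnerable' => 'whois ' . $name . '.com',
        'quoted'     => 'whois ' . escapeshellarg($name . '.com'),
    ];
}

// Constructed input, taken from the post's second scenario.
$input = 'janitha;id;uname -a;x';
foreach (command_line_for($input) as $variant => $line) {
    printf("%-10s %s\n", $variant, $line);
}
```

Run from the command line, the loop prints the unquoted line (three shell commands plus a garbage word) next to the quoted one (a single whois argument). In a real page, only whois_noshell() or whois_quoted() would be wired to $_GET; whois_vulnerable() is kept only to show the pattern under discussion.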
So what? One might think this is really weak since it can only run simple commands. But what if I tell you that you can even write and run your own scripts with this? So if you can write a script, one could write one that would elevate the privileges of the user it’s being run as (probably the apache daemon or something similar). Most likely the web server daemon won’t have write access to the web directories, so you will have to write your script in /tmp.
To write a script, simply echo each line into a text file in /tmp so that the lines append to the file. For the same script discussed earlier, if you send these as the user input you can write a simple script.
blah & echo \#\!/bin/bash >> /tmp/script &x
blah & echo ls >> /tmp/script &x
blah & chmod +x /tmp/script &x
blah & /tmp/script &x
Now you just made a tiny script in /tmp/script that will simply run ls. But you get the idea: you can put whatever you want in that script. And sometimes the server might simply have wget available (most of the time, web servers have it disabled or not installed), so one could download whatever script or application they want from online and execute that.
It’s a pretty deep exploit; one can really own a server this way. So before you pass user input from a public web interface into a shell command, make sure it strips out all unexpected characters and runs some more checks (such as, if the input is supposed to be a domain, checking that it ends in .com). Hope this was informative. Enjoy!
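As an added example of the checks the closing paragraph calls for (not code from the original post), the validator below accepts only what a domain name can legitimately contain and logs anything else. It covers both input shapes the post uses: a full domain such as janitha.com, and a bare label such as janitha to which the script appends .com. The function names, the regular expression and the sample inputs are the example’s own; the rejected samples are the strings quoted earlier in the post.

```php
<?php
// Added example, not from the original post: allowlist validation for the
// two input shapes the post describes, with logging of rejected input.

// A single DNS label: 1-63 characters of letters, digits or hyphen, not
// starting or ending with a hyphen. Anything outside this set (';', '&',
// '|', spaces, quotes, '/') is rejected, so no stripping is needed.
const LABEL_RE = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';

function is_valid_label(string $s): bool
{
    return (bool) preg_match('/^' . LABEL_RE . '$/', $s);
}

// A full hostname: two or more labels joined by dots, 253 characters at most.
function is_valid_hostname(string $s): bool
{
    if (strlen($s) > 253) {
        return false;
    }
    return (bool) preg_match('/^' . LABEL_RE . '(\.' . LABEL_RE . ')+$/', $s);
}

// Check one input and record rejections, so an attempt like the post's
// "janitha;id;uname -a;x" shows up in the web server's error log instead of
// being handed to /bin/sh. $bareLabel selects which shape is expected.
function check_input(string $s, bool $bareLabel): bool
{
    $ok = $bareLabel ? is_valid_label($s) : is_valid_hostname($s);
    if (!$ok) {
        // hex-encode the value so control characters cannot mangle the log line
        error_log(sprintf('rejected whois input (%d bytes): %s', strlen($s), bin2hex($s)));
    }
    return $ok;
}

// Constructed sample inputs: [input, bare label expected?, should be accepted?]
$samples = [
    ['janitha.com',                    false, true],
    ['janitha.com&id&uname -a',        false, false],
    ['janitha',                        true,  true],
    ['janitha;id;uname -a;x',          true,  false],
    ['-bad.example',                   false, false],
    ['blah & chmod +x /tmp/script &x', true,  false],
];

foreach ($samples as [$input, $bare, $expected]) {
    $got = check_input($input, $bare);
    printf("%-32s %s\n", $input, $got === $expected ? 'ok' : 'MISMATCH');
}
```

The validator is deliberately an allowlist rather than a blocklist of shell metacharacters: a blocklist has to anticipate every delimiter the shell understands, while the allowlist only has to describe what a domain name looks like. Validation and quoting (escapeshellarg(), or an array command to proc_open()) are complementary; the validator also gives the operator a log entry to alert on.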