How I found a Command injection bug

mrpentestguy
3 min readOct 19, 2021
Image is taken from google

Hey, guys today I want to show you how I was able to find a command injection bug through fuzzing. So let's get started

What is Command injection?

So according to OWASP, a Command injection is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application. … In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application.

So you got an idea of what is a command injection

Now let's see how you can find one

The program which I was running has a wide scope target. example : *.reacted.com. After I have done with my subdomain enumeration process. I have found a whooping of 1600 subdomains that belong to the program

As I have found such a good amount, I started to probe them and found out that only 900 subdomains were found. The rest of them were Vhost or non-existing subdomain when checked through nslookup and dig those subdomains did not match.

Now After getting all the probed subdomains. I started to fuzz their header with different command injections payloads

If you want a payload list, here are some

For fuzzing, you could use any of the tools you like ffuf, dirsearch, wfuzz, or nuclie. I have used ffuf here for the test

You could make a list of subs like this

for subs in $(cat subs.txt) ; do ffuf -u $subs.txt -H FUZZ:headers.txt :payloadFUZZ -w <your command injection payloads>: payloadFUZZ -v -t 400 -mr “root:|(uid|gid|groups)=\d+|bytes from \b(?:[0–9]{1,3}\.){3}[0–9]{1,3}\b|Configuration File \(php\.ini\) Path |vulnerable 10|Trying \b(?:[0–9]{1,3}\.){3}[0–9]{1,3}\b|\b(?:[0–9]{1,3}\.){3}[0–9]{1,3}\b\s+localhost|BROADCAST,MULTICAST|drwxr-xr|Active Internet connections|Syntax error|sh:|Average Speed Time|dir: cannot access|<script>alert\(1\)</script>|drwxrwxr|GNU/Linux”| tee output.txt

cat output.txt | grep “URL” | awk ‘{print $4}’ | tee command.txt

or you can use a nuclei template for that but change you payload list and header list as well so or header’s list you can use Seclist

nuclei template :

After Fuzzing them I have finally found a bug . which actually gave me 404 not found but the contents were giving me the details about the web application like what it was running and all that info .

The Header which was vulnerable was Content-Length : and the payload was

/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini

so totally it looks like this Content-Length:/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini

finally reported the bug

— Didn’t respond and felt it and to date, the bug still exists. since this was an external VDP program I didn't care much to put pressure on them to fix it

I hope you like it

Thank You

--

--

mrpentestguy

Security Researcher | Bug Bounty hunter | Security Engineer | CTF player | OSINT