How I found a Command injection bug
Hey guys, today I want to show you how I was able to find a command injection bug through fuzzing. So let's get started.
What is Command injection?
So according to OWASP, command injection is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application. … In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application.
So now you have an idea of what command injection is.
Now let's see how you can find one.
The program I was working on had a wide-scope target, for example *.reacted.com. After I was done with my subdomain enumeration, I had found a whopping 1600 subdomains belonging to the program.
Since I had found so many, I started probing them and found that only 900 subdomains responded. The rest were vhosts or non-existent subdomains; when I checked them with nslookup and dig, those subdomains did not match.
After collecting all the probed subdomains, I started fuzzing their request headers with different command injection payloads.
If you want a payload list, here are some:
For fuzzing you can use any tool you like: ffuf, dirsearch, wfuzz, or nuclei. I used ffuf for this test.
You can loop over a list of subdomains like this:
# subs.txt holds one probed URL per line (scheme included, e.g. https://host), headers.txt the header names
# to test, payloads.txt your command injection payload list. ffuf takes one wordlist per keyword and, with
# two keywords, runs them clusterbomb-style; -mr matches typical command output in the response.
while read -r host; do
  ffuf -u "$host" \
       -w headers.txt:HEADER \
       -w payloads.txt:PAYLOAD \
       -H 'HEADER: PAYLOAD' \
       -v -t 400 \
       -mr 'root:|(uid|gid|groups)=\d+|bytes from \b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b|Configuration File \(php\.ini\) Path |vulnerable 10|Trying \b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b|\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\s+localhost|BROADCAST,MULTICAST|drwxr-xr|Active Internet connections|Syntax error|sh:|Average Speed Time|dir: cannot access|<script>alert\(1\)</script>|drwxrwxr|GNU/Linux' \
  | tee -a output.txt
done < subs.txt
# pull the matched URLs out of the verbose ffuf output ("| URL | https://...")
grep 'URL' output.txt | awk '{print $4}' | tee command.txt
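To show what those -mr matches actually tell you, here is a small triage script I added; it is not part of the original post and not an ffuf feature. It buckets a response body by the kind of indicator that fired, using the same family of indicators as the regex above: genuine command output, shell error messages, reflected markup, and verbose error pages. The sample bodies are constructed, and the extra disclosure indicators (stack traces, server banners) are my own assumptions. The takeaway is that an -mr hit is a lead to confirm by hand, not a confirmed command injection; a reflected script tag is a different bug class, and a verbose 404 page is information disclosure.

```shell
#!/bin/sh
# Added triage helper, not from the original post. Buckets a response body by the
# kind of indicator that matched, so an ffuf -mr hit can be told apart from noise.

# Evidence that a command actually ran (passwd line, id(1), ping, uname -a, ls -l, ifconfig, netstat)
CMD_OUTPUT_RE='root:x:0:0|(uid|gid|groups)=[0-9]+|bytes from [0-9]{1,3}(\.[0-9]{1,3}){3}|GNU/Linux|drwxr-xr|drwxrwxr|BROADCAST,MULTICAST|Active Internet connections'
# A shell saw the input but the command failed: still worth a manual look
SHELL_ERROR_RE='Syntax error|sh: |dir: cannot access'
# Input echoed back as markup: a reflection finding, not command execution
REFLECTION_RE='<script>alert\(1\)</script>'
# Verbose error output. The php.ini path is from the post; banners and stack traces are assumed extras
DISCLOSURE_RE='Configuration File \(php\.ini\) Path|Stack trace|Exception in|Apache/[0-9]|nginx/[0-9]'

# classify_response BODY -> prints exactly one label, most serious class first
classify_response() {
  body=$1
  if   printf '%s' "$body" | grep -Eq "$CMD_OUTPUT_RE";  then echo command-output
  elif printf '%s' "$body" | grep -Eq "$SHELL_ERROR_RE"; then echo shell-error
  elif printf '%s' "$body" | grep -Eq "$REFLECTION_RE";  then echo reflected-input
  elif printf '%s' "$body" | grep -Eq "$DISCLOSURE_RE";  then echo info-disclosure
  else echo no-match
  fi
}

# Constructed sample bodies (not captured from any real target)
SAMPLE_ID='uid=33(www-data) gid=33(www-data) groups=33(www-data)'
SAMPLE_PING='64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.045 ms'
SAMPLE_SH_ERR='sh: 1: Syntax error: Unterminated quoted string'
SAMPLE_XSS='<html><body>Not found: <script>alert(1)</script></body></html>'
SAMPLE_404='<h1>404 Not Found</h1><p>Configuration File (php.ini) Path: /etc/php/8.1</p>'
SAMPLE_CLEAN='<html><body>Welcome</body></html>'

for b in "$SAMPLE_ID" "$SAMPLE_PING" "$SAMPLE_SH_ERR" "$SAMPLE_XSS" "$SAMPLE_404" "$SAMPLE_CLEAN"; do
  printf '%-16s %s\n' "$(classify_response "$b")" "$b"
done
```

In practice you would feed it the bodies behind the URLs in command.txt and only chase the command-output and shell-error buckets as command injection candidates.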
Or you can use a nuclei template for this, but change the payload list and header list to your own as well; for the header list you can use SecLists.
nuclei template:
After fuzzing them I finally found a bug. The response was actually a 404 Not Found, but its contents gave me details about the web application, like what it was running and so on.
The vulnerable header was Content-Length, and the payload was:
/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini
So the full header looks like this: Content-Length:/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini
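Two things are worth seeing in code here, so I added this example (not from the original post). First, what the server actually received: percent-decoded, the header value above is a directory traversal path ending in boot.ini rather than a shell command, which matches the verbose 404 the post describes. Second, the check a web server or reverse proxy should apply: RFC 9110 only allows a plain decimal integer in Content-Length, so a value like this one is malformed, should be answered with 400, and is worth logging because no browser or HTTP library ever sends a non-numeric length. The header value is the one quoted in the post; the helper names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Decodes the reported header value to show
# what the server actually received, and applies the check an HTTP front end should
# make on Content-Length. The header value is the one quoted in the post above.

REPORTED_HEADER_VALUE='/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini'

# url_decode STRING -> the string with every %XX replaced by the byte it encodes.
# Pure POSIX sh: hex -> octal via $((0x..)) and printf; no '+' handling (this is a
# path, not a form body). A decoded newline at the very end is lost to $(...) stripping.
url_decode() {
  s=$1
  out=''
  while [ -n "$s" ]; do
    case $s in
      %[0-9A-Fa-f][0-9A-Fa-f]*)
        hex=${s#%}; hex=${hex%"${hex#??}"}          # the two hex digits
        out="$out$(printf "\\$(printf '%03o' "$((0x$hex))")")"
        s=${s#???}
        ;;
      *)
        out="$out${s%"${s#?}"}"                     # copy one literal character
        s=${s#?}
        ;;
    esac
  done
  printf '%s' "$out"
}

# valid_content_length VALUE -> success only for a bare decimal integer, which is all
# RFC 9110 section 8.6 allows (Content-Length = 1*DIGIT). Anything else, including the
# value above, a negative number or an empty string, is malformed.
valid_content_length() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
    *)           return 0 ;;
  esac
}

# header_verdict VALUE -> what a front end should do with that Content-Length
header_verdict() {
  if valid_content_length "$1"; then
    echo accept
  else
    echo 'reject (400 Bad Request), log for review'
  fi
}

printf 'decoded payload : %s\n' "$(url_decode "$REPORTED_HEADER_VALUE")"
printf 'Content-Length: 1234 -> %s\n' "$(header_verdict 1234)"
printf 'Content-Length: %s -> %s\n' "$REPORTED_HEADER_VALUE" "$(header_verdict "$REPORTED_HEADER_VALUE")"
```

The decode loop handles any percent-encoded string, not just this one, so you can drop other header payloads from your fuzzing output into url_decode to see what they really are before writing them up.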
I finally reported the bug.
They didn't respond, and I left it there; to date, the bug still exists. Since this was an external VDP program, I didn't care much about putting pressure on them to fix it.
I hope you liked it.
Thank you.