OS command injection (also known as shell injection) vulnerabilities are incredibly dangerous, as they can lead to the compromise of an application, its data, and the infrastructure connected to the application. By placing shell commands in user-controllable web application input, an attacker can make the host system perform actions the application never intended. This digest assumes a basic knowledge of Python, the command line, and shell injection.
A great place to start in understanding this vulnerability is the Bash scripting language, since a POSIX shell is usually what the injected commands end up running in. PortSwigger’s website is also an excellent source for an in-depth understanding of OS command injection and the dangers it poses.
In pentesting, it’s crucial to find these vulnerabilities in our target so they can be remediated. An excellent place to practise is PortSwigger Academy’s vulnerability labs. We can automate finding OS command injection vulnerabilities using Python and proxy the traffic through PortSwigger’s well-known web application tool – Burp Suite.
Burp Suite – Install PortSwigger’s Burp Suite Community Edition (or the Pro Edition, if you have it); it will serve as our proxy server.
Proxy – Once you’ve downloaded Burp Suite, open it up and navigate to the Proxy > Options tab. Under Proxy Listeners, click Add and configure a listener on 127.0.0.1:8080. Your settings should look like this:
Then click OK and make sure the option is ticked under the Running column. Your proxy is ready!
This code assumes we already know where the vulnerability is in the target web application. The PortSwigger Academy labs – perfect targets to learn on – give you this information upfront.
1 - Setup
First, import a few libraries.
Add the following to disable the intimidating warning display from urllib3.
Then create a proxy variable that references the proxy listener we created in Burp Suite.
2 - Main Function
Now we define the main function. Create an if statement that checks the number of arguments given on the command line and prints an explanation of how to use the script correctly. This way the user gets a human-readable explanation of how the script should be used rather than an error code. We’ll assume four arguments are given when running the script: the web app’s base URL, the path to the vulnerability, and the command being injected.
Define each of these variables, naming them according to their use in the script.
Call the run function (which we’ll get to next)…
…and then the main function (outside the main function of course).
3 - Payload
Now the creative part. Define the function with the four parameters we’re requiring for the script. Make sure to start this ABOVE the main function.
Make the payload variable.
Then build the request parameters and design the request around them. You can use the Burp Suite proxy we set up, together with the tool’s Repeater, to intercept a request to the location of the vulnerability. From there you can discover which parameters the vulnerable request carries, their expected values, and where the payload can be injected. The same goes for the request type (in this case it’s a POST request). The code here is specific to PortSwigger’s "OS command injection, simple case" lab.
Print the web application’s reply to our request.
And that’s it! Get your Burp Suite Proxy up, launch the PortSwigger lab, and give your script a run! The command should look something like this in the terminal.
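To see what the script is actually probing for on the server side, here is an added example (not code from the original post or from PortSwigger) that contrasts the defective pattern behind this class of bug with a hardened version and a simple detection check. It stands in for the lab’s stock-check feature with the POSIX `echo` command, so the injected text shows up harmlessly in the output; the parameter names and the `; echo INJECTED` payload are constructed for the demonstration.

```python
import re
import subprocess

# Constructed stand-in for the stock-check program: `echo` prints whatever
# arguments reach it, so an injected command is visible in the captured output.
STOCK_PROGRAM = "echo"
ID_PATTERN = re.compile(r"[0-9]{1,10}")           # what a product/store id should look like
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\'\"]")   # characters a POSIX shell interprets


def build_vulnerable_command(product_id: str, store_id: str) -> str:
    """The defective pattern: untrusted parameters concatenated into one shell string."""
    return f"{STOCK_PROGRAM} stock {product_id} {store_id}"


def vulnerable_stock_check(product_id: str, store_id: str) -> str:
    # shell=True hands the string to /bin/sh, which honours ';', '&', '|' and friends,
    # so a parameter value such as "1; echo INJECTED" runs a second command.
    result = subprocess.run(build_vulnerable_command(product_id, store_id),
                            shell=True, capture_output=True, text=True)
    return result.stdout


def looks_injected(value: str) -> bool:
    """Detection helper: flag a parameter value that carries shell metacharacters."""
    return SHELL_META.search(value) is not None


def validate_id(value: str) -> str:
    """Allowlist validation: accept only a short run of digits, reject everything else."""
    if not ID_PATTERN.fullmatch(value):
        raise ValueError(f"rejected parameter value: {value!r}")
    return value


def hardened_stock_check(product_id: str, store_id: str) -> str:
    # Validated values are passed as separate argv entries with no shell involved,
    # so even a stray metacharacter could only ever be an argument, not a command.
    argv = [STOCK_PROGRAM, "stock", validate_id(product_id), validate_id(store_id)]
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = "1; echo INJECTED"          # constructed test value
    print(vulnerable_stock_check("1", payload), end="")
    print("flagged:", looks_injected(payload))
    try:
        hardened_stock_check("1", payload)
    except ValueError as exc:
        print(exc)
```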
Now you have an insight into pentesting automation with Python scripting and an automated base for PortSwigger’s OS command injection labs! For more insights like this, check out our other posts and find new ones weekly!