Lab 2.3 Command Injection Vulnerabilities - Zacham17/my-tech-journal GitHub Wiki
In this lab, I tested a command injection vulnerability using a php file that allows for searching of the rockyou.txt file. I was able to exploit a command injection vulnerability to run commands from the created php page.
- To set up this lab, I created a file called "grepper.php", which allows the user to search for certain strings in the rockyou.txt file. The code for the file is shown below (the `passthru` call deliberately concatenates the raw search term into a shell command; that is the vulnerability this lab exercises):

```php
<form id="logform" method="post">
  <div>Search Term: <input type="text" name="search"></div>
  <div class="full-width"><br>
    <button type="submit">Search</button>
  </div>
</form>
<?php
if (isset($_POST['search'])) {
    $searchterm = $_POST['search'];
    echo "<div>";
    echo "<h1>Searchterm:" . $searchterm . "</h1>";
    echo "</div>";
    echo "<pre>";
    // Vulnerable by design: user input is appended to the shell command unescaped.
    passthru("cat /usr/share/wordlists/rockyou.txt | grep " . $searchterm);
    echo "</pre>";
}
?>
```
- I started the ad-hoc web server using the command `php -S 127.0.0.1:9000`
  - Refer to Lab 2.1: File Inclusion to read more about using php to run a web server
- I then browsed to `127.0.0.1:9000/grepper.php` to access the php file. To demonstrate how the page works, I entered "zach" into the search bar. The results are below
- Knowing a bit about input manipulation and command injection, I was able to manipulate the search function of grepper.php to run commands on the target system. For example, I was able to run the `ip a` command on the target system by entering "smeagles && ip a" into the search box. This essentially tells the system that after it greps for "smeagles" it should run the "ip a" command. The screenshot below shows the output:
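The following is an added example, not part of the lab, showing how the same search can be built so that the "smeagles && ip a" input is handed to grep as a single literal argument instead of being interpreted by the shell. It assumes the lab's wordlist path; the function names are my own.

```php
<?php
// Added example: hardened command construction for the lab's grepper search.
// Assumes the wordlist path used in the lab; function names are illustrative.

const WORDLIST = '/usr/share/wordlists/rockyou.txt';

// Mirrors how grepper.php builds its command: raw string concatenation.
// Kept only to contrast with the safe builder below.
function unsafe_grep_command(string $term): string
{
    return "cat " . WORDLIST . " | grep " . $term;
}

// escapeshellarg() wraps the term in single quotes and escapes embedded quotes,
// so &&, ;, | and $(...) reach grep as ordinary characters, never the shell.
// -F makes grep treat the term as a fixed string rather than a regex, and
// "--" stops a term beginning with "-" from being parsed as a grep option.
function safe_grep_command(string $term): string
{
    return 'grep -F -- ' . escapeshellarg($term) . ' ' . escapeshellarg(WORDLIST);
}

// Allow-list check: a password-list search term has no need for shell
// metacharacters, so reject anything outside a small character set.
function is_plausible_search_term(string $term): bool
{
    return preg_match('/^[A-Za-z0-9_.@-]{1,64}$/', $term) === 1;
}

$payload = 'smeagles && ip a'; // the input used in the lab

echo "Unsafe: " . unsafe_grep_command($payload) . PHP_EOL;
echo "Safe:   " . safe_grep_command($payload) . PHP_EOL;
var_dump(is_plausible_search_term($payload));
var_dump(is_plausible_search_term('zach'));

// In grepper.php the fix is to replace the passthru line with:
//   passthru(safe_grep_command($searchterm));
// and to HTML-escape the echoed term as well:
//   echo "<h1>Searchterm:" . htmlspecialchars($searchterm, ENT_QUOTES, 'UTF-8') . "</h1>";
```

Run with `php` on the command line to compare the two command strings; only the unsafe one contains an unquoted `&&`.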
When not carefully secured, systems may be vulnerable to command injection, which can be very severe. As seen in this lab, an attacker can gather information from a system using command injection. Additionally, an attacker may be able to control a system or even invoke a reverse shell using command injection, therefore it should be taken seriously.