Analysing Command Detected in Request Body
2023-1-6 12:44:49 Author: infosecwriteups.com

SOC168 — Whoami Command Detected in Request Body

What is Command Injection?

Command Injection
  • Command injection is a type of vulnerability that allows an attacker to execute arbitrary commands on the host operating system through a vulnerable application.
  • It occurs when an application passes unsafe user-supplied data (e.g. form input) to a system shell without proper validation or sanitization.
  • An attacker can use command injection to gain unauthorised access to sensitive data, execute malicious code, or disrupt the intended functionality of the application.

Example:

ls command injection that lists the files and directories in a directory

ls command injection attack
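To make the bullet points above concrete, here is an added Python example (not code from the original write-up): a function that concatenates form input into a shell string, the pattern the ls example above abuses, beside a hardened version that validates the value against an allowlist and passes an argument list with no shell involved. The names (vulnerable_command, is_safe_name, hardened_command, run_listing) and the sample inputs are constructed for this illustration.

```python
import re
import subprocess
from typing import List, Optional

# Constructed sample inputs: a directory name as it might arrive in a form field.
BENIGN_INPUT = "public"
INJECTED_INPUT = "public; whoami"   # a second command chained with ';'


def vulnerable_command(user_dir: str) -> str:
    """The 'before' pattern: user input is concatenated into one shell string.

    If this string were run with shell=True, ';' would end the ls command and
    start whatever follows, so the injected command would execute with the web
    server's privileges. Kept for illustration only; nothing here executes it.
    """
    return "ls " + user_dir


def is_safe_name(user_dir: str) -> bool:
    """Allowlist check: one path component of letters, digits, '_', '-' and '.'.

    Rejects the empty string, '.' and '..', and anything containing a shell
    metacharacter, whitespace or path separator, since the character class
    does not admit them.
    """
    if user_dir in ("", ".", ".."):
        return False
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", user_dir) is not None


def hardened_command(user_dir: str) -> Optional[List[str]]:
    """The 'after' pattern: validate, then build an argv list for shell=False.

    Returns None when the input fails validation. '--' stops ls from treating
    a name that begins with '-' as an option.
    """
    if not is_safe_name(user_dir):
        return None
    return ["ls", "--", user_dir]


def run_listing(user_dir: str) -> Optional[int]:
    """Execute the hardened form and return ls's exit code, or None if rejected."""
    argv = hardened_command(user_dir)
    if argv is None:
        return None
    # shell=False: argv is passed to the OS directly, so no shell parses metacharacters.
    return subprocess.run(argv, shell=False, capture_output=True).returncode


if __name__ == "__main__":
    print(vulnerable_command(INJECTED_INPUT))   # ls public; whoami  (two commands)
    print(hardened_command(INJECTED_INPUT))     # None (rejected)
    print(hardened_command(BENIGN_INPUT))       # ['ls', '--', 'public']
```

The two defences are independent: the allowlist stops unexpected values early, and the argv list guarantees that even an unexpected value is handed to ls as a single argument rather than interpreted by a shell.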

How to detect command injection?

  • One way to detect command injection vulnerabilities in a web application is to search the source code for keywords that may indicate system commands being built from unsanitized user input.
  • Some keywords to look for include:
    • “Whois”, “dir”, “ls”, “cp”, “cat”, “type”
    • “System”, “etc”, “exec”, “shell_exec”
    • “Whoami”

Detect command injection by using Snort

SOC168 — Whoami Command Detected in Request Body

Here is the generated alert:

Alert given by https://letsdefend.io/
  • The source IP address (61.177.172.87) attempted a “whoami” command injection attack on web server 1004 (172.16.17.16).
  • Request URL: https://172.16.17.16/video/

Let’s check the source IP address:

VirusTotal

This IP address is flagged as malicious, and a large number of attacks have been launched from it.

AbuseIPDB

Let’s look into the log management:

log management
  • Several command injection attempts were made by this attacker (61.177.172.87).
  • All attempts were answered with HTTP status 200, each with a different HTTP response size.
  • By checking the command line history on web server 1004, we can see that all the command injections made by the attacker were executed.
command Line History on Webserver1004
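Both the keyword list from “How to detect command injection?” and the log management review above (every attempt answered with HTTP 200 and a different response size) can be turned into a small triage script. The following Python is an added example, not code from the write-up or from LetsDefend: it URL-decodes each request, matches the write-up’s keywords as whole words, requires a shell separator alongside a keyword to cut noise from ordinary words such as “type” or “dir”, and summarises flagged attempts per source IP. The log entries are constructed for this illustration and reuse only the IP addresses and URL from the alert; the field layout is an assumption, since the post does not show its raw log format.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Keywords from the "How to detect command injection?" section, matched
# case-insensitively as whole words so that "ls" does not fire on "details".
COMMAND_KEYWORDS = ["whoami", "whois", "dir", "ls", "cp", "cat", "type",
                    "system", "etc", "exec", "shell_exec"]
KEYWORD_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(re.escape(k) for k in COMMAND_KEYWORDS)
    + r")(?![A-Za-z0-9_])",
    re.IGNORECASE,
)
# Shell metacharacters that chain a second command onto a parameter value.
SEPARATOR_RE = re.compile(r"[;&|`\n]|\$\(")

# Constructed sample entries modelled on the alert (source IP, URL, status,
# response size, raw request body). Real tooling would parse its own log format here.
SAMPLE_LOGS: List[Dict[str, str]] = [
    {"src": "61.177.172.87", "url": "https://172.16.17.16/video/",
     "status": "200", "size": "1203", "body": "id=1%3Bwhoami"},
    {"src": "61.177.172.87", "url": "https://172.16.17.16/video/",
     "status": "200", "size": "1355", "body": "id=1%3Bls"},
    {"src": "61.177.172.87", "url": "https://172.16.17.16/video/",
     "status": "200", "size": "1289", "body": "id=1%3Bcat+%2Fetc%2Fpasswd"},
    {"src": "10.0.0.5", "url": "https://172.16.17.16/video/",
     "status": "200", "size": "1177", "body": "id=1"},
    {"src": "10.0.0.6", "url": "https://172.16.17.16/video/details/",
     "status": "404", "size": "220", "body": ""},
]


def keyword_hits(text: str) -> List[str]:
    """URL-decode the text and return the command keywords found as whole words."""
    decoded = unquote_plus(text)
    return sorted({m.group(1).lower() for m in KEYWORD_RE.finditer(decoded)})


def is_suspicious(entry: Dict[str, str]) -> bool:
    """Flag an entry when a keyword and a shell separator both appear in URL or body."""
    text = unquote_plus(entry["url"]) + " " + unquote_plus(entry["body"])
    return bool(keyword_hits(text)) and SEPARATOR_RE.search(text) is not None


def summarize_by_ip(entries: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Per source IP: number of flagged attempts, HTTP statuses seen, distinct sizes.

    A run of 200 responses with varying sizes is the pattern the write-up used
    to conclude that the injected commands were executed by the server.
    """
    summary: Dict[str, Dict[str, object]] = {}
    for entry in entries:
        if not is_suspicious(entry):
            continue
        stats = summary.setdefault(
            entry["src"], {"attempts": 0, "statuses": set(), "sizes": set()})
        stats["attempts"] += 1
        stats["statuses"].add(entry["status"])
        stats["sizes"].add(entry["size"])
    return summary


if __name__ == "__main__":
    for ip, stats in summarize_by_ip(SAMPLE_LOGS).items():
        print(ip, stats)
```

Requiring a separator next to a keyword is a deliberate trade-off: it suppresses benign hits on words like “type” in normal form data, but a payload that reaches the shell without a metacharacter (for example, through an unquoted argument) would be missed, so the keyword-only hits are still worth reviewing on a lower-severity queue.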

Playbook Answers:

playbook
  • Yes, Tier 2 escalation is needed
  • The attack was successful
  • Direction of traffic: Internet to company network
  • There is no email about the attack, so this is not a planned test
  • This is a command injection attack
  • This is malicious traffic

Reference:

Article source: https://infosecwriteups.com/analysing-command-detected-in-request-body-1524b2744449?source=rss----7b722bfd1b8d--bug_bounty