Java - Command Injection (CMD)

Running the app on Docker

$ sudo docker pull blabla1337/owasp-skf-lab:java-cmd

$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:java-cmd

Now that the app is running let's go hacking!

Reconnaissance

The command injecion is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In the first step, the attacker needs to inspect the functioning of the web app in order to find possible injection points. When we start the application we can see that there is an image and the option to resize the image.

Now, we are going to select a value and press the button.

If we inspect the request with an intercepting proxy (we are using Burp) we can see that the application is performing a POST request to /home. In the request we send the number (in percentage) to resize the image. In the response, we can check that the image has been resized.

Exploitation

Let's try to get remote code execution.

Intercepting the request on burp, we can try to pipe other commands, like opening the calculator on linux (xcalc) as PoC.

Bingo!

Additional sources

Command Injection | OWASP Foundation

OS Command Injection Defense - OWASP Cheat Sheet Series

PreviousNodeJS - Command Injection (CMD)NextCommand Injection 2 (CMD-2)

Last updated 1 year ago