1
00:00:01,060 --> 00:00:01,830
Welcome back.

2
00:00:02,540 --> 00:00:10,190
Time to cover our first real vulnerability. Even though HTML injection is considered a bug, command

3
00:00:10,190 --> 00:00:12,810
injection is much, much more serious.

4
00:00:13,640 --> 00:00:16,970
So what is command injection?

5
00:00:17,890 --> 00:00:25,600
Well, we can define it like this: command injection is a vulnerability that allows an attacker to execute

6
00:00:25,600 --> 00:00:30,100
operating system commands on the server that is running the application.

7
00:00:31,340 --> 00:00:37,070
Typically, once it's discovered, it allows the attacker to fully compromise the application and all

8
00:00:37,070 --> 00:00:43,580
of its data. Sometimes command injection can be used to compromise other parts of the host's infrastructure,

9
00:00:43,730 --> 00:00:48,500
and it can be used to pivot the attack to other systems within the organization.

10
00:00:49,370 --> 00:00:52,900
So, yes, it can be a really serious vulnerability.

11
00:00:53,630 --> 00:00:59,570
It allows us to execute system commands on the server, which could also mean that we can see the files,

12
00:00:59,720 --> 00:01:05,540
check out the passwords folder, delete files and perhaps even set up a reverse shell connection.

13
00:01:06,500 --> 00:01:10,790
But how exactly do we do that, and when can we find this bug?

14
00:01:11,450 --> 00:01:13,340
Let's check out an example.

15
00:01:13,370 --> 00:01:21,260
In theory, say we have a simple web application that lets people read different stories.

16
00:01:21,950 --> 00:01:28,040
It gives you a list of stories that it has available and you type in which one you want to read.

17
00:01:29,010 --> 00:01:37,440
Let's say that those stories are stored in text files on the server. Once a client types in the name

18
00:01:37,440 --> 00:01:43,230
of the story that they want to read, the server processes the content of the story's text file

19
00:01:43,500 --> 00:01:46,200
and outputs it back to the web page.

20
00:01:47,100 --> 00:01:54,270
Now, this is a very simple example, but it will give us a good understanding of what exactly command

21
00:01:54,270 --> 00:01:54,840
injection is.

22
00:01:54,990 --> 00:01:59,760
And what we saw right here was normal usage of this web application.

23
00:02:00,720 --> 00:02:07,680
But the problem can occur if the website processes the content of the story itself through its system

24
00:02:07,980 --> 00:02:14,370
without the user input being filtered as to what characters and what commands it can receive.

25
00:02:15,550 --> 00:02:17,750
Let me explain this a little bit better.

26
00:02:18,250 --> 00:02:25,660
For example, let's say this application reads the content of the text file with the help of the cat

27
00:02:25,680 --> 00:02:26,080
command.

28
00:02:26,800 --> 00:02:33,550
We type in the story name and it gets the story, reads the output and throws it back to the web application

29
00:02:33,550 --> 00:02:35,890
for us to read. All of this is good.

30
00:02:35,890 --> 00:02:40,000
But what happens if we enter this, for example?

31
00:02:41,170 --> 00:02:46,250
story1.txt; whoami

32
00:02:47,080 --> 00:02:51,690
And here is where our terminal commands knowledge comes into play.

33
00:02:52,390 --> 00:02:56,800
What we did right here is we simply typed the story that we want to read.

34
00:02:57,460 --> 00:03:03,730
Then we used a semicolon to add another command that the server should execute, which in our example

35
00:03:03,730 --> 00:03:04,680
is whoami.

36
00:03:05,230 --> 00:03:08,790
And by the way, a semicolon can be used to separate multiple commands.

37
00:03:08,800 --> 00:03:14,440
It's just one of the ways that you can separate multiple commands and execute them one by one.

38
00:03:15,100 --> 00:03:21,760
So now the command that the server would process would no longer be just cat story1.txt, but it would

39
00:03:21,760 --> 00:03:25,880
look something like this: cat story1.txt.

40
00:03:26,080 --> 00:03:29,500
And then after it executes that, it would execute whoami.

41
00:03:30,340 --> 00:03:36,400
And if the website is vulnerable to command injection and it doesn't filter our input, we will get an

42
00:03:36,400 --> 00:03:37,750
output like this.

43
00:03:38,590 --> 00:03:40,060
It would output a story.

44
00:03:40,270 --> 00:03:44,650
And at the end we should also see the response of the whoami command,

45
00:03:45,040 --> 00:03:48,850
which would be the user, or the account name, that executed the command.

46
00:03:49,240 --> 00:03:52,510
So in general, the process looks something like this.

47
00:03:53,170 --> 00:03:57,820
We find a user input that could potentially get processed by the system.

48
00:03:58,360 --> 00:04:01,990
We add normal input and concatenate an additional command to it.

49
00:04:02,140 --> 00:04:08,200
And if the input isn't filtered, it will process both of those commands and it will give us both of

50
00:04:08,200 --> 00:04:09,160
these results.

51
00:04:10,810 --> 00:04:13,480
Now, let's see how that looks in practice.