Feature Request: Newline display problem (classic result based technique)
There is a problem with parsing newlines in the pseudo shell. Consider these outputs:
commix(os_shell) > ls
index.php license.txt readme.html wp-activate.php wp-admin wp-blog-header.php wp-comments-post.php wp-config-sample.php wp-config.php wp-content wp-cron.php wp-includes wp-links-opml.php wp-load.php wp-login.php wp-mail.php wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php
kali:~# curl 'http://10.11.1.234/?p=1&cmd=ls' index.php license.txt readme.html wp-activate.php wp-admin wp-blog-header.php wp-comments-post.php wp-config-sample.php wp-config.php wp-content wp-cron.php wp-includes wp-links-opml.php wp-load.php wp-login.php wp-mail.php wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php xmlrpc.php
Tested on commix versions v1.5-dev#4 and v1.3 in several Linux injections.
Hey @lukapusic, this issue in the pseudo shell occurs regularly in results-based command injection attacks due to the attack vectors that are used (i.e. echo $(ls)). As you may see in other exploitation techniques (i.e. file-based command injection attacks (use --technique="f")), that issue does not exist. However, for eye-candy reasons, I intend to fix that issue (that's why I marked your issue as "enhancement"). Btw, thanks for the report.
I see. Looking at the requests I noticed that you do not enclose $() in double quotes.
Commix payload without enclosing double quotes:
echo GCGGHE$(echo GCGGHE)$(echo $(ls -al))$(echo GCGGHE)GCGGHE
GCGGHEGCGGHEtotal 48 drwxr-xr-x 5 root root 4096 Feb 2 2011 . drwxr-xr-x 3 root root 4096 Feb 2 2011 .. -rw-r--r-- 1 root root 3957 Mar 5 2009 admin.php -rw-r--r-- 1 root root 3785 Feb 12 2014 config.php drwxr-xr-x 2 root root 4096 Mar 6 2009 css -rw-r--r-- 1 root root 1097 Mar 5 2009 functions.php drwxr-xr-x 2 root root 4096 Mar 6 2009 img -rw-r--r-- 1 root root 10011 Sep 16 2009 index.php -rw-r--r-- 1 root root 4090 Mar 23 2009 install.php drwxr-xr-x 2 root root 4096 Mar 6 2009 jsGCGGHEGCGGHE
Same payload with $() enclosed in double quotes:
echo GCGGHE$(echo GCGGHE)"$(echo "$(ls -al)")"$(echo GCGGHE)GCGGHE
GCGGHEGCGGHEtotal 48
drwxr-xr-x 5 root root 4096 Feb 2 2011 .
drwxr-xr-x 3 root root 4096 Feb 2 2011 ..
-rw-r--r-- 1 root root 3957 Mar 5 2009 admin.php
-rw-r--r-- 1 root root 3785 Feb 12 2014 config.php
drwxr-xr-x 2 root root 4096 Mar 6 2009 css
-rw-r--r-- 1 root root 1097 Mar 5 2009 functions.php
drwxr-xr-x 2 root root 4096 Mar 6 2009 img
-rw-r--r-- 1 root root 10011 Sep 16 2009 index.php
-rw-r--r-- 1 root root 4090 Mar 23 2009 install.php
drwxr-xr-x 2 root root 4096 Mar 6 2009 jsGCGGHEGCGGHE
Could the solution be this simple?
BTW: Great tool!
Hello @lukapusic, I am afraid the solution to that issue is not that obvious. Your payload seems to be working (in some cases) but it's not generic. For example, if the target host uses the PHP exec() function (i.e. commix-testbed), then the multiline output of that executed payload will be broken and only the last line of the "ls" command will be shown back to us: -rw-r--r-- 1 root root 5151 Jun 12 20:19 str_replace.phpGCGGHEGCGGHE.
One possible solution is to add a prefix and suffix to each line.
kali:~# echo $(ls -al | sed 's/\(.*\)/BEGIN\1END/g')
BEGINtotal 64END BEGINdrwxrwxrwt 15 root root 4096 Oct 22 07:09 .END BEGINdrwxr-xr-x 27 root root 4096 Oct 20 18:06 ..END BEGINdrwxrwxrwt 2 root root 4096 Oct 20 17:54 .font-unixEND BEGINdrwxr-xr-x 2 root root 4096 Oct 21 20:16 hsperfdata_rootEND BEGINdrwxrwxrwt 2 root root 4096 Oct 20 17:55 .ICE-unixEND BEGINsrwxr-xr-x 1 root root 0 Oct 21 20:11 jpi-154311181973503911857515END BEGINdrwx------ 2 root root 4096 Oct 22 06:41 mozilla_root0END BEGINdrwx------ 2 root root 4096 Jan 1 1970 orbit-rootEND BEGINdrwx------ 2 root root 4096 Oct 20 17:55 ssh-NUrrT6sbo6lCEND BEGINdrwx------ 3 root root 4096 Oct 20 17:54 systemd-private-dc8c208c1d654426a132d88d0b12d7b4-colord.service-BYa42XEND BEGINdrwx------ 3 root root 4096 Oct 20 17:54 systemd-private-dc8c208c1d654426a132d88d0b12d7b4-rtkit-daemon.service-f9xfoLEND BEGINdrwxrwxrwt 2 root root 4096 Oct 20 17:54 .Test-unixEND BEGINdrwx------ 2 root root 4096 Oct 20 17:55 tracker-extract-files.0END BEGINdrwxrwxrwt 2 root root 4096 Oct 20 17:54 VMwareDnDEND BEGIN-r--r--r-- 1 Debian-gdm Debian-gdm 11 Oct 20 17:54 .X1024-lockEND BEGINdrwxrwxrwt 2 root root 4096 Oct 20 17:55 .X11-unixEND BEGINdrwxrwxrwt 2 root root 4096 Oct 20 17:54 .XIM-unixEND
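A runnable illustration of the two points raised in this thread, added here as an example and not taken from commix or from either commenter: why an unquoted $() collapses newlines (the quoting observation above), and how the per-line BEGIN/END markers from the sed suggestion let the receiving side rebuild the lines from the flattened text. The SAMPLE listing is constructed, and the fixed BEGIN/END markers are an assumption for readability.

```shell
#!/bin/sh
# Added example, not commix code: newline loss in unquoted $() and
# per-line marker recovery. SAMPLE is a constructed directory listing.
SAMPLE='total 48
drwxr-xr-x 5 root root 4096 Feb 2 2011 .
-rw-r--r-- 1 root root 3957 Mar 5 2009 admin.php'

# Unquoted substitution: the shell word-splits the result on IFS
# (space, tab, newline) and echo joins the words with single spaces,
# so the newlines (and any run of spaces inside a line) are lost.
unquoted_lines() {
    echo $(printf '%s\n' "$SAMPLE") | wc -l | tr -d ' '
}

# Quoted substitution hands echo one argument and keeps the newlines.
quoted_lines() {
    echo "$(printf '%s\n' "$SAMPLE")" | wc -l | tr -d ' '
}

# Producer side of the marker idea: wrap every line in BEGIN...END
# before the (deliberately unquoted) echo flattens it, mirroring
#   echo $(ls -al | sed 's/\(.*\)/BEGIN\1END/g')
flatten_with_markers() {
    echo $(printf '%s\n' "$SAMPLE" | sed 's/\(.*\)/BEGIN\1END/')
}

# Consumer side: split the flattened text back into lines on the
# markers. Pure POSIX parameter expansion, so no GNU sed/awk needed.
# Caveat: a fixed marker collides with any line that contains "END";
# a random token (as commix does with strings like GCGGHE) avoids that.
recover_lines() {
    rest=$1
    while [ -n "$rest" ]; do
        case $rest in
            BEGIN*END*) ;;
            *) printf 'unparsed tail: %s\n' "$rest" >&2; return 1 ;;
        esac
        rest=${rest#BEGIN}
        line=${rest%%END*}              # text up to the first END
        rest=${rest#*END}               # drop through that END
        rest=${rest#"${rest%%[! ]*}"}   # trim the joining space(s)
        printf '%s\n' "$line"
    done
}

recover_lines "$(flatten_with_markers)"
```

Note that recovery restores line boundaries only; spacing inside a line that word-splitting collapsed is not recoverable from the flattened text.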
Firstly, I would like to thank you for your interest and your research in order to expand the capabilities of commix. Suddenly, your payload does not solve the problem. Every generated payload must contain only one separator (i.e. ;, &&, | etc.) and your payload contains two. For more, please take a look at the generated payloads (via -v1) in time-based command injection attacks (--technique="t").
Hey @lukapusic, I pushed a minor update (https://github.com/commixproject/commix/commit/dd9f4c24eb7842f0664375200e1e53992a89f08f) regarding the newline display in dynamic code evaluation (eval-based) and semiblind (file-based) technique. :)