If you’re looking for a shell injection vulnerability, it helps if you’ve got some idea of what it could look like. If you have access to the application’s source code you’re investigating, the simplest starting point is finding locations where shell commands are executed.
This is simple in theory, but different languages have different methods of invoking the shell, and some have more than one. PHP, for example, has exec(), exec_shell() and system(). In Python, one could use os.system(), subprocess.run(), or os.popen(), among others. Needless to say, you will want to research the language the app is programmed in.
Just because a program executes a shell command doesn’t mean it’s vulnerable - it needs to execute it so that a maliciously crafted input could cause unintended behavior, such as executing additional commands.
Remember also that most modern applications have dependencies that need to be checked. For example, if an application passes a user’s input to an external library, the external library must be checked to ensure it doesn’t contain shell injection vulnerabilities. If that library has dependencies, they may also need to be checked. It’s easy to overlook a potential vulnerability in cases like these, which is why it’s so important to have multiple layers of security. A defender would need to find every potential vulnerability, but an attacker only needs to find one.
Instructions
The Python code shown here contains a shell injection vulnerability. Can you find the function where the shell command is called?
Remember, Python has multiple ways of running shell commands, such as os.system() and subprocess.run(). Searching for those commands can assist in identifying the vulnerability.
After searching for those commands, you might have noticed exec_ping function. This function uses the os.system, which allows an attacker to execute an OS command on the server. Doing this allows attackers to compromise the application and all its data.