SOC168 — Whoami Command Detected in Request Body
What is Command Injection?
[Image: Command Injection]
Command injection is a type of vulnerability that allows an attacker to execute arbitrary commands on the host operating system via a vulnerable application. This can occur when an application passes unsafe user-supplied data (e.g. form input) to a system shell without proper validation or sanitization. An attacker can use command injection to gain unauthorised access to sensitive data, execute malicious code, or disrupt the intended functionality of the application.
Example: an ls command injection that lists the files and directories in a directory.
[Image: ls command injection attack]
How to detect command injection?
One way to detect command injection vulnerabilities in a web application is to search the source code for keywords that may indicate the use of system commands with unsanitized user input. Some keywords to look for include: "Whois", "dir", "ls", "cp", "cat", "type", "System", "etc", "exec", "shell_exec", and "Whoami".
[Image: Detect command injection by using Snort]
SOC168 — Whoami Command Detected in Request Body
Here is the generated alert:
[Image: alert given by https://letsdefend.io/]
The source IP address (61.177.172.87) attempted a "whoami" command injection attack on web server 1004 (172.16.17.16). Request URL: https://172.16.17.16/video/
Let's check the source IP address:
[Image: VirusTotal]
This IP address is flagged as malicious, and a large number of attacks have been carried out from it.
[Image: AbuseIPDB]
Let's look into Log Management.
[Image: log management]
There were several command injection attempts made by this attacker (61.177.172.87). All attempts were answered with HTTP status 200, with differing HTTP response sizes. By checking the command-line history on web server 1004, we can see that all the command injections made by the attacker were executed.
[Image: command line history on web server 1004]
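As an added example (not code from this write-up or from LetsDefend), the Python below applies the keyword search from the detection section to web-server log entries and then applies the check used in the log-management step: flagged requests grouped by source IP, counting HTTP 200 responses and whether their sizes differ. The log entries are constructed, and the keyword list and the "repeated 200s with varying sizes" heuristic are the assumptions.

```python
import re
from collections import defaultdict

# Keywords the write-up lists as indicators of OS commands reaching a shell.
INJECTION_KEYWORDS = ("whoami", "whois", "dir", "ls", "cp", "cat", "type",
                      "system", "etc", "exec", "shell_exec")

# Whole-token match so that e.g. "catalog" does not trigger on "cat".
KEYWORD_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(map(re.escape, INJECTION_KEYWORDS)) + r")(?![A-Za-z0-9_])",
    re.IGNORECASE,
)

# Constructed sample web-server log entries (not the LetsDefend case data).
SAMPLE_LOGS = [
    {"src_ip": "61.177.172.87", "url": "/video/", "status": 200, "size": 512, "body": "id=1;whoami"},
    {"src_ip": "61.177.172.87", "url": "/video/", "status": 200, "size": 1987, "body": "id=1;cat /etc/hostname"},
    {"src_ip": "61.177.172.87", "url": "/video/", "status": 200, "size": 4096, "body": "id=1;ls -la"},
    {"src_ip": "10.0.0.5", "url": "/video/", "status": 200, "size": 512, "body": "id=2"},
    {"src_ip": "10.0.0.9", "url": "/video/", "status": 200, "size": 512, "body": "id=3&type=mp4"},
]

def find_injection_keywords(text):
    """Return the distinct keywords found as whole tokens in a URL or request body."""
    return sorted({m.group(1).lower() for m in KEYWORD_RE.finditer(text)})

def flag_requests(logs):
    """Return (entry, keywords) for every request whose URL or body carries a keyword."""
    scored = [(e, find_injection_keywords(e["url"] + " " + e["body"])) for e in logs]
    return [(e, kws) for e, kws in scored if kws]

def summarize_by_source(hits):
    """Per source IP: attempts, how many drew HTTP 200, and whether those 200s differed
    in size. As in the write-up, repeated 200s with varying sizes suggest distinct
    commands ran and returned output; one noisy hit such as "type=mp4" does not."""
    per_ip = defaultdict(list)
    for entry, _ in hits:
        per_ip[entry["src_ip"]].append(entry)
    summary = {}
    for ip, entries in per_ip.items():
        ok = [e for e in entries if e["status"] == 200]
        sizes = {e["size"] for e in ok}
        summary[ip] = {
            "attempts": len(entries),
            "http_200": len(ok),
            "distinct_200_sizes": len(sizes),
            "likely_executed": len(ok) > 1 and len(sizes) > 1,
        }
    return summary
```

Keyword matching alone is noisy (the "type=mp4" entry is flagged too), which is why the per-source status and size correlation is what separates a real execution pattern from a false positive.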
Playbook Answers:
[Image: playbook]
Tier 2 escalation: yes, we need Tier 2 escalation.
The attack was successful.
Direction of traffic: Internet to company network.
There is no mail about the attack, so this is not a planned test.
This is a command injection attack.
It is malicious traffic.