CAPEC-15: Command Delimiters
CAPEC Version: 3.9
Last Updated: 2023-01-24
Attack Pattern Description
An attack of this type exploits a program's vulnerabilities that allow an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. A system that uses a filter or denylist for input validation, as opposed to allowlist validation, is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
Execution Flow
Step 1 Explore
[Assess Target Runtime Environment] In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters.
- Port mapping using network connection-based software (e.g., nmap, nessus, etc.)
- Port mapping by exploring the operating system (netstat, sockstat, etc.)
- TCP/IP Fingerprinting
- Induce errors to find informative error messages
Step 2 Explore
[Survey the Application] The attacker surveys the target application, possibly as a valid and authenticated user.
- Spidering web sites for all available links
- Inventory all application inputs
Step 3 Experiment
[Attempt delimiters in inputs] The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time.
- Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)
- Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)
- Enter command delimiters directly in input fields.
Step 4 Exploit
[Use malicious command delimiters] The attacker uses combinations of payload and carefully placed command delimiters to attack the software.
Prerequisites
- The software's input validation or filtering must not detect and block the presence of an additional malicious command.
Skills Required
Resources Required
- Ability to communicate synchronously or asynchronously with the server. Optionally, the ability to capture output directly through synchronous communication or another method such as FTP.
Consequences
Scope: Confidentiality, Integrity, Availability
Technical Impact: Execute Unauthorized Commands
Note: Run Arbitrary Code
Scope: Confidentiality
Technical Impact: Read Data
Mitigations
Design: Perform allowlist validation against a positive specification for command length, type, and parameters.
Design: Limit program privileges, so that if commands circumvent program input validation or filter routines, those commands do not run under a privileged account.
Implementation: Perform input validation for all remote content.
Implementation: Use type conversions such as JDBC prepared statements.
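The contrast between the denylist filter from the description and the allowlist mitigation above, as an added example that is not part of the CAPEC entry. The hostname specification, the function names and the sample inputs are assumptions constructed for illustration, and a child Python process stands in for whatever command the application would run.

```python
import re
import subprocess
import sys

# Denylist of the kind the description warns about: it blocks only the
# delimiters its author thought of.
DENYLIST = (";", "|", "&")

# Positive specification (assumption for this example): the input is a DNS
# hostname of at most 253 characters, built from dot-separated labels.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"(?=.{{1,253}}\Z){LABEL}(?:\.{LABEL})*")

def denylist_accepts(value: str) -> bool:
    """Weak check: accept anything that contains no listed delimiter."""
    return not any(d in value for d in DENYLIST)

def allowlist_accepts(value: str) -> bool:
    """Strong check: accept only input that matches the whole specification."""
    return HOSTNAME.fullmatch(value) is not None

def run_lookup(host: str) -> str:
    """Validate first, then pass the value as one argv element with no shell."""
    if not allowlist_accepts(host):
        raise ValueError("input does not match the hostname specification")
    # Stand-in command: a child process that prints its first argument.
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", host]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.strip()

# Constructed sample inputs: one valid hostname and three with delimiters.
SAMPLES = [
    "example.org",
    "example.org;echo x",
    "example.org\necho x",
    "example.org$(echo x)",
]

def compare() -> dict:
    """Map each sample to (denylist verdict, allowlist verdict)."""
    return {s: (denylist_accepts(s), allowlist_accepts(s)) for s in SAMPLES}

if __name__ == "__main__":
    for value, (deny, allow) in compare().items():
        print(f"{value!r:26} denylist={deny!s:5} allowlist={allow}")
    print(run_lookup("example.org"))
```

Two of the constructed inputs pass the denylist because their delimiters were never listed, while the allowlist rejects all three. Passing the validated value as a single argv element keeps it out of any shell parsing as a second layer.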