commixproject / commix

Automated All-in-One OS Command Injection Exploitation Tool.
https://commixproject.com

java Runtime.getRuntime().exec() can't be injected #946

Closed CptGuo closed 4 months ago

CptGuo commented 4 months ago

What's the problem (or question)?

Commix can't inject java Runtime.exec()

How can we reproduce the issue?

See java code below.

What are the running context details?

JAVA CODE

```java
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;

// Handler as posted: the request parameter is handed to Runtime.exec() unchanged.
@GetMapping("/too")
public String too(@Param("txt") String txt) {
    Runtime runtime = Runtime.getRuntime();
    StringBuffer bf = new StringBuffer();
    try {
        // Runtime.exec(String) splits txt on whitespace and runs the tokens directly.
        Process process = runtime.exec(txt);
        InputStream inputStream = process.getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream));
        String line;

        while ((line = reader.readLine()) != null) {
            System.out.println(line);
            bf.append(line);
        }
        process.waitFor();
        if (process.exitValue() == 0) {
            System.out.println("Command executed successfully!");
        } else {
            System.out.println("Command execution failed!");
        }
    } catch (Exception e) {
        //
    }
    return bf.toString();
}
```

Commix run logs

python commix.py -u "http://localhost:9090/attdef/too?txt=who"

[13:36:19] [info] Testing connection to the target URL.
[13:36:19] [info] Checking if the target is protected by some kind of WAF/IPS.
[13:36:19] [info] Performing identification (passive) tests to the target URL.
[13:36:19] [info] Setting GET parameter 'txt' for tests.
Do you want to ignore the response HTTP error code '400' and continue the tests? [Y/n] > y
[13:36:20] [warning] Heuristic (basic) tests shows that GET parameter 'txt' might not be injectable.
[13:36:30] [info] Testing the (results-based) classic command injection technique.
[13:36:42] [info] Testing the (results-based) dynamic code evaluation technique.
[13:36:42] [warning] It is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions.
[13:36:42] [info] Testing the (blind) time-based command injection technique.
Enter what you want to use for writable directory (e.g. '/var/www/localhost/public_html/') > /tmp/
[13:36:46] [info] Trying to create a file in directory '/tmp/' for command execution output.
Do you want to use URL 'http://localhost:9090/HEPYZJ.txt' for command execution output? [Y/n] > y
It seems that you don't have permissions to read and/or write files in directory '/tmp/'.
Do you want to use the temporary directory ('/tmp/')? [Y/n] > y
[13:37:18] [info] Trying to create a file in directory '/tmp/' for command execution output.
[13:37:18] [warning] It is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions.
[13:37:18] [info] Testing the (semi-blind) tempfile-based injection technique.
[13:37:18] [warning] The tested GET parameter 'txt' does not seem to be injectable.
[13:37:18] [critical] All tested parameters appear to be not injectable. Try to increase value for '--level' option if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved, maybe you could try to use option '--tamper' and/or switch '--random-agent'.
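A point worth checking against the handler posted above: Runtime.exec(String) splits the string on whitespace with a StringTokenizer and passes the tokens to the OS directly. No shell parses the command line, so operators such as `;`, `|`, `&&` or `$(...)` reach the target program as literal argument text, and payloads that rely on a shell to chain a second command (the shape commix's classic and time-based tests use) are not interpreted. The program below is an added illustration of that behaviour and is not code from the issue or from commix; the class name, the payload string, and the presence of /bin/sh and echo on a Linux host are assumptions made for the demo.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.StringTokenizer;

// Added example, not part of the issue: how Runtime.exec(String) sees a payload.
public class ExecTokenizationDemo {

    // Runtime.exec(String) builds argv exactly like this (default StringTokenizer
    // delimiters: space, tab, newline, CR, form feed) and then calls exec(String[]).
    static String[] javaTokenize(String command) {
        StringTokenizer st = new StringTokenizer(command);
        String[] argv = new String[st.countTokens()];
        for (int i = 0; st.hasMoreTokens(); i++) {
            argv[i] = st.nextToken();
        }
        return argv;
    }

    // Run argv without a shell and return combined stdout/stderr.
    static String run(String[] argv) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        StringBuilder out = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = r.readLine()) != null) {
                out.append(line).append('\n');
            }
        }
        p.waitFor();
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload in the shape of a shell command-chaining injection.
        String payload = "echo hello; id";

        // 1. What runtime.exec(txt) does with it: argv = [echo, hello;, id]
        String[] argv = javaTokenize(payload);
        System.out.println("argv = " + Arrays.toString(argv));
        System.out.print(run(argv));          // echo prints "hello; id" literally; id never runs

        // 2. What a metacharacter payload needs: a shell interpreting the string.
        System.out.print(run(new String[] {"/bin/sh", "-c", payload}));   // "hello", then id output

        // 3. With exec(String) the whole parameter is the command, so a plain
        //    ?txt=id already executes; no operator is needed to get code execution.
        System.out.print(run(javaTokenize("id")));
    }
}
```

Compile and run with `javac ExecTokenizationDemo.java && java ExecTokenizationDemo`. The same tokenization turns a time-based probe such as `sleep 5; id` into `sleep` with the arguments `5;` and `id`, which sleep rejects, so no delay is observed. Against a handler of this shape the manual exploit is simply to send the command itself as the parameter value, which is the kind of manual confirmation the maintainer suggests below before running the tool.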

stasinopoulos commented 4 months ago

Firstly, take a look with the latest dev version. Also, try to increase the value for the --level option (to perform more tests). FYI, you can increase the verbosity with the -v argument and see exactly at which point / part the executed requests fail.

Tip: A good practice to conclude why this happens is to exploit the vulnerability manually and then run commix against it.

stasinopoulos commented 4 months ago

Just check against the following java code: https://github.com/SasanLabs/VulnerableApp/blob/master/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java

[image: Untitled]

CptGuo commented 4 months ago

If this is just a basic test environment and it can't even complete an injection directly, what else can this tool do?

stasinopoulos commented 4 months ago

As you can see in the image above, it works fine with Java applications. In any case that commix does not meet your needs, you can find a similar one that does.

github-actions[bot] commented 2 months ago

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

This action has been performed automatically by a bot.