The term injection attack refers to a wide variety of program flaws related to incorrect handling of input data: the attacker injects a malicious payload so as to affect the flow of execution of the program. Command injection, the case treated here, is the variant in which the payload ends up being interpreted by a shell.
Command injection
Consider, for example, the following C function from the program myping:
#include <stdio.h>
#include <stdlib.h>
#define MAX_SIZE 256   /* assumed value: the handout does not show the definition */
void ping(char *ip) {
    char buf[MAX_SIZE];
    /* ip is copied verbatim into the command line: no validation, no quoting */
    snprintf(buf, MAX_SIZE, "ping -c1 %s", ip);
    system(buf);       /* hands buf to "sh -c": shell metacharacters in ip are interpreted */
}
Explanation:
buf is a string built by appending the string ip, passed as a parameter, to "ping -c1 " through snprintf. Notice that snprintf is safe as far as buffer overflow is concerned: it limits the length of the produced string to MAX_SIZE-1 characters and always adds the null terminator 0x00. buf is then passed to system, which executes ping as if it were run from the shell (system hands the whole string to /bin/sh -c). The system function is considered extremely risky, especially when its input originates from an untrusted source, since it is subject to command injection attacks: any shell metacharacter contained in ip (such as ; or |) is interpreted by the shell rather than passed to ping as part of the address.
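As an added example (not code from the handout and not part of myping), the following program puts the vulnerable construction next to a hardened version of the same function. vulnerable_cmd returns the exact string that system() would pass to sh -c, so you can see that an argument such as 127.0.0.1; id becomes two shell commands. The hardened ping_safe applies an allow-list check (is_valid_ipv4, built on inet_pton, so only a dotted-quad IPv4 address passes) and then runs ping through fork/execvp with an argument vector, so no shell ever parses the input. The function names and the constructed payload are assumptions of this example; it assumes a POSIX system with a ping binary in PATH.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <arpa/inet.h>

#define MAX_SIZE 256   /* assumed value, as in the handout's snippet */

/* Vulnerable construction, same shape as myping's ping(): the attacker-
 * controlled string is pasted into a command line that system() would hand
 * to "sh -c". Returns that command line (static buffer, for inspection only;
 * nothing is executed here). */
const char *vulnerable_cmd(const char *ip) {
    static char buf[MAX_SIZE];
    snprintf(buf, sizeof buf, "ping -c1 %s", ip);
    return buf;
}

/* Allow-list check: accept only a dotted-quad IPv4 address. inet_pton()
 * returns 1 only for exactly four decimal octets, so shell metacharacters
 * (; | & $ ` < > newline ...) can never get through. */
int is_valid_ipv4(const char *s) {
    struct in_addr addr;
    return inet_pton(AF_INET, s, &addr) == 1;
}

/* Hardened version: no shell involved. The address travels as a single argv
 * element, so even "127.0.0.1; id" would be one (invalid) argument to ping,
 * not two commands. Returns -1 if the input fails the allow-list or if
 * fork/wait fails, otherwise ping's exit status. */
int ping_safe(const char *ip) {
    if (!is_valid_ipv4(ip))
        return -1;                       /* rejected before anything runs */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c1", (char *)ip, NULL };
        execvp("ping", argv);            /* only returns if exec fails */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) {
    /* constructed payload: an address followed by an injected command */
    const char *ip = argc > 1 ? argv[1] : "127.0.0.1; id";
    printf("system() would run: sh -c '%s'\n", vulnerable_cmd(ip));
    int rc = ping_safe(ip);
    if (rc == -1)
        puts("ping_safe: rejected, not a plain IPv4 address");
    else
        printf("ping_safe: ping exited with status %d\n", rc);
    return 0;
}
```

Compile with cc -o demo demo.c and run ./demo '127.0.0.1; id': the first line shows the command line the shell would receive, the second that ping_safe refuses it before any process is started. Two caveats for a setuid program like myping: execvp searches PATH, which an unprivileged caller controls, so in that setting exec an absolute path instead; and neither check is a substitute for not running the helper as root in the first place.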
Do not recompile the program: an executable with the appropriate permissions is already installed in /usr/sbin, so you can run it simply by issuing myping. In particular, the program has the setuid flag set, which makes it run with the privileges of its owner (root): any subcommand executed by the myping program is therefore run as root.
~ $ ls -al /usr/sbin/myping
-rwsr-xr-x 1 root root 19128 Nov 28 21:52 /usr/sbin/myping
Exploit a command injection attack in order to print the content of /etc/shadow. The password for task 2 is the password salt of user rookie in /etc/shadow. The salt is the string delimited by dollar symbols after $6$ (the prefix identifying SHA-512 crypt) and before the password hash: rookie:$6$SALT$HASH
Notice that /etc/shadow is not readable by user rookie, so this is an example of privilege escalation through command injection.
~ $ whoami
rookie
~ $ cat /etc/shadow
cat: can't open '/etc/shadow': Permission denied