SOC168 — Whoami Command Detected in Request Body

What is Command Injection?

• Command injection is a type of vulnerability that allows an attacker to execute arbitrary commands on the host operating system via a vulnerable application.
• This can occur when an application passes unsafe user supplied data (e.g. form input) to a system shell without proper validation or sanitization.
• An attacker can use command injection to gain unauthorised access to sensitive data, execute malicious code or disrupt the intended functionality of the application.

Example:

ls command injection that lists directory contents of files and directories

How to detect command injection ?

• One way to detect command injection vulnerabilities in a web application is to search the source code for keywords that may indicate the use of system commands with unsanitized user input
• Some keywords to look for include:
• “Whois” , “dir”, “ls”, “cp”, “cat”, “type”
• “System”, “etc”, “exec”, “shell_exec”
• “Whoami”

SOC168 — Whoami Command Detected in Request Body

Here is the generated alert,

• Source IP address (61.177.172.87) attempted “Whoami” command injection attack on Web server 1004 (172.16.17.16).
• Request URL : https://172.16.17.16/video/

Let’s check about Source IP address:

This IP address was flagged as malicious. Also attackers make lots of attacks by using this IP address.

Lets, look into the Log Management

• There are several command injection ware made by this attacker(61.177.172.87).
• All attempts are responded with 200 HTTP Status with different HTTP response sizes.
• We are able to see that all the command injections made by the attacker were executed. By checking the command line History on web server 1004

Playbook Answers:

• Yes, we need Tier 2 Escalation
• The Attack was successful
• The Direction of Traffic : Internet to company network
• There is NO Mail about Attack , this is not a Planned Test
• This is Command injection attack
• It is a Malicious Traffic

Reference :