FCSC 2021 – MyWhois

Now, let’s talk about the MyWhois challenge. This walkthrough is aimed at complete beginners who have never exploited a command injection before.

The challenge is a simple web app, as the following screen capture shows:

The interface of the challenge

Playing the game of good user

Let’s try to use this app as a normal user would:

A part of the results obtained when making a request for ssi.gouv.fr

I know that this output is typically the output of the Linux ‘whois’ command. What we may try now is to execute our own command. In fact, if the server executes the whois command and doesn’t check and sanitize the input, we can do a command injection.

Command injections : theory

In Linux shells, we can execute 2 commands in a single line with aggregators. Aggregators allow us to concatenate commands. The 3 most-used aggregators are:

  • | : The ‘pipe’, which takes the output of the first command and passes it to the second one as input
  • && : The double ‘and’ symbol, which executes the first command then the next one
  • ; : The semicolon, which does the same thing as the double ‘and’ symbol

The pipe doesn’t interest us because we want to execute our own command, not to use the output from whois.

Then we have ‘&&’ and ‘;’. I prefer ‘;’ because it’s shorter but sometimes ‘&&’ is required if the sanitizer removes semi-colons from command inputs.
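The point about a sanitizer that only removes semicolons, shown from the server's side as an added example (this is not the challenge's code or code from this write-up). It checks which shell operators survive such a filter, then builds the whois call from an allowlisted domain and an argument list instead of a shell string; the function names and sample inputs are constructed for illustration.

```python
import re
import shlex
import subprocess

# Allowlist: dot-separated labels of letters, digits and inner hyphens.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")


def strip_semicolons(value):
    """Blocklist filter of the kind mentioned above: removes ';' only."""
    return value.replace(";", "")


def shell_operators(command_line):
    """Return the control operators a POSIX shell would find in the line."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return [tok for tok in lexer if tok and set(tok) <= set(";|&")]


def whois_argv(domain):
    """Validate the input and build an argument list; no shell is involved."""
    if len(domain) > 253 or not DOMAIN_RE.fullmatch(domain):
        raise ValueError(f"rejected input: {domain!r}")
    # A label cannot start with '-', so the value cannot be read as an option.
    return ["whois", domain]


def lookup(domain):
    # A list with the default shell=False reaches whois as a single argument.
    return subprocess.run(whois_argv(domain), capture_output=True,
                          text=True, timeout=15)


if __name__ == "__main__":
    # Constructed inputs: one normal domain and two with an extra echo command.
    for value in ("ssi.gouv.fr", "ssi.gouv.fr; echo hi", "ssi.gouv.fr && echo hi"):
        line = "whois " + strip_semicolons(value)
        print(repr(value), "-> operators left after filter:", shell_operators(line))
        try:
            print("   argv:", whois_argv(value))
        except ValueError as err:
            print("   ", err)
```

The filter leaves `&&` in place, while the allowlist rejects both modified inputs before any process is started.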

Now, let’s practice !

Now that we know that, let’s start with a simple command: printing ‘Hello, World !’.

The request we made is printed on the webpage

As we can see, no filtering function is used on this web app.

And here it is ! Our command is executed successfully.

The expected result of our command injection

Little tip: to avoid having to deal with the whois results, we can type our aggregator directly, without any argument for whois. Example:

A simple way to remove the whois results

Let’s list the directory’s content :

Result of the ls command

Getting the flag 😃

Let’s check the content of the index.php file:

Result of the cat command on the index.php file

At first glance, nothing. But let’s check the page source to be sure…

Source of the page with our command injection

Thus, the MyWhois flag is FCSC{2e3405155d63a7d82f215d17232ea102314509ecbe90d605cf8be26f4639153b}
