Pinging hosts by calling exec? That’s a great idea!
Going into this, I had a feeling that it was going to be a command injection. Turns out yet again more accurate labeling by John/Thracky.
The application was a Tomcat/Java EE WAR package. A WAR is just a zip, so you can extract it pretty easily.
Once extracted, find the servlet's .class file (compiled classes live under WEB-INF/classes) and toss it into a decompiler.
The vulnerability is plain to see:
String[] cmd = { "/bin/sh", "-c", "ping -c 4 " + host };
Process process = Runtime.getRuntime().exec(cmd);
Well, that's a pretty cut and dry command injection: the host parameter is concatenated into a string that /bin/sh -c parses, so any shell metacharacter in it (; | & $( ) and friends) ends the ping command and starts the attacker's.
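As an added example (not the challenge's code or anything from the original writeup), here is the same construction in Python: the vulnerable form mirrors the decompiled Java above, and the hardened form checks the value against an allowlist (an IPv4/IPv6 literal via ipaddress, or an RFC 1123 hostname) and then hands it to ping as its own argv element with no shell in between. The function names, the hostname regex and the sample inputs are mine.

```python
import ipaddress
import re
import subprocess
from typing import List

# Hypothetical helpers, not the challenge's code: vulnerable_command mirrors the
# decompiled Java, safe_command is one way to fix it.

# RFC 1123 hostname: labels of alphanumerics and hyphens that neither start nor
# end with a hyphen, joined by dots, at most 253 characters. This rejects shell
# metacharacters, whitespace and a leading "-" (which ping would read as an option).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?$"
)


def vulnerable_command(host: str) -> List[str]:
    """Equivalent of the decompiled Java: /bin/sh parses the concatenated string,
    so any shell metacharacter in host runs attacker-supplied commands."""
    return ["/bin/sh", "-c", "ping -c 4 " + host]


def is_valid_host(host: str) -> bool:
    """Allowlist check: an IPv4/IPv6 literal or an RFC 1123 hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.match(host) is not None


def safe_command(host: str) -> List[str]:
    """Hardened form: refuse anything that is not a host, and pass the value to
    ping as a single argv element. No shell is involved, so even a value that
    slipped past validation would reach ping as one argument, not a command line."""
    if not is_valid_host(host):
        raise ValueError(f"refusing to ping invalid host {host!r}")
    return ["ping", "-c", "4", host]


def ping(host: str) -> int:
    """Run the hardened command (needs a ping binary; not exercised by the test)."""
    return subprocess.run(safe_command(host), check=False).returncode


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying a shell injection.
    for candidate in ["127.0.0.1", "127.0.0.1; id"]:
        print("vulnerable argv:", vulnerable_command(candidate))
        try:
            print("hardened argv:  ", safe_command(candidate))
        except ValueError as exc:
            print("hardened argv:   rejected:", exc)
```

The two defences are independent on purpose: the allowlist stops the bad value at the door, and the argv form means that even without it there is no shell to interpret `;` or `$( )`. Rejecting a leading `-` matters too, because ping would otherwise parse the value as an option rather than a target.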
Let's first consider what sh treats as special, and how IP addresses and hostnames are supposed to be formatted. Hostnames use . and -, IPv4 addresses use ., and IPv6 addresses use : (and can contain . as well, it's weird like that). Incorporating all of these, we can create a regex to match: /[A-z0-9.]+[^A-z-.=: \d][\\\^]?/i
The key point is that it will not match against any special character except: - . = : (space). These are the valid delimiters for IPs and hostnames (= is there because of the POST request value formatting); any other character can be considered an injection attempt. One caveat: A-z as a range also spans the ASCII characters that sit between Z and a ([ \ ] ^ _ and the backtick), so those are treated as allowed as well.
I highly recommend using regexr.com for writing regex. Immensely useful.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"pingpong vulnerability"; flow:to_server; content:"POST"; http_method; content:"/pingpong/Ping"; http_uri; content:"host="; pcre:"/host=[A-z0-9.]+[^A-z-.=: \d][\\\^]?/i"; classtype:web-application-attack; sid:1234560002;)
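To see what the rule's pcre actually does, here is an added Python harness (mine, not part of the writeup) that runs the same expression, with Python's re standing in for Snort's PCRE, over constructed POST bodies and whole requests. The regex is the one from the rule, unchanged; the request builder, the function names and the sample payloads are assumptions.

```python
import re

# The pcre from the rule, unchanged. Python's re reads it the same way PCRE
# does: A-z is an ASCII range, the negated class lists the allowed delimiters,
# and the trailing [\\\^]? is optional so it never decides a match.
PCRE = re.compile(r"host=[A-z0-9.]+[^A-z-.=: \d][\\\^]?", re.IGNORECASE)


def pcre_fires(payload: str) -> bool:
    """True if the rule's pcre option would match this payload."""
    return PCRE.search(payload) is not None


def rule_fires(raw_request: str) -> bool:
    """Approximates the whole rule: POST method, /pingpong/Ping in the URI,
    the literal host= somewhere, then the pcre over the payload.
    (Port, direction and flow checks are left to Snort.)"""
    request_line = raw_request.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) < 2 or parts[0] != "POST":
        return False
    if "/pingpong/Ping" not in parts[1]:
        return False
    if "host=" not in raw_request:
        return False
    return pcre_fires(raw_request)


def build_request(body: str, method: str = "POST", uri: str = "/pingpong/Ping") -> str:
    """Constructed sample request (assumed headers; not captured traffic)."""
    return (
        f"{method} {uri} HTTP/1.1\r\n"
        "Host: target.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


# Constructed bodies, labelled with what the regex does to each of them.
SAMPLES = {
    "host=8.8.8.8": "benign IPv4, no alert",
    "host=example.com": "benign hostname, no alert",
    "host=2001:db8::1": "benign IPv6, no alert",
    "host=8.8.8.8;id": "injection, alert",
    "host=8.8.8.8%3Bid": "URL-encoded ';', alert (% is not a delimiter)",
    "host=8.8.8.8+%26%26+id": "browser-encoded ' && ', alert (+ is not a delimiter)",
    "host=8.8.8.8&count=4": "second form field, alert (false positive on &)",
    "host=8.8.8.8 ;id": "raw space before ';', NO alert (metachar must follow the run)",
    "host=$(id)": "no leading alnum, NO alert ([A-z0-9.]+ needs at least one)",
    "host=`id`": "backtick, NO alert (` lies inside the A-z range)",
}


if __name__ == "__main__":
    for body, note in SAMPLES.items():
        print(f"{pcre_fires(body)!s:5}  {body!r:28}  {note}")
    print("full request:", rule_fires(build_request("host=8.8.8.8;id")))
```

The sample set shows both sides of the regex. A browser URL-encodes the form value, so `;` becomes `%3B` and a space becomes `+`, and both fire because `%` and `+` are not in the delimiter list. But the expression only fires when a non-delimiter character immediately follows a run of at least one alphanumeric, so a value with a raw space before the metacharacter, a value that begins with the metacharacter, or one using backticks passes silently, while a second form field separated by `&` trips it. Worth knowing before trusting the alert in either direction.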