Command
injection is an attack in which the goal is execution of arbitrary commands on
the host operating system via a vulnerable application. Command injection
attacks are possible when an application passes unsafe user supplied data
(forms, cookies, HTTP headers etc.) to a system shell. In this attack, the
attacker-supplied operating system commands are usually executed with the
privileges of the vulnerable application. Command injection attacks are
possible largely due to insufficient input validation.
This
attack differs from Code Injection, in that code injection allows the
attacker to add his own code that is then executed by the application.
In Code Injection, the attacker extends the default functionality of the
application without the necessity of executing system commands. Source:
Requirement:
Xampp/Wamp
Server
bWAPP
Lab
Kali
Linux: Burp suite, Commix tool
Very
first you need to setup bWAPP lab in your XAMPP or WAMP server, for this you can
visit to my previous article web Pentest lab setup using bwapp here.
Now I m
going to perform os command injection attack using bWAPP
Start service Apache and Mysql
in Xampp or Wamp server. Let’s open the local host address in browser as I am
using 192.168.1.103:81/bWAPP/login.php. Enter user and password bee and bug respectively.
My task is
to bypass all three security level in bWAPP through os command injection.
Let start!
Set security level:
low
Look at below image I have
set the security level low, from option choose you bug select os command injection
now and click on hack.
Type the IP
in the DNS lookup field and just after that start the burp suite in kali Linux.
Don’t forget to set proxy in your browser while using the burp suite.
To capture the cookie of bWAPP click on proxy option
then click to inception is on button, come back to bWAPP and now click to DNS.
As you can see I have capture the cookie in
burp suite.
Open the terminal in kali Linux and type the commix command.
From fetched data under burp suite copy referrer, cookie and
target use this in the following command
commix
--url="http://192.168.1.103:81/bWAPP/commandi.php"
--cookie="PHPSESSID=7pegaf9inlf9iddhb7341k7se7; security_level=0"
--data=target="192.168.1.103&form=submit"
This command will execute the commix tool in terminal which
automatically perform command injection attack using url and cookie information
in bWAPP.
Type
‘y’ to resume the classic injection point and to pseudo terminal shell.
Attack is successful commix provided a commix os shell
Commix (os_shell) > syseteminfo
Set security level: medium
Look at below image now I have set the security
level medium, from option choose you bug select os command injection now and
click on hack.
Repeat the process again as above, Type the IP
in the DNS lookup field and just after that start the burp suite.
Click to inception is on, come back to bWAPP
and now click to DNS. As
you can see I have capture the cookie for medium level in burp suite.
From
fetched data under burp suite copy referrer, cookie and target use this in the
following command.
commix--url="http://192.168.1.103:81/bWAPP/commandi.php"--cookie="PHPSESSID=7pegaf9inlf9iddhb7341k7se7;security_level=1"--data=target="192.168.1.103&form=submit"
Type ‘y’ to
resume the classic injection point and to pseudo terminal shell.
Attack is successful in medium security and again commix
provided a commix os shell.
Commix (os_shell)
> ipconfig
Set security level: high
After achieving os shell of low and medium my
next mode is high security, now I m trying to bypass this level by repeating
same process once again.
Set security high, choose
your bug os command injection and click on hack.
Type the IP in the DNS lookup field and just
after that start the burp suite in kali Linux. From fetched data under burp suite copy
referrer, cookie and target use this in the following command.
commix--url="http://192.168.1.103:81/bWAPP/commandi.php"--cookie="PHPSESSID=7pegaf9inlf9iddhb7341k7se7;security_level=2"--data=target="192.168.1.103&form=submit"
Type ‘y’ to
resume the classic injection point and to pseudo terminal shell. We have
successfully bypass high level also with the same process.
Commix (os_shell)
> systeminfo
0 comments:
Post a Comment