Server Side Injection Explotation in bWapp

In this article you will learn how to exploit any server using server side include injection which is commonly known as SSI.

SSIs are directives present on Web applications used to feed an HTML page with dynamic contents. The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. The attacker can access sensitive information, such as password files, and execute shell commands. The SSI directives are injected in input fields and they are sent to the web server. 
For more information visit owasp.org
 Let’s begin
In your kali Linux open the target IP in browser: 192.168.1.103/bWAPP/login.php. Enter user and password as bee and bug respectively.


Set security level low, from list box chooses your bug select server side include injection now and click on hack.


Now request web page will get open where you can see it is having two text fields for first name and last name respectfully.


Then I had given random name test: test as the first name and last name respectfully, to know what exactly I will receive when I will click on lookup tab. Here first name text filed is vulnerable to SSI injection.


when I clicked on lookup, a new wep page pop up on the window screen which was showning the IP 192.168.1.107 of my Kali Linux.


Now I will try to exploit this vulnerability by sending different types of malicious code into web application.  If you will see following screenshot carefully here I had sent a script which will generate an alert prompt in window screen. To perform this you need to modify text field of first name and type following code inside it.



So when again we will click on lookup then an alert prompt “hack” will pop up in the window screen. Hence it confirms that first name text filed is vulneable.


Similarly I had executed following code which will return current date and time.


So in this way this directive will display the content of http environment variable and from screenshot you can read he highlighted day, date and time.


If I am willing to fetch cookies of the web server then this can be possible here also. Only we need to type following script code in the same text filed.


Now again an alert prompt will pop up with server’s cookie, which we can use for further exploitation.


Using exec directive we can execute a server side command with cmd as parameters. Here I am trying to retrieve all lists of files and folder using following code.


Wonderful!!  So you can see without making proper compromise to the server we have got all present directories inside it.


Now at last finally we will try to access its remote shell using netcat which will help us for establishing a reverse connection with targeted system. Open a terminal to start netcat listener on port 4444 and type following inside vulnerable text filed as done above.


So when again you will click on lookup tab you will get reverse connection through netcat shell  as I have received in following image which means the web application server is hacked where we can execute following command to penetrate more and more.
Id
pwd

0 comments:

Post a Comment