Demo: Command Injection


Time
2 hours 54 minutes
Difficulty
Intermediate
CEU/CPE
3
Video Transcription
>> That being said, let's look at command injection. If we look at Other and scroll down to Command Injection, you'll see DNS Lookup. It says, "Who would you like to do a DNS lookup on?" We could do something like google.com, and you'll see here the server that it's using, the address, port 53 for DNS, and it gives us the address here. That looks to me like the nslookup command. Just to mimic that in the terminal: nslookup google.com, and you'll see it's using a different server here, 19216811, whereas this one is 192168655, but it gives us the same answer. This definitely looks like the nslookup command.

If you remember the different characters that we used before to test for command injection, something you probably already saw me use is localhost with the semicolon and id, to figure out if I can inject the id command into this web server. Although, what did I teach you before? If I don't know what this web application is running on, it's probably better to use a command that would work on both Windows and Linux. I could do whoami, and I see www-data. You can also figure that out another way. I showed you Developer Tools; you can tell by the logo up here that I'm actually using the Burp Suite embedded browser. But if we look at the Network tab and just refresh this page, and I look at the first request here, I can see in the response headers that the server is Apache on Ubuntu, so I know it's a Linux box and therefore that I can issue Linux commands.

Again, we're trying to prove impact here. I've found a command injection vulnerability, and we want to pivot to showing that maybe we can view sensitive data or delete things. Getting a shell, of course, is the best-case scenario, but reading sensitive data, to me, is a very important thing. Let's try to find some sensitive data here. What I'm going to do is try to list everything in the base directory here: ls. I can see something called secret file here. If I do ls again on secret file, I see something called sensitive data.

Again, I have to keep using this form. This is why I like using something like Burp Repeater, because it makes it a little easier to see. Of course, there's a whole bunch of information here that makes it a little difficult for me to see it in Repeater. I'll go to my history and bring Repeater in here. One second, let me make it so you can actually see all this. If I send this to Repeater, you can tell it's URL-encoded right now. Well, maybe you can't. We can use the Decoder feature for this: copy, Decoder, paste it in, and I'm going to decode as URL. We can see here: localhost; ls secret file. What we want to do is cat, or look for, that sensitive data text file. We want to read that, and cat is the command we want to use in Linux. I could go ahead and encode this again as URL, and you'll see it encodes the whole thing as URL. Then maybe that will work and maybe it won't. We can go back to Repeater, paste all of this in here, and see if it does anything.

We see OK and all the HTML on the page, and this is what makes Mutillidae a little difficult: you have to get through all of this. Here, the nice thing is that you have a search feature. We keep scrolling down... authentication bypass via brute force. The other thing we can do is render the page, which makes it look a little nicer. There we go; we don't have to scroll through all the HTML. We can render the page, and we see that the URL-encoded string did work: we catted that file and it says the answer is 42. If you're a fan of The Hitchhiker's Guide to the Galaxy, you already know the answer is 42, but this is simulating the sensitive data we can reach using the command injection.

Again, we could get a shell on the server, but ultimately we want to prove to a customer or client that we're able to read sensitive data or do other malicious actions, maybe render the service unavailable. Of course, you don't want to do that when you have a paying customer, but that's definitely something you can explain to them.

The other thing I want to show you is permissions. I told you all to figure out what permissions you have when you're running commands. I know the /etc/passwd file is something we typically look for, because we know any user can read it. Now, the other file like /etc/passwd is /etc/shadow. The thing about /etc/shadow is that if it's configured correctly, the only one that can read it should be the root user. I know I can read /etc/passwd. Now let's try to cat /etc/shadow and see if this server is running as root, and it's not; or I should say the user we're running as here, www-data, does not have permission to read /etc/shadow. If the server were running as root, I would then be able to read /etc/shadow, because those are the permissions I would have. From here, if I could get on the server and escalate privileges to the root user, that's what I would try to do next: I'd try to get root privileges, read even more sensitive files, crack hashes and passwords, and do things like that. That takes a little bit of time, but I just want to show you some of the basics of command injection.

Of course, don't just look at forms like this, like I've talked about. Here's a hint for when you start looking at the Shellshock lab: you can start injecting into things like user agents or cookie information. You can start trying to inject commands into those and see if it works. With that in mind, we'll end our command injection lab with Mutillidae here, and just remember that it's not just the semicolon, which is what I used in this particular case. We can use some of these other characters, like the double ampersand, and things like the single pipe. We see it only executed the second command. Recall from the slides what each of those characters does. Some of them may work and some of them may not. But that's how you want to test forms and parameters, and even cookie values and your headers, for command injection vulnerabilities.
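The following Python model is an added example written for this page; it is not code from the video or from Mutillidae. It stands in for the DNS-lookup form: BASE_COMMAND is "echo lookup" rather than nslookup so it runs offline (an assumption), vulnerable_lookup reproduces the concatenate-and-hand-to-the-shell pattern the demo exploits, safe_lookup is the hardened form (a hostname allow-list plus an argv list with no shell), encode_payload performs the URL encoding the Decoder step showed, and probe_separators cycles through ; && || | to record which of the two commands actually ran, including the pipe case where only the second command's output appears. All function and constant names are this example's own.

```python
"""Added model of the Mutillidae DNS-lookup demo: a vulnerable handler that
splices user input into a shell command, a hardened handler, and helpers for
the separator and URL-encoding tests. Names and the echo stand-in are this
example's own assumptions, not code from the lab."""
import re
import shlex
import subprocess
from urllib.parse import quote

# Stand-in for "nslookup" so the example runs offline (assumption).
BASE_COMMAND = "echo lookup"

# Shell separators a tester cycles through when the semicolon is filtered.
SEPARATORS = [";", "&&", "||", "|"]

# RFC 1123-style hostname: labels of alphanumerics and hyphens, no leading
# or trailing hyphen, 1-63 chars per label, 253 chars overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_lookup(host: str) -> str:
    """The flawed pattern: concatenate the parameter and hand it to /bin/sh,
    so ; && || | and friends are interpreted as shell syntax."""
    proc = subprocess.run(BASE_COMMAND + " " + host, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def safe_lookup(host: str) -> str:
    """Hardened form: allow-list the value, then pass it as one argv element
    with no shell, so metacharacters reach the program as literal text."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    argv = shlex.split(BASE_COMMAND) + [host]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


def is_rejected(host: str) -> bool:
    """True when the hardened handler refuses the input."""
    try:
        safe_lookup(host)
    except ValueError:
        return True
    return False


def build_payloads(host: str, injected: str) -> dict:
    """host<sep>injected for each separator, e.g. 'localhost;id'."""
    return {sep: f"{host}{sep}{injected}" for sep in SEPARATORS}


def encode_payload(payload: str) -> str:
    """URL-encode every reserved character, as the Decoder step did; the
    server decodes it again before the string reaches the shell."""
    return quote(payload, safe="")


def probe_separators(host: str = "localhost",
                     injected: str = "echo injected-$((6*7))") -> dict:
    """Run each payload through the vulnerable handler and record
    (first command produced output, injected command produced output).
    The arithmetic expansion only yields 42 if a real shell evaluated it."""
    report = {}
    for sep, payload in build_payloads(host, injected).items():
        out = vulnerable_lookup(payload)
        report[sep] = ("lookup" in out, "injected-42" in out)
    return report


if __name__ == "__main__":
    for sep, (first_ran, second_ran) in probe_separators().items():
        print(f"{sep:>2}: first={first_ran} injected={second_ran} "
              f"encoded={encode_payload(build_payloads('localhost', 'id')[sep])}")
    print("hardened rejects payload:", is_rejected("localhost;id"))
    print("hardened accepts host  :", safe_lookup("ns1.example.com").strip())
```

Running it shows the semicolon and double ampersand executing both commands, the double pipe executing only the first (because echo succeeds), and the single pipe executing only the second, which is the behaviour the demo points out. The hardened handler stops every one of those payloads at the allow-list, and even a value that slipped past it would arrive as a single argument rather than shell syntax.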