Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10

Video Description

This lesson offers participants step-by-step instructions in using Mutillidae to discover vulnerabilities through a demo of a command injection. By chaining commands onto the input of a DNS lookup page, an attacker can discover which files are on a web server and read the source code of a PHP file.
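The lookup page the demo abuses passes the submitted value straight to a shell command. The following PHP is an added illustration, not Mutillidae's own code: it shows the vulnerable pattern beside a hardened version that validates the input against an allowlist (an IP address or a DNS hostname) and then quotes it with escapeshellarg(). The function names and the sample inputs are constructed for this example.

```php
<?php
// Added example (not Mutillidae's code): the DNS-lookup page pattern from
// the video, first as it is vulnerable, then hardened.

// VULNERABLE: the submitted value is concatenated directly into the shell
// command string, so any shell metacharacters it contains are interpreted
// by the shell rather than treated as part of the hostname.
function build_lookup_command_vulnerable(string $target): string {
    return "nslookup " . $target;
}

// Allowlist check: accept an IP address (v4 or v6) or a DNS hostname made of
// labels of letters, digits and hyphens joined by dots; reject everything else.
function is_valid_lookup_target(string $target): bool {
    if (filter_var($target, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return (bool) preg_match('/^(?=.{1,253}$)(?:' . $label . '\.)*' . $label . '$/i', $target);
}

// HARDENED: validate first, then quote the argument so the shell sees a
// single literal word even if the allowlist is ever loosened later.
// Returns null when the input is rejected; the caller should show a generic
// error rather than echoing the rejected value back to the page.
function build_lookup_command_safe(string $target): ?string {
    if (!is_valid_lookup_target($target)) {
        return null;
    }
    return "nslookup " . escapeshellarg($target);
}

// Constructed inputs: a hostname, a documentation-range IP, and a value that
// carries a shell command separator like the one used in the demo.
$inputs = ["example.com", "192.0.2.10", "example.com; dir"];
foreach ($inputs as $in) {
    printf("%-20s vulnerable: %s\n", $in, build_lookup_command_vulnerable($in));
    $safe = build_lookup_command_safe($in);
    printf("%-20s hardened:   %s\n", '', $safe === null ? "REJECTED by allowlist" : $safe);
}
```

Run it from the command line with `php lookup_demo.php`. The third input is rejected before any command is built; the first two are both accepted and additionally single-quoted, which is the layered defence the transcript's closing remark about "input validation or whitelisting" points at.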

Video Transcription

00:04
Hello and welcome to the Secure Coding course. My name is Sunny Wear, and this is the OWASP Top 10 for 2013, A1 Injection demo for command injection.
00:18
This is the command injection demo.
00:22
We're using Mutillidae to actually illustrate this particular vulnerability.
00:28
Now, in this page, we just have a hostname lookup or an IP address lookup. It does an nslookup on the back end
00:38
based on whatever's typed in the text box. The problem is that there is absolutely no validation being done
00:47
for the value that's placed within this text box. And so, because there's no input validation or any type of whitelisting to restrict what is put in here, we are at liberty to put anything we like.
01:04
Now, if I were to
01:07
run this as it should be run, I would put in here an IP or hostname.
01:14
And then you would see the results of the nslookup.
01:19
So it gives me the IP address.
01:23
But being nefarious, we want to actually try
01:27
to instead
01:30
chain together
01:33
multiple
01:34
commands that we can then run on this particular operating system. So if this were a Windows operating system, we could probably give it a directory command of DIR.
01:49
And sure enough, it comes back and gives me a directory listing of all the files on the Web server.
01:59
Now we could continue this and
02:04
use the type command to actually
02:08
look at the index file,
02:12
and as a result, you can see that we can now see the source code of the PHP file
02:19
and this can go on. And so, because of the lack of input validation or whitelisting for the value received within this text box,
02:29
this is the reason for the command injection vulnerability.

Up Next

Secure Coding

In the Secure Coding training course, Sunny Wear will show you how secure coding is important when it comes to lowering risk and vulnerabilities. Learn about XSS, Direct Object Reference, Data Exposure, Buffer Overflows, & Resource Management.

Instructed By

Sunny Wear
Instructor