Command Injection & SSI
The course is part of this learning path
In this course, we continue working on bWAPP and we're going to use it to learn about some new attacks, namely command injection and SSI vulnerabilities.
Hi. Within this lecture, we're going to see a little bit more hardened security. I'm going to make it medium and we're going to continue working on our SSI Injection. So, this works fine. We didn't break anything or something like that. But if we try that attack that we have tried in the previous lecture, we're going to see that it doesn't work. It doesn't show up our lesson here. Okay? So, it always happens. They may be behind the firewall, maybe they have hardened the security with some kind of filters and stuff that we're going to have to try and see. So, for example, they may actually filter out this whole thing, like the angular braces over here or exclamation mark or maybe they have filtered out the quotation marks. Maybe they have filtered out the whole thing like the execute comment. Okay? We cannot know without trying it. So, this always happens as I said before, so you're going to have to make sure that nothing works here. Like, if they filtered out this, maybe I want to write the whole thing one more time and see what result do I get back? In fact, this is a general rule for all the kind of injections that we're going to see and we have seen. If somebody is trying to filter something out, then we can try the other ways of going around in this. For example, this time, I'm just going to add something and see if they're filtered out as well. And if it's not, then I'm going to just do something else. For example, maybe they have deleted the first couple of things like that. So, I'm going to just add one angular braces over here or smaller than sign. And here you go, it shows that < Sam. So, they're definitely filtering out something. We don't know what it is exactly yet. Maybe they are filtering out whole thing over here, like maybe if it starts with smaller than and some stuff, then it filters out that. I'm just trying something over here, like maybe we can add like this, okay? And try like that. It may work. And it didn't work and it actually broke the whole thing together because I believe it turned it into a comment or something like that. So, what can we do next? We can try to see if the problem is with these quotation marks. So, I'm going to add a couple of those here. No, it didn't work. So, let's see. If we delete the quotation marks, maybe we can get rid of those and see if that's the problem or not. Okay. Maybe it got filtered or it got edit. And here you go. It worked. Again, we have only tried this. I didn't know if it was going to work or not. This is not a rule. Maybe the other trials would be successful in whole another case. Okay? There is no rule in here. If they're trying to filter something out, we can try to write this in different ways and try it. So, I cannot guarantee that this will work or this won't work. So, you're going to have to come up with creative ways to try and see for yourselves. We're going to see the most intense examples for this in the SQLite Injection part, in the SQLite Injection sections. And we're going to see how to bypass filters by just tweaking the parameters that we write our comments, we write. This is one of the examples. This may be related with the firewall, this may be related with the code itself that they have placed for the security. And the best way to understand this is the trial and failure. Okay. So, we covered a lot of injections. Right now, we're going to stop here and continue with whole different kind of section, and then we will move back to SQLite or SQL Injections later on. So, let's meet in the new lecture.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.