Linux Command
Command Execution via Web Application

OS Command Execution using Web Application Vulnerability

Viral Parmar

--

In this article we look at command execution: what it is, how it can be performed via a web application, and the reason why it happens with web apps, step by step.

Before getting started, I hope you have a basic knowledge of the Unix/Linux command line, basic syntax, and a little programming, so that you can understand how a web app interacts with the operating system and how its behavior can be modified through command execution.

What is Command Execution?

Many websites make use of command-line calls to read files, send emails, and perform other native command operations. If your site transforms untrusted input into shell commands, you need to take care to sanitize that input.

If you don't, an attacker will be able to craft HTTP requests that execute whatever command they want.

Command execution is one of the most critical vulnerabilities a penetration tester can come across in a web application penetration test: finding an application that allows them to execute system commands. The severity of this vulnerability is high because it can allow any unauthorized and malicious user to execute commands on the system from the web application, to harvest large amounts of information, or to compromise the target host. In this article we will see how this vulnerability can be exploited, using the Damn Vulnerable Web Application (DVWA) for demonstration because it is free, open source and built for testing; if I tested any other site I would have to go to prison. Anyway, let's start.

In this article I use the following tools:

Virtual machine software (VMware or another virtual machine) for the OS — Download Virtual Machine — Download VMware

Metasploitable OS — includes all the vulnerable applications — Download

Firefox — browser — Download

DVWA — vulnerable application — Download

And of course, a brain.

What is Metasploitable?

Metasploitable is a virtual Linux machine loaded with many types of vulnerabilities normally found in operating systems, which can be used for practising the exploitation of a Linux machine. The Metasploitable project is created and maintained by the Rapid7 community (the Metasploit Framework community). Metasploitable was originally designed for testing the Metasploit Framework. In simple words, Metasploitable is a Linux-based operating system specially designed for practising penetration testing skills, network security skills, Metasploit Framework skills and much more.

Lets Begin B)

Launch the VM and start the Metasploitable OS, then note its IP address and open it in the host OS browser. You will see the Metasploitable interface; select DVWA (Damn Vulnerable Web Application) from the list. DVWA now asks for a login; type the default one (admin / password) if you haven't changed it. Once you're in DVWA, at the bottom left you can see the security level status; make sure it is Low. After that you can see Command Execution in the list on the left; click on it and you will see something like this:

Command Line Execution

By nature, the purpose of this input is to ping an IP address through the web interface, like this:

General Nature of Input

Here I put my IP address and pinged one of my network nodes using this web interface.

Now we check whether this input field is vulnerable to command execution or not, using the following command:

1 | echo opps

Here 1 means true in basic programming, the | (pipe) operator runs commands together, and echo needs no explanation (so smart, hmm).

It will echo my input

OK, now let's check which directory we are in.

1 | pwd

pwd means present working directory.

And we got the path where we are.

Now we list out the things on the server and also check their permissions.

ls -la

ls lists the things available in the directory; -la means with their permissions.

It will give me a list of the directory contents; this is not the nature of the web app

Now we are damn sure it's vulnerable and the server is easy to access, so without wasting more time let's take server access and do whatever you want to do.

We can also execute multiple commands at one time just by using the & sign. We will check multiple commands together.

1 | whoami & ps & w

Get username and processes running on the server

Here whoami is used in the command to know which user the current session is logged in to the OS as, ps shows the current processes running on the server, and w displays information about the users currently on the machine and their processes. The header shows, in this order, the current time, how long the system has been running, how many users are currently logged on, and the system load averages for the past 1, 5, and 15 minutes.

User Login Info

OK, now let's extract the group info from the server using the following command:

1 | cat /etc/group

Here cat prints the information stored inside the file, and we get the following info after executing the command.

Groups available on the server

OK, Linux-based operating systems always store the user password list in /etc/passwd, so let's extract it.

1 | cat /etc/passwd

Voilà, we got the password list

Now we open a port on the server to put a RAT, virus, worm, shell, mining script or much more into the system, using the netcat command.

Netcat is a computer networking utility for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable back end that can be used directly or easily driven by other programs and scripts.

1 | netcat -v -e '/bin/bash' -l -p 31337

Here netcat is the command; -v means verbose mode; -l means show the services that are waiting for (listening for) connections; and -p means display the name and PID of the network service process that awaits connections on the given port. In the output, 0.0.0.0:4444 in the Local Address column means that the service listens for connections on all IP addresses/system interfaces available, on port 4444.

Open a door for ourselves

Now open a terminal on the host computer and type the following command to take access of the server and do whatever you want to do.

command To make Connection

Conclusion

Why does this happen with the web app? Simple: the developer does not sanitize user input at all. See the picture below to understand.

Request Process By Server

Here $target directly stores the user's response without filtering it, so we have to sanitize user input using mysql_real_escape_string() (PHP only) and also validate that the user input is exactly an IP address, not a string or anything else.
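To make the conclusion concrete, here is an added example, not DVWA's own code and not part of the original article: the vulnerable interpolation pattern the picture describes, placed beside a hardened handler that validates the input as an IP address with filter_var() and quotes it with escapeshellarg(), PHP's function for shell arguments, plus a helper that flags request values containing shell metacharacters so they can be logged. The function names, variable names and sample inputs are assumptions and constructed for illustration.

```php
<?php
// Added example (not DVWA's code): vulnerable pattern beside a hardened one.
// All function names and sample values below are assumed/constructed.

// Vulnerable pattern, as the article describes: $target comes straight from
// the request and is glued into a shell command, so "1 | echo opps" makes the
// shell run echo. Shown only for contrast; never deploy this.
function ping_vulnerable(string $target): string
{
    return (string) shell_exec('ping -c 3 ' . $target);
}

// Flags a raw parameter value containing shell metacharacters
// (pipe, ampersand, semicolon, backtick, dollar, redirection, newlines).
// Meant for logging/alerting; the allow-list validation below is the defence.
function looks_like_injection(string $value): bool
{
    return preg_match('/[|&;`$<>\r\n]/', $value) === 1;
}

// Returns the address if $input is a syntactically valid IPv4/IPv6 address,
// otherwise null. An allow-list check rejects everything that is not an
// address, including every probe shown in the article.
function validate_target(string $input): ?string
{
    $candidate = trim($input);
    if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return $candidate;
}

// Builds the command only from a validated address, and still single-quotes
// it with escapeshellarg() so the value can never be parsed as shell syntax.
function build_ping_command(string $input): ?string
{
    $ip = validate_target($input);
    if ($ip === null) {
        return null;
    }
    return 'ping -c 3 ' . escapeshellarg($ip);
}

// Hardened handler: refuses invalid input instead of executing it, and logs
// inputs that look like injection attempts for the defenders to review.
function ping_hardened(string $input): string
{
    $cmd = build_ping_command($input);
    if ($cmd === null) {
        if (looks_like_injection($input)) {
            error_log('possible command injection attempt: ' . $input);
        }
        return 'Invalid IP address';
    }
    return (string) shell_exec($cmd);
}

// Constructed sample inputs: a legitimate address beside the article's probes.
$samples = ['192.168.56.101', '1 | echo opps', '1 | whoami & ps & w'];
foreach ($samples as $s) {
    printf("%-22s valid=%-3s injection=%-3s cmd=%s\n",
        $s,
        validate_target($s) === null ? 'no' : 'yes',
        looks_like_injection($s) ? 'yes' : 'no',
        build_ping_command($s) ?? '(refused)');
}
```

Run with `php example.php` (assumed file name): only the real address yields a command, and both probes are refused and flagged. The validation step is what prevents the injection; escapeshellarg() is kept as defence in depth in case the allowed format is ever widened to hostnames.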

This hack is performed with DVWA, which is a practice application; I won't harm any system for this hack, and I'm not responsible for any kind of hack done by you; it's for educational purposes only. B)

I hope you understand my article and enjoy it.

Peace…


Viral Parmar

Cyber security enthusiast, CTF, developer, programmer, web penetration and Linux player...