Premise

In this walkthrough, we review one of the common issues found during web application penetration testing: OS command injection. Insufficient input validation and a lack of character sanitization create this kind of security misconfiguration. We use bWAPP from OWASP to demonstrate it.

Skills Learned

  • bWAPP
  • OWASP
  • Input validation
  • Command Injection

Finding the Weak Spot

I start by looking at a website that has a DNS lookup feature. You type in a website or an IP address, and it gives you the DNS information. Now, any place on a website where you can type something in is a potential target for a command injection attack. I take a look at the website’s code and see that a file called command.php is handling whatever I type into the box. This is where I’ll focus my attack.

Spying on the Request

To understand what’s happening behind the scenes, I use a tool called Burp Suite. This lets me intercept the information being sent from my browser to the server. I can see that when I type a website address into the lookup box, it’s sent to the server as a variable called target.

Injecting the Command

Now for the fun part. I can inject my own commands into the input field by using a semicolon (;). The semicolon tells the server to run my command after it runs the original DNS lookup command. The great thing about using a semicolon is that my command will run even if the first command fails. This is different from using an ampersand (&), which would only run my command if the first one was successful.

Taking Control

First, I show you how to inject a simple ls command. This lists all the files in the current directory on the server, proving that I can run my own commands.

Next, I take it a step further and show you how to get a shell on the server. I set up a listener on my own computer and then inject a Netcat command into the website. This command tells the server to connect back to my computer, giving me a command-line interface to the server.

Once I have the shell, I can run commands to gather information about the system. I use the id command to see what user the web server is running as (in this case, www-data), and the uname -a command to see what version of the operating system it’s running.

How to Protect Yourself

I wrap up by explaining how to prevent these kinds of attacks. The most important thing is input validation. You should never trust user input. Make sure to block special characters like semicolons and slashes in any input fields on your website.
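To make the validation point concrete, here is an added example that is not part of the original post and not bWAPP's own command.php. It contrasts the weak pattern (the form value glued into a shell command string, returned here but never executed) with an allowlist check that accepts only a well-formed hostname or IPv4 address, builds the lookup as an argument vector that no shell parses, and reuses the same check to flag suspicious `target=` values in a few constructed log lines. The lookup binary (`nslookup`) and the log format are assumptions for illustration.

```python
import re
from typing import List, Optional
from urllib.parse import unquote_plus

# Allowlist for the DNS lookup form: a hostname made of RFC 1123 labels,
# or a dotted-quad IPv4 address. Anything else is rejected outright.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

# Denylist of shell metacharacters (plus the slash the post mentions).
# Kept only to show the weaker approach; the allowlist above is what the
# lookup should rely on.
SHELL_METACHARS = set(";|&`$(){}<>\n\r\\'\"/")


def vulnerable_command(target: str) -> str:
    """Mirrors the weak pattern: the raw form value is concatenated into a
    shell command string. Returned, NOT executed, so the effect of a
    metacharacter can be inspected without running anything."""
    return "nslookup " + target  # assumption: nslookup is the lookup binary


def denylist_check(target: str) -> bool:
    """Weaker check: True if no known-bad character is present."""
    return not any(ch in SHELL_METACHARS for ch in target)


def validate_target(target: str) -> bool:
    """Allowlist check: accept only a well-formed hostname or IPv4 address."""
    ip = IPV4_RE.match(target)
    if ip:
        return all(0 <= int(octet) <= 255 for octet in ip.groups())
    return bool(HOSTNAME_RE.match(target))


def safe_lookup_argv(target: str) -> Optional[List[str]]:
    """Return the argv for a lookup that never goes through a shell, or
    None when the input fails validation. Pass this list to
    subprocess.run(argv) with shell=False (the default): no shell parses
    it, so a ';' in the value cannot start a second command."""
    if not validate_target(target):
        return None
    return ["nslookup", target]


# Constructed application log lines (not from the post or bWAPP) in which
# the submitted target parameter is recorded URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 [01/Jan/2024:10:00:00 +0000] POST /command.php target=example.com
10.0.0.7 [01/Jan/2024:10:00:05 +0000] POST /command.php target=example.com%3Bls
10.0.0.9 [01/Jan/2024:10:00:09 +0000] POST /command.php target=8.8.8.8
"""


def flag_suspicious_targets(log_text: str) -> List[str]:
    """Decode each target= value and return those failing the allowlist,
    so the same rule that protects the form also drives detection."""
    flagged = []
    for line in log_text.splitlines():
        match = re.search(r"target=([^\s\"&]+)", line)
        if not match:
            continue
        value = unquote_plus(match.group(1))
        if not validate_target(value):
            flagged.append(value)
    return flagged


if __name__ == "__main__":
    for candidate in ["example.com", "8.8.8.8", "example.com;ls", "-bad.com"]:
        print(f"{candidate!r}: allowlist={validate_target(candidate)} "
              f"denylist={denylist_check(candidate)} argv={safe_lookup_argv(candidate)}")
    print("flagged from log:", flag_suspicious_targets(SAMPLE_LOG))
```

The allowlist is preferred over the denylist because it describes what a DNS target can legitimately look like, so a metacharacter that was forgotten in the denylist is still rejected; and passing an argument vector rather than a string removes the shell from the path entirely, so the separator discussed above has no interpreter to act on.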

Commands I Used

Here are the technical commands I used in the terminal during the demonstration:

  • ls
  • nc -lvp [port number]
  • id
  • uname -a

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
