1
00:00:00,900 --> 00:00:10,350
Sometimes, for some reason, web applications try to perform tasks by executing system-level commands.

2
00:00:11,810 --> 00:00:15,800
So in order to run commands, web applications communicate with the OS.

3
00:00:17,340 --> 00:00:24,450
So if an application doesn't do this properly, this functionality can be exploited.

4
00:00:25,890 --> 00:00:31,470
So OS command injection vulnerabilities occur at this crossroads.

5
00:00:32,590 --> 00:00:39,940
So due to insufficient input validation, a user can inject those commands via a web interface, like

6
00:00:39,940 --> 00:00:41,200
an SQL injection.

7
00:00:42,780 --> 00:00:50,490
And these commands will be executed by the web server OS. Now, depending on the level of privilege that

8
00:00:50,490 --> 00:00:54,070
the web server software has, the result can be devastating.

9
00:00:54,930 --> 00:00:56,160
Let's not fool ourselves.

10
00:00:57,750 --> 00:01:00,570
So open up Kali and log in to bWAPP.

11
00:01:01,610 --> 00:01:03,800
Choose OS Command Injection.

12
00:01:05,580 --> 00:01:09,300
And it's a sample page doing OS-level things.

13
00:01:10,570 --> 00:01:14,950
And it shows the DNS information for the input value.

14
00:01:16,440 --> 00:01:22,890
Now, I would avoid querying the NSA, but you can go ahead and do it.

15
00:01:23,840 --> 00:01:25,610
No, strike that from the record.

16
00:01:27,040 --> 00:01:30,580
OK, so type google.com and look it up.

17
00:01:32,100 --> 00:01:34,080
So something does happen.

18
00:01:34,110 --> 00:01:34,650
What is it?

19
00:01:35,070 --> 00:01:36,210
So let's view the source.

20
00:01:37,540 --> 00:01:39,010
So maybe we've got something here.

21
00:01:40,590 --> 00:01:43,530
Oh, nothing's here either, so go back.

22
00:01:45,170 --> 00:01:46,160
Open your terminal.

23
00:01:47,240 --> 00:01:48,590
Now I'm going to view the code.

24
00:01:51,200 --> 00:01:52,670
So scrolling down.

25
00:01:53,840 --> 00:01:57,860
OK, so based on levels, it looks like there are some security checks.

26
00:01:58,940 --> 00:02:03,840
We can look for check one and check two later, so keep scrolling down.

27
00:02:04,700 --> 00:02:05,990
So here's the main part.

28
00:02:06,830 --> 00:02:15,080
As you can see, the page uses shell_exec, a built-in function, to execute an nslookup command on the

29
00:02:15,080 --> 00:02:16,130
operating system.

30
00:02:17,290 --> 00:02:18,520
So that's all here.

31
00:02:20,000 --> 00:02:22,130
The functions are in this file.

32
00:02:23,980 --> 00:02:27,010
So here are the command injection check functions.

33
00:02:28,830 --> 00:02:32,490
So the first one clears the ampersand and the semicolon.

34
00:02:33,570 --> 00:02:40,860
And the second function calls a built-in function, escapeshellcmd, so this function is used

35
00:02:40,860 --> 00:02:42,480
to escape system commands.

36
00:02:43,410 --> 00:02:45,030
OK, enough with the code.

37
00:02:46,490 --> 00:02:54,860
Now, after the nslookup command comes the target, so in the low level, there's no check.

38
00:02:55,630 --> 00:03:02,240
We can run several OS commands after the target by adding some special characters.

39
00:03:03,490 --> 00:03:10,370
Now, let's delete the NSA address, type google.com and pwd, and then Go.

40
00:03:11,640 --> 00:03:13,440
And we see the bWAPP directory.

41
00:03:15,000 --> 00:03:20,190
Oh, I'm so bored by deleting the NSA each time, but...

42
00:03:21,170 --> 00:03:25,040
I'm just a little paranoid, so let's enable FoxyProxy.

43
00:03:27,480 --> 00:03:30,180
We can choose from autocomplete.

44
00:03:32,190 --> 00:03:32,640
And Go.

45
00:03:34,330 --> 00:03:35,620
Nothing changed here.

46
00:03:36,810 --> 00:03:40,350
So send it to the Repeater and then let it go.

47
00:03:41,990 --> 00:03:43,040
Over to the Repeater now.

48
00:03:44,520 --> 00:03:46,660
Yeah, I think, I think you like this, too.

49
00:03:46,910 --> 00:03:47,650
I know I do.

50
00:03:48,410 --> 00:03:49,450
It's really handy, though, right?

51
00:03:50,560 --> 00:03:54,040
Never mind, so send the first request as it is.

52
00:03:55,030 --> 00:03:58,240
And yeah, so we can get the response.

53
00:03:59,240 --> 00:04:02,870
And then now we can modify it here.

54
00:04:04,390 --> 00:04:05,950
You can do it however you want.

55
00:04:06,910 --> 00:04:08,740
I have a list.

56
00:04:09,930 --> 00:04:16,200
I'm going to share it with you so you can try out many possibilities.

57
00:04:17,710 --> 00:04:20,310
What do I hear you say, where's the password file?

58
00:04:20,730 --> 00:04:21,880
No, I didn't forget it.

59
00:04:24,650 --> 00:04:25,250
It's here.

60
00:04:26,260 --> 00:04:34,120
What I do is actually routine, so I find the vulnerability, then display some important

61
00:04:34,120 --> 00:04:38,860
files, and I try to open a basic reverse shell with netcat.

62
00:04:40,320 --> 00:04:42,660
And I typically do not break my routine.

63
00:04:43,560 --> 00:04:45,420
So I'll type which nc.

64
00:04:46,490 --> 00:04:49,520
And scrolling down, yeah, it's here.

65
00:04:50,820 --> 00:04:54,120
So now I'm going to paste the one-liner netcat shell.

66
00:04:55,110 --> 00:05:00,180
And before sending, let me make netcat listen.

67
00:05:01,440 --> 00:05:04,710
So now netcat listens for incoming connections.

68
00:05:06,210 --> 00:05:08,400
And go to the Repeater again.

69
00:05:09,890 --> 00:05:11,180
Click on the Send button.

70
00:05:13,430 --> 00:05:18,920
Well, I think we got the shell, because there's nothing here on the right pane, so let's open up the

71
00:05:18,920 --> 00:05:19,430
terminal.

72
00:05:20,670 --> 00:05:29,250
And see the shell from bee-box, so you can type some bash commands: id, uname,

73
00:05:29,820 --> 00:05:30,650
whoami.

74
00:05:32,180 --> 00:05:33,140
Just like that.