WebGoat v5.4:
1. Injection Flaws
1.1 Command Injection:
Welcome again to the OWASP WebGoat lessons! After logging in (webgoat:webgoat) we go again to 'Injection Flaws', and this time to 'Command Injection'.
In our browser we should now switch to the Burp proxy (127.0.0.1:8080) so that Burp can intercept and edit our requests/responses. (If we prefer, the Tamper Data add-on from Mozilla.org can be used for this exercise too.)
In the 'Command Injection' lesson you can see that we have to do a little injection into the parameter used for 'reading files' from local storage.
Ok. Now we must set 'Intercept' to 'On' in Burp.
In the screenshot above, the red frame marks the place we will explore. We also see a little 'hint' (also in a red frame), starting with "ExecResults for...".
Now we are able to see how the 'file reading' is done here. We can assume that this 'place' is built like a system() call from PHP; let's say it is something similar to:
(…)
system('cmd.exe /c type "C:\Users\...\lesson_plans\English\BasicAuthentication.html"');
(…)
(The double quote ends the path to the file and the single quote ends the string passed to system(); we must pay attention to this place.)
Now (with 'Intercept = On') we can send our web app (WebGoat) the 'command' to read one of the selected files. Burp will catch this request, and now we should send it to 'Repeater':
The "HelpFile" parameter lets us specify the name of the file to 'read' (by cmd.exe in this case). There is no user-input filtering (in this scenario: on the 'give me the name of the file to read' parameter), so we can add 'other (any) characters'.
So: after the name of the (... .help) file we can add another (and another...) command; remember how the syntax should be built (first red frame).
To make this attack work and add 'our command' to the 'read-file' command, we must URL-encode the payload, because Windows uses "&" to chain commands (like | or ; on *nix/Linux), and web apps use the same sign (&) to separate parameters from each other. If it is sent raw, the server reads it as the start of a new parameter rather than passing it on to cmd.exe. To avoid this confusion we now go to the 'Decoder' tab in Burp. We should do a few steps: "close" the cmd.exe command (read file X) in a way that lets us add another (our) command. Let's use the 'ver' command from Windows.
If our case is:
(…)\lesson_plans\English\AccessControlMatrix.html" ' (remember the " and the ').
Our 'payload' should go "somewhere" between the " and the ' sign.
Ok, in Decoder (Burp) let's try: " & ver
and (on the right side of the window) select 'Encode as' and choose the 'URL-encode' method (to change the characters into their equivalents in the URL-encoding scheme).
The vulnerability in this lesson works like this: we can add another command (and another one, which may even fail, just to finish the statement; you will see below). I added a few commands because, in case WebGoat 'misses the last command', I want to run 'more' commands even if the last one does not work. That won't matter: the vuln is exploited at that point.
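To make the two points above concrete (why the payload has to open with a quote, and why it has to be URL-encoded before it goes into the HelpFile parameter), here is an added Python example; it is not code from the original post or from WebGoat. It assumes a hypothetical help directory C:\webgoat\lesson_plans\English (the real path is truncated on the page), models cmd.exe's handling of a single "&" in a simplified way (no &&, || or |), and shows a hardened version beside the vulnerable construction.

```python
import re
import urllib.parse

# Hypothetical help-file directory; the page truncates the real WebGoat path.
HELP_DIR = r"C:\webgoat\lesson_plans\English"


def build_vulnerable_command(help_file):
    """Mirror the construction the lesson hints at: the HelpFile parameter is
    pasted straight into a cmd.exe command line with no filtering."""
    return 'cmd.exe /c type "' + HELP_DIR + '\\' + help_file + '"'


def split_cmd_chain(command_line):
    """Split a cmd.exe command line on '&' the way cmd.exe does: a '&' inside
    double quotes is part of the argument, a '&' outside them separates
    commands. (Simplified model: '&&', '||' and '|' are not handled.)"""
    commands, current, in_quotes = [], [], False
    for ch in command_line:
        if ch == '"':
            in_quotes = not in_quotes
            current.append(ch)
        elif ch == '&' and not in_quotes:
            commands.append(''.join(current).strip())
            current = []
        else:
            current.append(ch)
    commands.append(''.join(current).strip())
    return commands


def commands_seen_by_cmd(command_line):
    """Everything after 'cmd.exe /c ', split into the separate commands that
    cmd.exe will run one after another."""
    prefix = 'cmd.exe /c '
    if not command_line.startswith(prefix):
        raise ValueError('not a cmd.exe /c command line')
    return split_cmd_chain(command_line[len(prefix):])


def url_encode_payload(payload):
    """URL-encode the payload so the '&' reaches cmd.exe instead of being read
    by the web server as a parameter separator (safe='' encodes '/' too)."""
    return urllib.parse.quote(payload, safe='')


# Hardened side: a strict allow-pattern on the name, and the file is read with
# ordinary file I/O instead of being handed to cmd.exe at all.
SAFE_HELP_NAME = re.compile(r'[A-Za-z0-9_]+\.html')


def is_safe_help_name(help_file):
    """True only for a bare file name: letters, digits, underscore, '.html'.
    Quotes, '&', spaces, path separators and '..' all fail the pattern."""
    return SAFE_HELP_NAME.fullmatch(help_file) is not None


def resolve_help_file(help_file):
    """Return the path to read with open() (never via a shell), or raise."""
    if not is_safe_help_name(help_file):
        raise ValueError('refusing help file name: %r' % help_file)
    return HELP_DIR + '\\' + help_file


if __name__ == '__main__':
    legit = 'AccessControlMatrix.html'
    injected = legit + '" & ver'   # the page's payload, decoded
    print(commands_seen_by_cmd(build_vulnerable_command(legit)))
    print(commands_seen_by_cmd(build_vulnerable_command(injected)))
    print(commands_seen_by_cmd(build_vulnerable_command(legit + ' & ver')))
    print(url_encode_payload('" & ver'))
    print(is_safe_help_name(legit), is_safe_help_name(injected))
```

Running it shows three things: with the quote in front, cmd.exe sees two commands (the type command and a trailing ver" with the dangling quote the author mentions); without the leading quote the whole "& ver" stays inside the quoted path and nothing extra runs; and the encoded form of the payload is %22%20%26%20ver, which is what gets pasted into the HelpFile parameter in Repeater. The hardened version simply refuses any name that is not a plain .html file name and never builds a shell command line.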
Now switch to the 'Repeater' tab in Burp and paste our URL-encoded value into the 'HelpFile' filename:
Click 'Go' to watch the response in the window below.
Ok. Now click 'show response in browser' to see this response (the page source) in the browser.
Looks like we have already exploited the RCE vulnerability. :)
Congrats! ;)
And remember to use your knowledge only in legal projects ;)
Cheers o/