1. Injection Flaws
1.1 Command Injection:
Welcome again in OWASP WebGoat lessons! After log in (webgoat:webgoat) we will go again to ‘Injection Flaws’ and this time to ‘Command Injection’.
In our browser, we should switch now to Burp proxy (127.0.0.1:8080) to prepare our requests/responses for Burp to edit. (If we can – we can use for this excersise Data Tamper too – you will find it at Mozilla.org.)
While you’re in ‘Command Injection’ lesson, you can see that we must do here a little injection in parameter made for ‘reading files’ from local storage.
Ok. Now we must set ‘Intercept’ to ‘On’ in our Burp.
In the screen above, in red frame we have selected place which we will explore. Also we see a little ‘hint’ (selected by red frame too – starting from „ExecResults for…”.
Now we’re able to see how ‘file reading’ is done here. We can assume that this ‘place’ is created like a system() command fromPHP, let’s say, it’s something similar to:
system(‘cmd.exe /c type „C:\Users\...\lesson_plans\English\BasicAuthentication.html”’);
(Quotation mark and apostrophes ends path to file, we must pay attention to this place.)
Now (with ‘Intercept = On’) we can send to our webapp (WebGoat) ‘command’ to read one of selected file. Burp will catch this request, and now we should send it to ‘Repeater’:
Parameter „HelpFile” allows us to specify a file name to ‘read’ (by cmd.exe in this case). No user-input filtering (in this scenario: in ‘give me name of file to read’ parameter) allows to add ‘other (any) characters’.
So: after a name (of … .help) file, we can add another (and another…) command – remember how syntax should be builded (first red-frame).
To successfully make this attack and add ‘our command’ to command ‘read-file’ we must use URL-encoding because Windows is using “&” to connect commands (like | or ; in *nix/Linux).
Webapps use this sign (&) to separate from each other parameters. To avoid confusion here, we will now go to ‘Decoder’ cart in Burp. We should do few steps: “close” cmd.exe (read file X) in way, when we can add another (our) command. Let’s use ‘ver’ command from Windows.
If our case is:
(…)\lesson_plans\English\AccessControlMatrix.html" ' (remember about „ and ‘ ).
Our ‘payload’ should be “somewhere” between „ and ‘ sign.
Ok, in Decoder (Burp) let’s try: ” & ver
and (on the right side of the window, select now ) ‘Encode as’ and choose ‘URL-encode’ method (to change alphabetic to equivalent in URL-encoding schema.
Vulnerability in this lesson, works like this: we can add another command (and another one – could be wrong – to finisz the statement; you will se below). I added few commands because in case that WebGoat will ‘miss the last command’ – I want to do ‘more’ commands, even if last one will not work. It won’t be important, vuln is right now exploited).
Now switch to ‘Repeater’ cart in Burp, and in a ‘HelpFile’ filename, let’s paste our URL-encoded value:
Click ‘Go’ to watch the response in window below.
Ok. Now click ‘show response in browser’ to see this (source code) response in browser.
Looks like that we already exploited RCE vulnerability. :)
And remember to use your knowledge only in legal projects ;)