The Art of 0-Day Vulnerabilities, Part 3: Command Injection and CSRF Vulnerabilities

Nov 18, 2015 08:48 PM

INTRODUCTION

Hello dear null_byters, here we go again with the third part of this series.

In this third part I'd like to continue the demonstration on fuzzing, but I think I should leave that for later, because the next fuzzing tutorials will require some basic knowledge of assembly and of how things work in memory. So for now I will treat you to the famous RCE and CSRF.

REQUIREMENTS:

A basic understanding of Apache, MySQL, Linux commands and HTML, because I won't go very deep into the code and terms I use for those technologies.

RCE -- Remote Code Execution

CSRF -- Cross-Site Request Forgery

I bet you already know these types of vulnerabilities, or at least have heard of them. They are very popular, and a successful RCE (one of my favorites) can let us take control of the server. So today we are going to learn how to find a 0-day RCE and CSRF and exploit them using DVWA, which you will need to install on your machine.

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

In case you already have DVWA on your machine, just scroll down to Part 2 of this tutorial.

PART 1 INSTALLING DVWA

So fire up your Kali Linux, open your favorite browser and download it from www.dvwa.co.uk

Now navigate to the folder you downloaded the file to and unzip it.

After unzipping (if I can say that word, lol) we can run a listing to check that the file was successfully unzipped; the DVWA folder should now be there.

CHANGING AND MOVING THE FOLDER

Instead of keeping the default folder name, I will rename the folder to "null_byte" because for me it's more convenient.

OK, now we have our DVWA folder named null_byte. The tutorial is already long, so please google the commands I won't explain (mv, ls and all those basic commands).

We now have our null_byte folder with the contents of DVWA. What we are going to do next is move it to our document root folder (the folder where our vulnerable website will live). In Kali Linux 2.0 you can find it under /var/www/

we can then run the following command:

mv null_byte /var/www

When we list it we can see that our folder is now in our document root folder.

Giving Permissions

Now we need to set permissions on this folder so that the web server can read and execute the files inside it.

chmod -R 755 null_byte

DATABASE

Now that we have our DVWA in the right folder, it's time to set our user and password for MySQL. Just run the following commands:

service mysql start

mysql -u root -p

For those who don't know, "-u" stands for user (we set it to "root") and "-p" for password. As you can see we leave it blank by just hitting Enter when asked for the password; in case you have a password set, type it there.

Creating the database

Now we have to create the database for our DVWA. Inside the MySQL prompt just run the create database command (go and read about MySQL commands if you don't know them):

create database nullbyte;

Then we can run the show command to see our database:

show databases;

The output lists nullbyte among the databases, confirming that it was created successfully.

For now you can exit with the exit command.

EDITING THE CONFIG FILE

Now we have to set up the configuration with the right user, password and server address so that our DVWA can run correctly. Open the DVWA folder and look for a file called "config.inc.php" (it lives in the config folder) and open it with your favorite text editor; I will be using leafpad. From inside the config folder, just run:

leafpad config.inc.php

Edit db_server to localhost or 127.0.0.1, the database name to nullbyte (the database we created above) and the password to blank, then save and close it.

Just to confirm everything will work fine, make sure your document root is /var/www/

In case it's /var/www/html/, you can either delete the "html" part and leave it as /var/www/, or simply move our folder to /var/www/html


STARTING APACHE AND MYSQL

Now let's start our Apache server, which will host our website, and MySQL:

service apache2 start

service mysql start


SETTING THE CURL

If you don't know it, cURL is a software project providing a library and command-line tool for transferring data using various protocols. Here we will use curl to set up our DVWA.

TESTING OUR DVWA

Using Firefox, I will then test our DVWA.

DVWA is now running, so let's exploit it. Log in with the credentials:

username:admin

password:password


PART 2 RCE AND CSRF VULNERABILITIES

If you followed every step correctly, you should be greeted by the welcome page.

The first thing we should check is our security level; to begin with we will set it to low.

From the left sidebar click on DVWA Security, set it to "low" and click Submit.

COMMAND EXECUTION VULNERABILITY

Command injection describes an attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process.

Now go back to the sidebar and click on Command Injection. There is a form where you can ping an IP; let's try pinging bingo.com.

Good, so far everything works fine. But what if, instead of just the IP, we give it a command?

Wow! We can execute commands on the server through a text field that was supposed to receive only IPs. As we can see, our "ls" worked perfectly; now let's try others.

As you can see, we are able to execute commands through the text field, and we could then build an exploit to make our lives easier. So how did it happen? If you scroll down, in the bottom right corner you will see two buttons, one of which lets you view the source code.

As the source shows, they passed the input to shell_exec without checking it: they didn't even check that the input is numeric, nor split the IP into its 4 octets, so we can input anything, which results in our favorite brother, aka RCE. This kind of 0-day is flagged as critical, which means if you find it in a big company you get gold in your account. Go and try more commands by yourself.
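To show what the missing check looks like in practice, here is an added example (not DVWA's own code): the same ping handler in its vulnerable form and in a hardened form that validates the field as an IP literal and quotes the single argument before anything reaches the shell. The function names are my own.

```php
<?php
// Added example, not DVWA's code. The "low" handler passes the field
// straight to shell_exec; the hardened version rejects anything that is
// not a literal IPv4/IPv6 address before a shell is ever spawned.

// Vulnerable pattern: whatever is typed, separators included, reaches sh.
function ping_vulnerable(string $target): string
{
    return (string) shell_exec('ping -c 3 ' . $target);
}

// Returns the address unchanged if it is a valid IP literal, otherwise null.
// filter_var() only accepts the whole string as an address, so "8.8.8.8; ls",
// "8.8.8.8 && id" and the hostname "bingo.com" are all rejected.
function validate_ip(string $target): ?string
{
    $target = trim($target);
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return $target;
}

// Hardened handler: validate first, then quote the argument anyway so that
// even a future loosening of the validation cannot break out of the command.
function ping_hardened(string $target): string
{
    $ip = validate_ip($target);
    if ($ip === null) {
        return 'Invalid IP address';
    }
    return (string) shell_exec('ping -c 3 ' . escapeshellarg($ip));
}

// Self-check on constructed inputs (no network needed for the rejections).
$checks = [
    '127.0.0.1'      => '127.0.0.1',
    '::1'            => '::1',
    '127.0.0.1; ls'  => null,
    '127.0.0.1 | id' => null,
    'bingo.com'      => null,
];
foreach ($checks as $input => $expected) {
    $ok = validate_ip($input) === $expected ? 'ok' : 'FAIL';
    echo str_pad($ok, 5), var_export($input, true), PHP_EOL;
}
```

The "medium" and "high" DVWA levels try blacklisting separators instead; allow-listing the exact format you expect, as above, is the approach that holds up.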

CSRF VULNERABILITY

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has in a particular site, CSRF exploits the trust that a site has in a user's browser.

The Internet has a lot of websites vulnerable to it, and it's a good path to the gold too, so let's explore it. Go to the sidebar again and this time click on CSRF. You will see a simple form that allows you to change the admin password; change your admin password to something new. I've changed mine to: 1234

Now right-click anywhere in the form, choose View Source, and copy the code of the form into a text editor.

Next to name="password_new" and name="password_conf" add value="hacked", so the code should now look like this:

name="password_new" value="hacked"

name="password_conf" value="hacked"

Now for the action we have to specify the address or path of our vulnerable form, which in my case is 127.0.0.1/null_byte/vulnerabilities/csrf/?

Save the resulting page as exploit.html and open it in the browser where you are logged in to DVWA.

When it runs, the admin password is changed for us.

Now you can log in with your new password "hacked" ...
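The forged page works because the password-change form has nothing in it that an attacker's page cannot reproduce. As an added example (not DVWA's own code, function names are mine), here is the standard fix: a per-session synchronizer token that exploit.html cannot know, checked in constant time before the password is touched.

```php
<?php
// Added example, not DVWA's code: CSRF protection for the password form.
// A page on another origin cannot read this session's token, so a forged
// submission arrives without it (or with a guess) and is refused.
session_start();

// Mint one random token per session and reuse it for every form render.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit, CSPRNG
    }
    return $_SESSION['csrf_token'];
}

// True only for the token minted by this session; hash_equals() avoids
// leaking how many leading bytes of a guess were right via timing.
function csrf_check(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('CSRF token missing or invalid');
    }
    // Only now read password_new / password_conf and update the account;
    // the page's own password-change logic goes here.
}
?>
<!-- POST instead of the GET form used at the low level, so the change
     cannot be triggered by simply loading a URL. -->
<form method="post" action="/null_byte/vulnerabilities/csrf/">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
  New password: <input type="password" name="password_new">
  Confirm: <input type="password" name="password_conf">
  <input type="submit" value="Change">
</form>
```

Requiring the current password on the change form adds a second hurdle that a forged page cannot clear either.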

That's all for today. Now that you have the basics, download a CMS like the latest version of WordPress, Drupal or Joomla and try these techniques; if you are lucky enough you will get gold. Or you can just use some Google dorks to find websites using forms and shell_exec, try them and get the gold. See you soon, and leave your comments below if you got stuck somewhere or want to correct me.

Hacked by Mr__Nakup3nda
