A close variant of operating system command injection is the web shell, a maliciously crafted page that, once uploaded to a web server, gives the attacker a command shell through a webpage. Web shells exist for every file format a web server can execute, such as PHP, ASP, ASPX, and all the other prominent web programming languages. A web shell requires that the hacker be able to upload the file to the web server and then browse to its location. If the web server configuration is vulnerable to this, the web shell gives the hacker the exact functionality of an operating system command injection vulnerability. Realize, too, that the web server must be able to render (execute) the uploaded file for this attack to work. For example, Apache web servers can’t render .ASPX webpages, so make sure you’re uploading the correct file format for this attack.
For DVWA, you can download a PHP web shell from http://sourceforge.net/projects/ajaxshell/ and save it into your root directory as Shell_v0_7_prefinal_.zip. Simply unzip the folder by using the right-click menu and the .php file is ready for use. Obviously, you would want to change the filename of this PHP file to be less obvious of its intent in a real hack. To facilitate this attack, we will be using the Upload exercise in DVWA that allows you to upload any file to the DVWA web server as shown in Figure 4.17.
FIGURE 4.17
Successfully uploading the web shell to the web server is the main requirement of this attack, but you still must be able to browse to this newly uploaded page, and it’s not always obvious where the application stores uploaded files on the web server. Upon successful completion of the file upload, the web application provided the following confirmation of the file location: ../../hackable/uploads/Shell_v0_7.php successfully uploaded! However, the web application may not always provide details of the exact location on the web server where the uploaded files now reside. You can use the find / -name Shell_v0_7.php command in a terminal to find all the directories in which the web shell resides, as shown in Figure 4.18.
This search reveals that the web shell file is located in three different places on the machine: in the root directory where we originally downloaded it, in the /var/www/hackable/uploads directory on the web server, and in a temp directory. Realize that you would need to run the find command via an operating system command injection attack to have it reveal where on the web server the uploaded file resides. We can be assured DVWA is running in the www directory, so we now know that http://127.0.0.1/hackable/uploads/Shell_v0_7.php is the exact URL that we need to browse to for access to the uploaded web shell.
Other functionality of the web application can also provide hints as to where your uploaded files are stored. For example, if you’re allowed to upload an avatar, you could then check to see where that image is being served from. You could then upload a .php file and try to access that file as it should be in the same directory as your avatar image.
Once you browse to that location, you can log in to the web shell with the password “password” when prompted. This web shell includes several commonly used commands that you can run with the buttons on the upper left side of the screen. Figure 4.19 shows the output of the shellhelp command when the Readme button is clicked.
All commands that you request in this webpage are sent to the web server for system execution and the results are rendered directly in this webpage! Another example of the quick commands is to click the open ports button to have the netstat -an | grep -i listen command executed on the web server, as shown in Figure 4.20, to list all active listening connections on the machine.
You can provide your own commands when you click the Execute command link at the top of the screen, and a running history will be kept in the Command history window. This command history is read from the bottom up, so the most recent command will be at the top of the list. Figure 4.21 shows separate commands to make a goats directory and a bah.txt file within that directory, all via this web shell!
FIGURE 4.18 Finding the web shell file on the web server.
Operating system command injections and web shells are very powerful for hackers because they allow system commands to be executed via a web page. The malicious requests to these pages will not look any different from benign web requests, so they are difficult to detect. There is also an ongoing game of cat and mouse between security professionals and hackers over how upload functionality in web applications can be circumvented to allow web shells to be uploaded and accessed on the web server.
You can even get a primitive command shell on systems that you can’t exploit with this uploaded web shell by piggybacking onto an SQL injection vulnerability with input such as:
Rel1k' UNION SELECT '<?php system($_REQUEST["cmd"]); ?>',null INTO OUTFILE '/var/www/hackable/uploads/cmd.php'#
FIGURE 4.19
You can then interact with this web shell (executing the ls command in this example) by requesting the following URL: http://127.0.0.1/hackable/uploads/cmd.php?cmd=ls. You can now execute any operating system command by changing the value of the cmd URL parameter!
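The text says these requests look like any other web request, but both the uploaded shell and the SQL-injection-written cmd.php leave a footprint a defender can look for: a script being served from a directory that should hold only static uploads, a command-style query parameter such as cmd=, and an INTO OUTFILE statement in the database query log. The Python detector below is an added example written for this discussion, not code from the book or from DVWA; the log lines are constructed to mirror the sequence in the text (the upload, the shell being opened, cmd.php being used), and the parameter-name and binary-name lists are assumptions you would tune for your own application.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache "combined" log format: client ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Directories that should only ever serve static content. /hackable/uploads/ is
# DVWA's upload location from the text; add your own application's paths here.
UPLOAD_DIRS = ("/hackable/uploads/",)
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar|asp|aspx|jsp|cgi)$", re.IGNORECASE)

# Parameter names typically used by minimal web shells (cmd.php?cmd=...), and
# shell metacharacters or common binaries appearing inside parameter values (assumed lists).
SHELL_PARAMS = {"cmd", "command", "exec", "run"}
SHELL_META_RE = re.compile(r"[;|&`$]|\b(?:cat|ls|id|whoami|netstat|wget|curl|bash|sh)\b")

# MySQL statements that write files; in a query log these are the footprint of
# the INTO OUTFILE trick used to drop cmd.php.
OUTFILE_RE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.IGNORECASE)


def analyze_request(line):
    """Parse one access-log line and return a dict with a list of findings
    (empty when the request looks benign), or None if the line doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path = unquote(url.path)
    findings = []
    if any(d in path for d in UPLOAD_DIRS) and SCRIPT_EXT_RE.search(path):
        findings.append("script requested from upload directory")
    for name, values in parse_qs(url.query).items():
        if name.lower() in SHELL_PARAMS:
            findings.append("command-style parameter '%s'" % name)
        elif any(SHELL_META_RE.search(v) for v in values):
            findings.append("shell metacharacters in parameter '%s'" % name)
    return {"ip": m.group("ip"), "method": m.group("method"), "path": path,
            "status": int(m.group("status")), "findings": findings}


def scan_access_log(text):
    """Return only the parsed entries that produced at least one finding."""
    hits = []
    for line in text.splitlines():
        entry = analyze_request(line)
        if entry and entry["findings"]:
            hits.append(entry)
    return hits


def sql_writes_file(statement):
    """True if a logged SQL statement would write to the filesystem."""
    return bool(OUTFILE_RE.search(statement))


# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "POST /vulnerabilities/upload/ HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2023:13:55:40 +0000] "GET /hackable/uploads/Shell_v0_7.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2023:13:56:02 +0000] "GET /hackable/uploads/cmd.php?cmd=ls HTTP/1.1" 200 311 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2023:13:56:10 +0000] "GET /hackable/uploads/avatar42.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2023:13:56:30 +0000] "GET /index.php?page=2 HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["path"], "->", "; ".join(hit["findings"]))
```

Running it flags only the two requests for .php files under the upload directory, with the cmd.php request additionally flagged for its cmd parameter; the upload POST, the avatar image and the ordinary page request pass. On the database side, the same OUTFILE pattern is worth alerting on, and MySQL’s secure_file_priv setting (a directory outside the web root, or NULL to disable file export altogether) removes the INTO OUTFILE write path that the injection above relies on.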
FIGURE 4.20
FIGURE 4.21 Executing custom commands on the DVWA web server via the web shell.
with Broken Authentication and Path Traversal
INTRODUCTION
Authentication allows us to sign in to a web application so we have a personalized browsing experience, while session management keeps track of the requests and responses so we can perform multistep actions such as shopping and bill paying. They are really two peas in a pod. Neither authentication nor session management was considered when the HTTP protocol was invented, as it is a stateless protocol, so bolting these two features on as the Internet has matured has proved to be a very difficult problem.
Unfortunately, authentication and session management are fraught with vulnerabilities in many web applications. The tools and techniques used to exploit each differ slightly, but because of the close relationship between authentication and session management, it makes perfect sense to investigate them together.
Path traversal attacks occur when hackers are allowed to traipse through the directory structure of the web server. This is most common when web applications allow upload functionality and the user (attacker) crafts a malicious input value that is processed by the web application and grants access to sensitive directories on the web server.
We will look at the directories that are often under attack in both Windows and Linux environments and how these attacks actually take place!
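Whatever directories are being targeted, the defensive principle is the same: canonicalize the path the user supplied and confirm it still lies under the one directory the application is allowed to serve from, rather than trying to pattern-match every spelling of “../”. The Python function below is an added example written for this introduction, not code from the book; the root directory /srv/app/public_files is an assumption, and the inputs in the usage section are constructed to cover the plain, URL-encoded, backslash (Windows-style), absolute and null-byte variants in one check.

```python
import os
import re
from urllib.parse import unquote

# Hypothetical directory the application is allowed to serve files from (assumption).
SAFE_ROOT = "/srv/app/public_files"

DRIVE_RE = re.compile(r"^[A-Za-z]:")  # Windows drive prefix such as C:


def resolve_under_root(root, user_path):
    """Return the absolute on-disk path for user_path if it stays inside root,
    otherwise None. The decision is made on the canonical path, so encoded,
    mixed-separator and 'dir/../../' forms are all handled by the same test."""
    candidate = unquote(user_path).replace("\\", "/")  # treat both separators alike
    if not candidate or "\x00" in candidate:
        return None  # empty name, or a null byte that would truncate the path in C-based runtimes
    if candidate.startswith("/") or DRIVE_RE.match(candidate):
        return None  # an absolute path is never acceptable where a relative file name is expected
    root_real = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root_real, candidate))
    # commonpath collapses to a parent (or "/") as soon as the candidate escapes root.
    if os.path.commonpath([root_real, full]) != root_real:
        return None
    return full


if __name__ == "__main__":
    # Constructed inputs: two legitimate names and several traversal spellings.
    for p in ["reports/q1.pdf", "reports/../q1.pdf", "../../../etc/passwd",
              "..%2F..%2F..%2Fetc%2Fpasswd", "..\\..\\..\\boot.ini",
              "/etc/passwd", "q1.pdf%00.png"]:
        print(repr(p), "->", resolve_under_root(SAFE_ROOT, p))
```

The function returns a usable path for the two legitimate names (the second collapses to q1.pdf directly under the root) and None for every escape attempt. Call it before opening anything, and have the caller treat None as a hard error rather than falling back to the raw input.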