Welcome back everybody and let us start off with the command injection.
If you find anything helpful or funny in this post, will you please leave a like? You will feel great helping other people find it.
Now, in the previous video I told you a little bit about command injection, but let us actually get to the practical side of using that attack.
So, command injection. As I said, some web applications call out to programs of their own operating system to do part of their job, for example running ping against a host that the user types in.
Now, usually the injected command runs on the same server that serves the page, because that is where the web application spawns the shell. But depending on the architecture, the front end may hand that work to another machine, and then the injected command runs on that back-end host instead.
Now, what I mean by that is, let us take the same example as before, which is pinging a machine. You go to a website that pings a machine for you. Let me actually try to find such a website.
So I will turn Burp Suite on.
I will open another terminal, and let us try to find a legitimate website that pings another machine or another website.
I believe there are lots of them online, so we will just find one of them.
Okay, let us turn the intercept off, and once intercept is off let us go to Firefox.
So let us search for a simple pinging website. Maybe that will work, maybe it won't; I just want to show that those websites do exist. Now, Firefox is a little bit slow because all of its traffic is going through the Burp Suite proxy.
So let us just wait for it for a few seconds.
‘Free Ping Test Tool: Ping your server or website’.
So we just click on the first link and let us see what kind of website this is. As we can see, here is the field for the web server name.
So this is the type of website I was talking about. You put your web server name here and it will ping your server in order to check whether it is online or not.
Now, what I was talking about is this: if this website were vulnerable to command injection, we could run any command that we can run in our own terminal right here, and the server would execute it in its own shell. And if the server hands the ping off to another machine, the command we inject would be executed on that other machine as well.
So let us start with a website that we are actually allowed to test. You should not test any website you do not own or do not have permission to test. And even if it were allowed, this one is the first result and probably one of the most popular ones, so I doubt it is vulnerable to command injection. We will instead use a website that is deliberately vulnerable to command injection.
We need to go visit our virtual machine which is our OWASP machine. Let me just check the IP address of it. It should be .1.6 and let us go to 192.168.1.6.
Now, once you are here, what you want to do is go to the ‘Damn Vulnerable Web Application.’
I believe we didn't go here before. So just click on this. It will ask you for a username and password.
Now, you can just type the username and password here, which is admin admin. But let us actually practise one of the attacks that we covered before, and one of those attacks is brute forcing a login form with Hydra.
So let us actually brute force this login page. It is good practice as we did cover this before. So what we want to do is open our terminal and we’ll do it fast.
I won’t cover any of the syntax since I covered it in previous videos. You can check that out if you want to.
What we basically want to do is type 'hydra', and the syntax is similar to the previous videos. We type the IP address, and since we are posting a form the module is http-post-form (the video spells it http-form-post).
Now, before I complete this actually, let me just show you I do have the same files as before which is the users.txt and passwords.txt. So we’ll use the same lists as in the previous videos.
So let us start again. We type the IP address here, then the module, http-post-form, and then we specify the form's path.
Now, in order to find the path, let us go right here, and we can see that the path is /dvwa/login.php.
So let us copy that and paste it right here in our syntax.
Once we do that, we want to specify the username field, the password field and the 'Login' submit button, and then a string that the page returns for every incorrect login.
Now, in order for us to see what string it would give let us just type here something random and see what it gives us as an error.
So it gives us 'Login failed'.
We will use this string so Hydra can tell incorrect login attempts from the correct one: any response that contains it is a failure.
So now what we want to do is inspect element. So let us inspect the element in order to find out the name of the username and the name of the password login form.
Now, what I mean by that, let me just show you. As we can see, the form is 'form action=login.php method=post'. We click the arrow down, then fieldset, and here we can see a label for the username field. The name of this field is 'username', which is very often going to be something like that, or 'user', or similar.
In the Hydra argument a colon separates the page path from the POST body, and inside the body the fields are joined with &. So after the path we type a colon and then username=^USER^, followed by &.
Then we want to see what the name of the password field is, which is probably going to be 'password'.
The name of the password field is indeed 'password', so we specify password=^PASS^ right here, and then we want to add the login button, which is named 'Login' as we can see right here.
The button is an input of type submit whose name is 'Login', so we add Login=Submit. DVWA's login.php only checks that the 'Login' parameter is present, so the value itself does not matter; what matters is that the parameter is sent at all, otherwise the login code never runs.
So let us type Login=Submit, then another colon to divide the sections, and then the string that we get back when we provide a wrong username and password, which is 'Login failed'.
So let us copy that string and paste it right here, close our quote, and then specify the list of usernames and the list of passwords: capital L users.txt and capital P passwords.txt. The whole command therefore reads: hydra -L users.txt -P passwords.txt 192.168.1.6 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Submit:Login failed". Let this run.
It should find the password and username which is admin admin.
And as we can see, it finished and found one valid username and one valid password.
Now, if you wanted to, you could just type admin admin here and skip this part.
It is always good practice to reuse something that you learned in the previous videos.
And once we are here, what we want to do is we want to go to the command execution part.
So click on 'Command Execution' and you will see a page similar to the one we visited before, the 'Ping for FREE' form. As it says, you just type an IP address here and it will ping it.
Now, we can try it. Let us ping my router, since it is online of course; I wouldn't be able to access the internet if it weren't. And we can see the ping results.
So it sent three echo requests (the form runs ping with a count of three) and we can see that three replies were received. So that's good.
But let's say you suspect this form might be vulnerable to command execution, and you try a simple test: 192.168.1.1, our router's IP address, followed by a semicolon, which in the shell ends the first command and starts a second one, and then, for example, whoami.
We did cover this command. If the form is vulnerable, whoami prints the account the web server process runs as. So we submit that, and we can see that it executed the ping and also printed the name of the account the command ran under. That tells us this server is vulnerable to command injection.
We were able to execute a command on the server other than the ping command.
Later I will show you how to actually exploit this. For now we only ran a simple command in order to find out whether it's vulnerable or not. Note that the semicolon is just the simplest separator; && , | and a newline work the same way in /bin/sh, while || only runs the second command if the ping fails.
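To make the vulnerability concrete, here is an added example written for this post (not DVWA's own source and not code from the video). It reproduces the shape of the vulnerable ping form, pasting user input into a shell command string, next to a hardened version that validates the input as an IP address and never invokes a shell. The real ping binary is replaced by echo so the example runs offline; the separator list, the canary string and the probe function are my own constructions, chosen to show which separators actually fire when the first command succeeds.

```python
"""Command injection in a DVWA-style ping form: vulnerable vs. hardened.

'echo' stands in for the ping binary so this runs without a network.
Illustrative code written for this page, not DVWA's own implementation.
"""
import ipaddress
import subprocess

# Separators an attacker can use to chain a second command in /bin/sh.
# The video uses ';'. '||' is included to show that it only fires when
# the first command fails, which a successful ping does not.
SEPARATORS = [";", "&&", "||", "|", "\n", "$(", "`"]


def vulnerable_ping(target: str) -> str:
    """Mimics shell_exec('ping -c 3 ' . $target): the user's input is
    concatenated into a command line that a shell then parses."""
    cmd = "echo ping -c 3 " + target
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def safe_ping(target: str) -> str:
    """Hardened form: reject anything that is not an IP address, then pass
    the value as its own argv element so no shell ever sees it."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        raise ValueError(f"not an IP address: {target!r}")
    result = subprocess.run(["echo", "ping", "-c", "3", str(addr)],
                            capture_output=True, text=True)
    return result.stdout


def probe(run, target: str = "192.168.1.1") -> dict:
    """Try every separator with an 'echo CANARY' payload against `run`
    and report which separators caused the canary to be executed."""
    canary = "CANARY_7f3a"   # constructed marker; ping could never print it
    results = {}
    for sep in SEPARATORS:
        if sep == "$(":
            payload = f"{target} $(echo {canary})"
        elif sep == "`":
            payload = f"{target} `echo {canary}`"
        else:
            payload = f"{target}{sep} echo {canary}"
        try:
            out = run(payload)
        except ValueError:
            out = ""            # hardened version rejected the input
        results[sep] = canary in out
    return results


if __name__ == "__main__":
    print(vulnerable_ping("192.168.1.1; whoami"), end="")
    print("vulnerable:", probe(vulnerable_ping))
    print("hardened:  ", probe(safe_ping))
```

Run it and the vulnerable version prints the simulated ping line followed by the output of whoami, exactly the behaviour seen in the DVWA form, while the hardened version raises on every payload. The probe result for '||' is False against the vulnerable function: that separator is a poor first test when the ping itself succeeds, so a negative result with '||' alone does not mean the form is safe.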
In the next video I will show you how to exploit this and make that server connect to our own machine.
So that’s about it for this lecture. We will continue in the next one and I hope I see you there.
Final Words from Jerry Banfield.
When you'd like more free tutorials and want to see the latest of everything I'm making to help you online, I trust you'll go to jerrybanfield.com and follow me on Facebook, YouTube and Twitter, where you can see all of the free tutorials, previews and courses.
Thank you for already getting through the first two lectures of it plus all of my sales pitches.
I’m honored you’re here. I hope you love this video.
Where to follow Jerry Banfield
Wow. While I'm asking you to do all these things, I might as well just keep asking and see how many of you will go for it, right?
So let me ask you now: will you please follow me on Twitter? I think you'll love getting to see everything in one place.
On jerrybanfield.com I've got tons of blog posts, books and YouTube videos, and you can see all of those. Gaming, everything will be right in your Twitter feed, so when you follow me there's going to be so much stuff you will hardly be able to see anything else.