{ Command Execution Basic Testing }
Section 0. Background Information |
- What is Damn Vulnerable Web App (DVWA)?
- Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
- Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
- Pre-Requisite Lab
- Damn Vulnerable Web App (DVWA): Lesson 1: How to Install DVWA in Fedora 14 (or run the DVWA virtual machine provided by the instructor)
- Lab Notes
- In this lab we will do the following:
- We will test Command Execution where Security is set to low
- We will demonstrate how other linux/unix commands can be appended to an IP Address for execution.
- We will explore the code that allows for malicious use.
- Legal Disclaimer: This lab is intended only for educational purposes and security research.
Section 1. Configure Fedora14 Virtual Machine Settings |
- Open Your VMware Player
- Instructions:
- On Your Host Computer, Go To
- Start --> All Program --> VMWare --> VMWare Player
- Edit BackTrack Virtual Machine Settings
- Instructions:
- Highlight fedora14
- Click Edit virtual machine settings
- Edit Network Adapter
- Instructions:
- Highlight Network Adapter
- Select Bridged
- Click on the OK Button.
Section 2. Login to Fedora14 |
- Start Fedora14 VM Instance
- Instructions:
- Start Up VMWare Player
- Select Fedora14
- Play virtual machine
- Login to Fedora14
- Instructions:
- Login: student
- Password: <whatever you set it to>.
Section 3. Open Console Terminal and Retrieve IP Address |
- Start a Terminal Console
- Instructions:
- Applications --> Terminal
- Switch user to root
- Instructions:
- su - root
- <Whatever you set the root password to>
- Get IP Address
- Instructions:
- ifconfig -a
- Notes:
- As indicated below, my IP address is 192.168.1.106.
- Please record your IP address.
Section 4. Disable SELINUX |
- Start a Terminal Console
- Instructions:
- sestatus
- If "SELinux status:" is disabled OR "Current mode:" is permissive, skip the remaining steps in this section and continue to the next section.
- If "SELinux status:" is enabled AND "Current mode:" is enforcing, continue with the next steps.
- Notes:
- In my case, I need to temporarily put selinux in permissive mode to demonstrate basic attacks on DVWA.
- Start a Terminal Console
- Instructions:
- echo 0 > /selinux/enforce
- Writing a "0" to the enforce file puts SELinux in permissive mode (until the next reboot).
- sestatus
- Notice that "Current mode:" changed to permissive.
Section 5. Start Up Damn Vulnerable Web App (DVWA) |
- Start up a Web Browser
- Instructions:
- Applications --> Internet --> Firefox
- Notes:
- You can open up a Web browser on any Operating System on your network.
- Working with DVWA does not have to be done on your Fedora machine; the only requirements to play with DVWA are as follows:
- The Fedora Server is on the Network.
- httpd is running
- mysqld is running
- DVWA Database setup
- Instructions:
- http://192.168.1.106/dvwa/login.php
- Replace 192.168.1.106 with the IP Address obtained from Section 3, Step 3.
- Username: admin
- Password: password
- "password" is the default password for user admin.
- Set Website Security Level (Part 1)
- Instructions:
- Click on DVWA Security
- Set Website Security Level (Part 2)
- Instructions:
- Select Low
- Click Submit
Section 6. Command Execution |
- Command Execution
- Instructions:
- Click on Command Execution
- Execute Ping
- Notes:
- Below we are going to do a simple ping test using the web interface.
- As an example, ping something on your network.
- Use the IP Address obtained in Section 3, Step 3 if you have nothing else to ping.
- Instructions:
- 192.168.1.106
- Click Submit
- cat /etc/passwd (Attempt 1)
- Instructions:
- cat /etc/passwd
- Click Submit
- Notes:
- Notice that either a message saying "illegal IP address" was displayed or nothing was returned.
- cat /etc/passwd (Attempt 2)
- Instructions:
- 192.168.1.106; cat /etc/passwd
- Click Submit
- Notes:
- Notice that we are now able to see the contents of the /etc/passwd file.
- Looking at the weakness
- Instructions:
- Bring up a terminal window (See Section 3, Step 1, if you don't know how)
- cat /var/www/html/dvwa/vulnerabilities/exec/source/low.php
- Notes:
- Notice the two shell_exec lines.
- These are the lines that execute ping depending on which Operating System is being used.
- On a Unix/Linux command line, you can run multiple commands separated by ";".
- Notice that the code does not check whether $target matches an IP address pattern such as
- \d+.\d+.\d+.\d+, where "\d+" represents a number with one or more digits, like 192.168.1.106.
- Because nothing is validated, an attacker can append commands after the IP address.
- 192.168.1.106; cat /etc/passwd
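To show what the missing check looks like, here is a hardened version of the ping logic as an added example (this is not DVWA's own low.php): the target is validated as a dotted-quad IPv4 address and escaped before it reaches shell_exec, so the "192.168.1.106; cat /etc/passwd" input from Attempt 2 is rejected. It assumes PHP 7.2 or later (for PHP_OS_FAMILY); the function names are my own.

```php
<?php
// Added example, not DVWA's low.php: validate $target before shell_exec.
// Anchored version of the \d+.\d+.\d+.\d+ idea from the lab notes: the dots are
// escaped (an unescaped "." matches any character) and ^/$ reject anything
// appended after the fourth octet, such as "; cat /etc/passwd".
const IPV4_PATTERN = '/^\d{1,3}(\.\d{1,3}){3}$/';

function is_valid_ipv4(string $target): bool
{
    // Shape check first, then filter_var enforces 0-255 for each octet.
    if (preg_match(IPV4_PATTERN, $target) !== 1) {
        return false;
    }
    return filter_var($target, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

function build_ping_command(string $target): ?string
{
    if (!is_valid_ipv4($target)) {
        return null; // caller reports "Illegal IP address"; no shell is ever run
    }
    // Defence in depth: even the validated value goes through escapeshellarg,
    // so the shell sees exactly one argument and ";" or "|" cannot split it.
    $ping = (PHP_OS_FAMILY === 'Windows') ? 'ping ' : 'ping -c 3 ';
    return $ping . escapeshellarg($target);
}

function safe_ping(string $target): string
{
    $cmd = build_ping_command($target);
    if ($cmd === null) {
        return 'Illegal IP address';
    }
    $out = shell_exec($cmd);
    return is_string($out) ? $out : '';
}

// Constructed inputs taken from the lab steps: only the bare address is accepted.
$inputs = [
    '192.168.1.106',
    '192.168.1.106; cat /etc/passwd',
    '192.168.1.106; cat /etc/passwd | tee /tmp/passwd',
    '999.1.1.1',
];
foreach ($inputs as $input) {
    printf("%-50s -> %s\n", $input, build_ping_command($input) ?? 'rejected');
}
```

Run with `php hardened_ping.php` (the file name is arbitrary) to see which inputs are rejected; only the first line produces a ping command.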
- Copy the /etc/passwd file to /tmp
- Instructions:
- 192.168.1.106; cat /etc/passwd | tee /tmp/passwd
- Note:
- Here we are not only displaying the contents of /etc/passwd on the webpage, but also we are copying the /etc/passwd file to the /tmp directory.
- Proof of Lab
- Instructions:
- Bring up a terminal window
- cd /tmp
- ls -l passwd
- date
- echo "Your Name"
- Replace the string "Your Name" with your actual name.
- e.g., echo "An Toàn Thông Tin"
- Proof of Lab Instructions:
- Do a <PrtScn>
- Paste into a word document
- Email to AnToanThongTin.Edu.VN@Gmail.Com