Forensic Command Injection Attack (en)

From OnnoWiki
Jump to navigation Jump to search

Command Injection is a type of security vulnerability where attackers can inject malicious commands into user input, which are then executed by the server. DVWA (Damn Vulnerable Web Application) is an excellent platform to learn and practice various web attacks, including command injection. In this tutorial, we will simulate a command injection attack on DVWA running on Ubuntu Server and analyze the digital footprints left behind.

Preparation

Environment:

  • An Ubuntu Server machine with DVWA installed.
  • An attacker machine (which can also be Ubuntu) equipped with forensic tools such as:
    • grep: To search for specific strings in files
    • awk: To process text data
    • sed: To edit text
    • file: To determine file types
    • strings: To extract human-readable strings from binary files
  • Basic understanding of:
    • Command injection concepts
    • Basic Linux operating system
    • Using the terminal and basic commands

Steps

Identifying the Attack Point in DVWA:

  • Login to DVWA and select the appropriate security level (low, medium, high).
  • Find the module vulnerable to command injection. Typically, this module will request user input that is directly executed as a system command.

Executing the Command Injection Attack:

  • Example payloads:
    • To display the contents of a file: `' ; cat /etc/passwd ; '`
    • To execute a shell command: `' ; /bin/bash ; '`
    • Note: The exact payload will depend on the configuration of DVWA and the target system.
  • Enter the payload into the provided input form.

Analyzing Digital Footprints:

  • Server Logs:
    • Access log: Search for entries related to requests containing malicious payloads.
    • Error log: Check for error messages indicating unauthorized command execution attempts.
    • Command: `grep "payload" /var/log/apache2/access.log`
  • Shell History:
    • Root: `cat /root/.bash_history`
    • User: `cat /home/user/.bash_history`
    • Crontab: `crontab -l`
  • Special Log Files:
    • Fail2ban: If installed, check fail2ban logs for failed login attempts.
    • WAF: If using a WAF, check WAF logs for blocked attacks.
  • File System:
    • Newly created files: `find / -name "*newfile*" -mtime -1`
    • Modified files: `find / -mtime -1`

Preventing Command Injection Attacks:

  • Input Sanitization: Always filter and validate all user input before using it in system commands.
  • Escaping Special Characters: Use proper escaping functions to prevent special characters from being interpreted as part of a command.
  • Using Parameterized Queries: Avoid dynamically constructing queries. Use parameterized queries to prevent injection.
  • Principle of Least Privilege: Run web applications with the least privileges necessary.

Additional Tips

  • Use Forensic Tools: Tools like `grep`, `awk`, and `sed` are highly useful for analyzing logs and system files.
  • Learn Obfuscation Techniques: Study techniques to obfuscate payloads, making them harder to detect.
  • Simulate a Realistic Environment: Use virtual machines or isolated environments to experiment.
  • Follow Ethical Principles: Do not attack systems for which you do not have authorization.

Conclusion

Command injection is a serious threat to web application security. By understanding the attack mechanism and forensic techniques, we can be more effective in detecting and preventing such attacks. DVWA is an excellent tool to practice and enhance skills in web application security.

Interesting Links