OS Command Injection to Meterpreter

Definition: Command injection is an attack whose goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
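To make the definition concrete, here is an added example (not code from the original post or from DVWA) of the two ways a "ping this host" form handler can be written: the shell-string concatenation that makes injection possible, and a hardened handler that validates the value as an IP address and passes arguments as a list so no shell ever re-parses them. The function names and the `ping -c 1` command line are assumptions for the demo.

```python
"""
Added example, not from the original post: a minimal "ping" form handler in
two versions, the injectable shell-string pattern and a hardened version.
"""
import ipaddress
import shlex
import subprocess

# Characters a POSIX shell treats as separators or substitution syntax. Any of
# them inside a value that reaches `sh -c` (or `cmd.exe /c`) can start a new
# command; this is exactly the insufficient-validation case the definition
# above describes.
SHELL_METACHARACTERS = set(";|&`$(){}<>\n\r")


def vulnerable_ping_command(user_input: str) -> str:
    """The injectable pattern: user data concatenated into one shell string.

    Returns the command line a shell=True call would hand to the shell, so the
    effect of metacharacters can be inspected without executing anything.
    """
    return "ping -c 1 " + user_input


def contains_shell_metacharacters(value: str) -> bool:
    """Quick deny-list check; useful for logging, but not a substitute for
    allow-list validation, since quoting tricks vary between shells."""
    return any(ch in SHELL_METACHARACTERS for ch in value)


def hardened_ping_argv(user_input: str) -> list:
    """Allow-list validation plus argv-style invocation (no shell).

    Raises ValueError for anything that is not a literal IPv4/IPv6 address and
    returns the argument vector for subprocess.run(..., shell=False), where
    each element is one argument and is never re-parsed by a shell.
    """
    value = user_input.strip()
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        raise ValueError(f"rejected: not an IP address: {value!r}") from None
    return ["ping", "-c", "1", str(addr)]


def accepts(user_input: str) -> bool:
    """True if the hardened handler would run a ping for this input."""
    try:
        hardened_ping_argv(user_input)
        return True
    except ValueError:
        return False


def quoted_ping_command(user_input: str) -> str:
    """Fallback when a shell really is required: shlex.quote makes the value a
    single literal word for POSIX sh. It does NOT cover cmd.exe quoting rules,
    so on a Windows host like the one in this demo the argv form is the one
    to use.
    """
    return "ping -c 1 " + shlex.quote(hardened_ping_argv(user_input)[-1])


def run_hardened_ping(user_input: str) -> subprocess.CompletedProcess:
    """Execute the validated argv with the shell kept out of the picture."""
    argv = hardened_ping_argv(user_input)
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=10, check=False)
```

The key difference is not the metacharacter check but that the hardened handler never builds a string for a shell: validation limits the value to one well-formed address, and the list form of `subprocess.run` hands that value to `ping` as a single argument.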

DEMO:

Victim Machine: The victim is a Windows XP SP2 server hosting DVWA, with the OS Command Injection exercise set to "low" security.

OS: Win XP SP2

IP: 192.168.0.102

Web APP: Damn Vulnerable Web Application (DVWA)

(Screenshot 1)

Attacker Machine:

IP: 192.168.0.104

OS: BackBox 4.7

Browser: Mozilla Firefox

Tools: Commix ([comm]and [i]njection e[x]ploiter), Tamper Data (Mozilla Firefox add-on)


Steps:

  1. First of all we need to find the injection point and the session cookie for the DVWA Command Injection page. Tamper Data has been used for this purpose.

(Screenshot 2)

  2. After finding the cookie and injection point, we run Commix from the terminal.

(Screenshot 3)

  3. After a successful injection, Commix offers a pseudo-shell; we choose it to interact with the victim.

(Screenshot 4)

  4. Before proceeding further, we need to create a Python-based reverse TCP listener in Metasploit.

(Screenshot 5)

  5. Continuing with Commix's options, we select the Python-based reverse shell at the end and provide LHOST and LPORT.

(Screenshot 6)

  6. After selecting the Python-based Meterpreter payload, a reverse TCP connection is made to our Metasploit listener.

(Screenshot 7)
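From the server side, the injection attempts that the steps above describe leave a trace in the web server's access log whenever the injected parameter travels in the query string. The following is an added example (not part of the original post, and not Commix's or DVWA's code) of a small detector that parses combined-format log lines, URL-decodes the query parameters and flags values containing shell separators. The log lines are constructed for the demo, and the path `/dvwa/vulnerabilities/exec/` and parameter `ip` are assumed. DVWA's exec form submits by POST, so in that setup the same check would have to run on request bodies at the application or WAF layer; the constructed lines assume a GET variant.

```python
"""
Added example, not from the original post: scan access-log lines for query
parameters carrying shell metacharacters. Sample lines are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" log format. Assumed layout for the constructed data.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Shell separators and command substitution; matched after URL decoding so
# %3B / %26 / %7C are seen as ; & |.
META_RE = re.compile(r'[;|&`$\n\r]|\$\(')

# Constructed sample: a normal request, two injection attempts encoded the way
# a browser or tool would send them, and an unrelated page view.
SAMPLE_LOG = """\
192.168.0.104 - - [10/Mar/2017:21:14:02 +0000] "GET /dvwa/vulnerabilities/exec/?ip=192.168.0.1 HTTP/1.1" 200 1754 "-" "Mozilla/5.0"
192.168.0.104 - - [10/Mar/2017:21:14:09 +0000] "GET /dvwa/vulnerabilities/exec/?ip=192.168.0.1%3Becho+ZZ HTTP/1.1" 200 1790 "-" "Mozilla/5.0"
192.168.0.104 - - [10/Mar/2017:21:14:10 +0000] "GET /dvwa/vulnerabilities/exec/?ip=192.168.0.1%26%26+echo+ZZ HTTP/1.1" 200 1790 "-" "Mozilla/5.0"
192.168.0.50 - - [10/Mar/2017:21:15:00 +0000] "GET /dvwa/index.php HTTP/1.1" 200 2001 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return a dict of log fields plus decoded query params, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl splits on '&' first, then decodes, so an encoded %26 inside a
    # value stays inside that value instead of starting a new parameter.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def suspicious_params(params):
    """Parameters whose decoded value contains a shell metacharacter."""
    return [(k, v) for k, v in params if META_RE.search(v)]


def scan_log(text: str):
    """Scan a block of log text; one finding per flagged request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_params(rec["params"])
        if hits:
            findings.append({
                "line": lineno,
                "client": rec["ip"],
                "path": rec["path"],
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} -> {f['path']} {f['params']}")
```

A burst of such requests from one client against one parameter, with the server still answering 200, is the pattern an automated injection tool produces; correlating the client address with the listener connection described in step 6 (an outbound connection from the web server to a host on the same network) is the second half of the detection.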

References:

  1. https://www.owasp.org/index.php/Command_Injection
  2. http://www.dvwa.co.uk/
  3. https://github.com/commixproject/commix
  4. https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
  5. https://backbox.org
  6. https://portswigger.net/KnowledgeBase/issues/Details/00100100_OScommandinjection
