Welcome back. In this video, we're going to cover the command injection vulnerability. We already know what this is, and we already covered some type of command injection in the previous video, when we exploited the Shellshock vulnerability. However, now we're going to do it on the web page itself. So do you remember this example on the screen that we talked about? Say we have a website, and that website takes an IP address that we tell it to ping, and it will tell us whether that IP address is offline or online. Well, we are going to take a look at this example inside the Damn Vulnerable Web Application. So for this, you want to start your Kali Linux machine and Burp Suite inside of your Kali Linux machine. Now, we won't be using it in this specific video, but nonetheless we must have it started, because we connected it as the proxy for our Firefox. If it is not open, we won't be able to visit web pages. After that, you also want to open up your Metasploitable virtual machine and check its IP address, and then we want to visit the command injection page on our Metasploitable machine. So go to your Firefox right here, type in the IP address of your Metasploitable; it will lead you to this initial page, where we want to go to DVWA. Let us log in with the credentials that they give us, which is admin for the username and password for the password, and click on Login.
We don't want to save these credentials, and we want to go to Command Execution, otherwise known as command injection. But before we attack it, let us go to DVWA Security and set the security to low, because right now we can see down here that the security level is set to high. So let's go right here, click this arrow and click on Low now, so you can see everything better. I'm going to zoom all of this in. And once you set the security level to low, you want to click on Submit. Great. Now let's go back to our command injection. So as we can see, it tells us that we can ping an IP address for free, so all we need to do is enter an IP address and it will give us a result of whether it is offline or not. Let's give it a try. If we type, for example, the IP address of my router, which is 192.168.1.1, and I click on Submit, let us see what it will tell us. And here is the output. It seems to work and it gives correct results: my router is indeed up and running. But if you take a closer look at this output that we got right here, it seems that this is the same output that we get when running a command inside of a terminal, right?
So if I go to my Kali Linux machine and I open the terminal and I type the command ping 192.168.1.1 -c 3, because I only want to ping it three times, and I press Enter, well, we pretty much get the same result right here. It will ping my router three times and it will give us a similar output to our Metasploitable page. What does this mean? Well, it most likely means that this web page forwards the command to the server, which in our case is our Metasploitable machine, and that machine executes the ping command to determine whether that IP is up or not. Another thing that we get with this page is, if we scroll down here, we can see View Source, and this is the source code of this page, so we can see whether they filter the input or not. But let us not check the source code yet. Let's not cheat, and let's just try to execute command injection and get it to work. So how are we going to do that? Well, we can try to execute two commands inside of this input bar right here. It does ask us for an IP, but we can also try to add another command after we specify an IP address. For example, if I type 192.168.1.1, then a semicolon to separate commands, and after it I type ls -la, which stands for list all, including hidden files, and I click on Submit...
And it works. It gave us both results from both commands: it pinged the router first, and after it, it executed the ls command, and we can see what files our target has. This means there is a command injection vulnerability, because this is something that we shouldn't be able to do. We shouldn't be able to execute other commands outside of this command. So let us try different commands as well. So let us enter the same IP address, then a semicolon, and then whoami, for example. And it does give us the output of that as well: we are www-data. OK, but how can we exploit this and gain access to the target with the help of this command injection? It's quite simple, actually. We can use netcat for that. So if we start a listener in our Kali terminal: if I go right here and type nc -lvp and then I'm going to use the good old 12345 port, I start my listener right here. And I go back to this page and run the following command. So I type the IP address, then a semicolon, and then nc -e, where I tell it that I want to execute /bin/bash, and after it I specify the IP address of my Kali Linux machine, which in this case is, let me just check it out, 192.168.1.9. So I specify right here 192.168.1.9.
And the port is going to be 12345, which is the same port as our listener. I click on Submit, and if I go back to our terminal, we got the connection right here. So we exploited the command injection vulnerability. We can run commands: type ls, go back and switch through the other directories, and we can check out all the other files. Here is the passwd file, so we can also check out the passwords. We can check out other commands as well, and everything works great. We exploited this target. Let us exit out of this. And now that we successfully exploited this vulnerability, we can take a look at what the source code was. So let's go down here, click on View Source, and I'll enlarge all of this so we can see it a little bit better. If we take a look at it, we will see that it didn't really filter any user input. They just requested the IP that the user inputs and they forwarded that IP address to the ping command right here and right here, without any filtering whatsoever. That was a big, big mistake, since because of this we were able to gain access to the target system. Now let's give it a try on the medium security level and let's see whether we can exploit it then. So I'm going to close this source code, go back to DVWA Security and change from low to medium.
Click on Submit. And now the security level is medium. Let's go back to the command injection. And now that it is on medium level, let's give it a try. Let's just start with the same thing that we did previously and try to execute the command. So if I go right here, type 192.168.1.1, and then a semicolon, and then, for example, ls -la, and I click on Submit, well, nothing seems to happen. It doesn't seem to work anymore. However, luckily, the semicolon isn't the only way we can run two commands. If I go to my terminal, if you type, for example, ls; whoami, it will execute both of these commands. So it will give us the output of ls and then mrhacker as well. But you can also do it like this: specify these two ampersands, &&, and then whoami, and it will do exactly the same thing. So let's give it a try like this. Maybe they filter this character, but they didn't filter it like this. If I go here and type 192.168.1.1, and then these two ampersands, and then, for example, ls -la, and once again click on Submit. And this will do the same thing. It will still not work. OK, let's do the same thing, but just delete one of these ampersands that we put right here.
If I show you right here, copy the same command, paste it right here, and I remove one ampersand, it will once again execute both of these commands, just as two different processes. So it might execute one before another. However, it will execute both of them. Let us go right here and give it a try: 192.168.1.1, and then one of the ampersands, &, and then ls -la, click on Submit, and it works. We get the output of both commands, and the output of all of the files inside of the current directory on the target system. So the first two tries didn't work, probably because those characters were getting filtered and blocked, but if we specify it like this, then it seems to work. It seems to bypass any security and it executes our second command. So if we go down here and we take a look at the source code. I enlarged this so we can see the entire code. It seems that they created some type of a blacklist right here, so they removed these characters and this character right here. So anyone that tries to specify command injection with these characters, it will not work. That's why this is a medium security level, and you need to go through a few more commands in order to bypass this.
However, it is still bad, because they filter some characters out, but others they don't filter at all. For example, besides this one character that we used, we can also exploit it using the pipe character. So I can type 192.168.1.1 and then the pipe, which is this vertical line, and then after it specify ls -la, and this will work as well, as we can see, since we get the output of the ls command. Great. Now, if we were to change the security level to high, I think I read somewhere that high is an example of how the code should be written, so it isn't really exploitable. You can change it right here, you can submit, and you can go to the Command Execution and check out the source code right here. It seems to only require integers, and it checks whether all of your inputs are integers, and it splits the IP address into four octets. It does that first with explode right here, and it checks if every octet is an integer, and if it is an integer, then it combines those octets once again and it pings that target. OK, so we have covered the command injection vulnerability, and now you know how to try to find it and exploit it. In the next video, we're going to move on to the next vulnerability. See you there.