bWAPP Command Injection Exploitation using Commix (Bypass All Security)

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

This attack differs from Code Injection, in that code injection allows the attacker to add his own code that is then executed by the application. In Code Injection, the attacker extends the default functionality of the application without the necessity of executing system commands. Source:

https://www.owasp.org/index.php/Command_Injection

Requirement:

Xampp/Wamp Server

bWAPP Lab

Kali Linux: Burp suite, Commix tool

Very first you need to setup bWAPP lab in your XAMPP or WAMP server, for this you can visit to my previous article web Pentest lab setup using bwapp here.

Now I m going to perform os command injection attack using bWAPP

Start service Apache and Mysql in Xampp or Wamp server. Let’s open the local host address in browser as I am using 192.168.1.103:81/bWAPP/login.php. Enter user and password bee and bug respectively.

 My task is to bypass all three security level in bWAPP through os command injection.

 Let start!

 Set security level: low

 Look at below image I have set the security level low, from option choose you bug select os command injection now and click on hack.

Type the IP in the DNS lookup field and just after that start the burp suite in kali Linux. Don’t forget to set proxy in your browser while using the burp suite.

 To capture the cookie of bWAPP click on proxy option then click to inception is on button, come back to bWAPP and now click to DNS.

 As you can see I have capture the cookie in burp suite.

Open the terminal in kali Linux and type the commix command.

From fetched data under burp suite copy referrer, cookie and target use this in the following command

 commix –url=”http://192.168.1.103:81/bWAPP/commandi.php” –cookie=”PHPSESSID=7pegaf9inlf9iddhb7341k7se7; security_level=0″ –data=target=”192.168.1.103&form=submit”

This command will execute the commix tool in terminal which automatically perform command injection attack using url and cookie information in bWAPP.

Type ‘y’ to resume the classic injection point and to pseudo terminal shell.

Attack is successful commix provided a commix os shell

Commix (os_shell) > syseteminfo

Set security level: medium

Look at below image now I have set the security level medium, from option choose you bug select os command injection now and click on hack.

Repeat the process again as above, Type the IP in the DNS lookup field and just after that start the burp suite.

Click to inception is on, come back to bWAPP and now click to DNS. As you can see I have capture the cookie for medium level in burp suite.

From fetched data under burp suite copy referrer, cookie and target use this in the following command.

 commix–url=”http://192.168.1.103:81/bWAPP/commandi.php”–cookie=”PHPSESSID=7pegaf9inlf9iddhb7341k7se7;security_level=1″–data=target=”192.168.1.103&form=submit”

Type ‘y’ to resume the classic injection point and to pseudo terminal shell.

Attack is successful in medium security and again commix provided a commix os shell.

Commix (os_shell) > ipconfig

Set security level: high

After achieving os shell of low and medium my next mode is high security, now I m trying to bypass this level by repeating same process once again.

 Set security high, choose your bug os command injection and click on hack.

Type the IP in the DNS lookup field and just after that start the burp suite in kali Linux. From fetched data under burp suite copy referrer, cookie and target use this in the following command.

commix–url=”http://192.168.1.103:81/bWAPP/commandi.php”–cookie=”PHPSESSID=7pegaf9inlf9iddhb7341k7se7;security_level=2″–data=target=”192.168.1.103&form=submit”

Type ‘y’ to resume the classic injection point and to pseudo terminal shell. We have successfully bypass high level also with the same process.  

Commix (os_shell) > systeminfo

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Related Posts Plugin for WordPress, Blogger...

Leave a Reply