OWASP A1 INJECTION OTHER
Tools: commix, Burp Suite, Iceweasel
Vulnerable app: Mutillidae V2.6.30
I came across this tool recently, commix (Command Injection eXploiter), so I thought I'd best put it to the test, and here's what I did:
commix --url="http://192.168.0.9/mutillidae/index.php?page=dns-lookup.php" --data="target_host=INJECT_HERE&dns-lookup-php-submit-button=Lookup+DNS" --cookie "showhints=1; PHPSESSID=bf0t3nlg0f67u34f36gvaug5r7" --os-cmd="cat /etc/passwd"
So let's look in detail at where we got these parameters from.
--url="http://192.168.0.9/mutillidae/index.php?page=dns-lookup.php"
--url="" is the parameter for entering a URL; between the quotes goes the ACTUAL URL of the web page we want to test for command injection, in this case the DNS lookup page of Mutillidae.
--data="target_host=INJECT_HERE&dns-lookup-php-submit-button=Lookup+DNS"
--data="" is the parameter for entering data, in this case the POST data of the request produced when submitting the page; we insert the actual data BETWEEN the double quotes. To get the actual data, follow these steps:
- on the DNS lookup page enter an IP or hostname and click Lookup DNS
- in Burp Suite highlight the bottom line of the request (the POST data) and replace www.google.com with INJECT_HERE, the marker commix uses for the injection point
- then copy and paste the entire line BETWEEN the double quotes
For --cookie, copy the cookie as shown above from Burp Suite (or an add-on like Tamper Data) and paste it directly between the double quotes.
Finally we use --os-cmd="cat /etc/passwd"
--os-cmd="" allows a single OS command to be executed.
cat /etc/passwd is the command we have injected; it gives us a list of the users on the system.
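The DNS lookup page is exploitable because target_host is pasted into a shell command line. As an added example (not code from this post or from Mutillidae, whose real handler is PHP), here is how a hardened lookup handler would treat the same parameter in Python: validate that it is a literal IP or a syntactically valid hostname, then run the resolver with an argument list so no shell ever parses user input. It assumes an nslookup binary is on PATH.

```python
import ipaddress
import re
import subprocess

# RFC 1123 label rules: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_safe_target(target: str) -> bool:
    """Accept only a literal IP address or a well-formed hostname.

    Anything else (shell metacharacters such as ';' or '|', whitespace,
    empty or oversized input) is rejected before it can reach a command line.
    """
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)  # handles both IPv4 and IPv6 literals
        return True
    except ValueError:
        pass
    labels = target.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def lookup(target: str) -> str:
    """Resolve `target` the hardened way.

    The vulnerable pattern is subprocess.run("nslookup " + target, shell=True),
    which lets '; cat /etc/passwd' run as a second command. Here the input is
    validated first and then passed as a single argv element, so it is only
    ever an argument to nslookup, never shell text.
    """
    if not is_safe_target(target):
        raise ValueError("target_host must be a hostname or IP address")
    result = subprocess.run(["nslookup", target], capture_output=True, text=True, timeout=10)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate targets and two injection attempts.
    for candidate in ["www.google.com", "192.168.0.9", "; cat /etc/passwd", "x.com | id"]:
        verdict = "accepted" if is_safe_target(candidate) else "rejected"
        print(f"{candidate!r:22} -> {verdict}")
```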
The output is printed to the screen as shown below.
A more visually polished way of getting the same information as cat /etc/passwd is commix's built-in enumeration, using the switch
--users
Watch the video below to see commix in action enumerating users.