In this section I'll go through the code and command injection exercises. Code injection and command injection look alike, but they differ in what ends up executing the injected input. In code injection, the data you pass into the web app (a username field, a comment body) is handed to the application's own interpreter and run as program code, for example through a PHP eval() call. In command injection, the web app expects to run a specific operating system command built from your input, and you append another command so that the shell runs it as well.
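The distinction above, as an added example that is not code from the walkthrough or from PentesterLab: a calculator that hands input to the Python interpreter (code injection) next to a handler that splices input into a shell command line (command injection), each with its constructed payload and a hardened version. `echo` stands in for the command the app means to run (ping, say), and a POSIX /bin/sh is assumed for the `shell=True` half.

```python
"""Added example (not code from the walkthrough or PentesterLab): code injection
and command injection side by side, each with a constructed payload.
'echo' stands in for the command (e.g. ping) the app means to run, and a POSIX
/bin/sh is assumed for the shell=True half."""
import ast
import operator
import subprocess

# ---- code injection: input is executed by the application's interpreter ----

def calc_vulnerable(expr: str):
    # Means to evaluate "2+2", but eval() runs any Python expression it is given.
    return eval(expr)

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}

def calc_safe(expr: str):
    """Parse to an AST and only walk the node types a calculator needs;
    a Call, Attribute or Name node is refused instead of executed."""
    def ev(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](ev(node.left), ev(node.right))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")
    return ev(ast.parse(expr, mode="eval").body)

def calc_safe_rejects(expr: str) -> bool:
    """True if the whitelisting evaluator refuses expr."""
    try:
        calc_safe(expr)
        return False
    except (ValueError, SyntaxError):
        return True

# ---- command injection: input is spliced into an OS command line ----------

def ping_vulnerable(host: str) -> list:
    # shell=True hands the whole string to /bin/sh, so ';' starts a second command.
    out = subprocess.run(f"echo pinging {host}", shell=True,
                         capture_output=True, text=True, check=True).stdout
    return out.splitlines()

def ping_safe(host: str) -> list:
    # An argv list never touches a shell: ';' is just a byte inside argv[2].
    out = subprocess.run(["echo", "pinging", host],
                         capture_output=True, text=True, check=True).stdout
    return out.splitlines()

CODE_PAYLOAD = "__import__('os').getpid()"   # constructed: harmless proof of execution
CMD_PAYLOAD = "127.0.0.1; echo INJECTED"    # constructed: appends a second command

if __name__ == "__main__":
    print("eval ran attacker code, pid:", calc_vulnerable(CODE_PAYLOAD))
    print("whitelist evaluator refused it:", calc_safe_rejects(CODE_PAYLOAD))
    print("shell=True :", ping_vulnerable(CMD_PAYLOAD))
    print("argv list  :", ping_safe(CMD_PAYLOAD))
```

The code injection payload returns the process id rather than doing damage, which is the usual first proof that the interpreter is running your input; the command injection payload shows up as a second output line only when the string goes through a shell.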
Continuing the Web for Pentesters 1 walkthrough series, this post focuses on the directory traversal and file include exercises in the ISO. Let's start with what these attacks are and how they can be prevented. First, what is a directory traversal attack? In basic terms, it lets an attacker read files outside the web application's directory, e.g. the web server's /etc/shadow file, by supplying path components such as ../ in a parameter the application uses to build a file path. You can prevent it by validating user input, canonicalising the requested path and checking that it still lies inside the intended directory, rather than trusting paths or URLs sent back to the server (more info here).
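The check the prevention advice calls for, as an added example that is not part of the original post: a file-serving handler that decodes the requested path, canonicalises it and refuses anything that resolves outside the web root. The web root, its public file, the "outside" secret standing in for /etc/shadow and the symlink are all constructed in temp directories so it runs offline (POSIX assumed for the symlink); the file names are illustrative.

```python
"""Added example, not from the original post: the input validation the text
recommends, as a path check a file-serving handler could call. The web root,
its files and the 'outside' secret are constructed in temp dirs so it runs
offline (POSIX assumed for the symlink); the names are illustrative."""
import os
import tempfile
from urllib.parse import unquote


def safe_resolve(base_dir: str, user_path: str):
    """Return the canonical path of user_path inside base_dir, or None if it
    would escape. Decode first so %2e%2e%2f is judged as ../, then realpath
    so ../, absolute paths and symlinks are all compared after resolution."""
    base = os.path.realpath(base_dir)
    decoded = unquote(user_path)
    if "\x00" in decoded:
        # A null byte truncates the path in C-backed file APIs, so "x\0.png"
        # could pass an extension check and still open "x". Reject outright.
        return None
    target = os.path.realpath(os.path.join(base, decoded))
    # commonpath rather than startswith, so /srv/www does not accept /srv/www2
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def read_file(base_dir: str, user_path: str):
    """The handler: None for anything that is not a regular file under base_dir."""
    path = safe_resolve(base_dir, user_path)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as f:
        return f.read()


def make_demo_root() -> str:
    """Constructed fixture: a web root with one public file, a secret outside
    it (standing in for /etc/shadow) and a symlink from inside pointing out."""
    base = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(base, "docs"))
    with open(os.path.join(base, "docs", "readme.txt"), "w") as f:
        f.write("public file\n")
    outside = tempfile.mkdtemp(prefix="outside-")
    with open(os.path.join(outside, "shadow"), "w") as f:
        f.write("root:!:19000:0:99999:7:::\n")   # constructed, not a real hash
    os.symlink(outside, os.path.join(base, "link"))
    return base


# Constructed attack inputs, all of which safe_resolve must reject.
TRAVERSAL_INPUTS = [
    "../../../../etc/shadow",           # classic dot-dot-slash
    "%2e%2e/%2e%2e/%2e%2e/etc/shadow",  # percent-encoded dots
    "/etc/shadow",                      # absolute path: os.path.join drops base
    "link/shadow",                      # symlink inside the root pointing outside
    "docs/readme.txt%00.png",           # null byte before an innocent extension
]


if __name__ == "__main__":
    root = make_demo_root()
    print("ok:", read_file(root, "docs/readme.txt"))
    for p in TRAVERSAL_INPUTS:
        print(f"{p!r:40} -> {safe_resolve(root, p)}")
```

The important design choice is to compare after resolution: a blacklist of `../` is bypassed by encoding or by a symlink, whereas `realpath` plus `commonpath` judges where the path actually lands.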
Part 2 of the Web for Pentesters walkthrough. In this part we'll go through what SQL injection is and how to exploit it in the PentesterLab virtual machine (here). In basic terms, SQL injection is injecting SQL into the query an application builds, so that the database returns or does something the developer didn't intend. It happens because the developer concatenates the user's input into the query instead of sanitising it properly or using a prepared statement. For this section it is really helpful to have a URL encoder; there are plenty online, or build your own.
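Since the text suggests building your own, here is a small URL (percent) encoder and decoder as an added example that is not part of the original post. It encodes everything except the RFC 3986 unreserved characters, which covers the characters the payloads in this section rely on (`'`, space, `#`, tab, newline), and the decoder refuses malformed escapes rather than passing them through.

```python
"""Added example, not from the original post: a hand-rolled URL encoder and
decoder of the kind the text suggests building. Encodes every byte except the
RFC 3986 unreserved set; the decoder rejects malformed %XX escapes."""

UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.~"
)
HEXDIGITS = set("0123456789abcdefABCDEF")


def url_encode(s: str) -> str:
    """Percent-encode s, working on UTF-8 bytes so non-ASCII becomes several
    %XX groups. A space becomes %20 (never '+'), which is unambiguous in both
    the query string and form bodies."""
    out = []
    for b in s.encode("utf-8"):
        c = chr(b)
        out.append(c if c in UNRESERVED else f"%{b:02X}")
    return "".join(out)


def url_decode(s: str) -> str:
    """Inverse of url_encode. A '%' must be followed by exactly two hex digits:
    '%OA' (letter O) is a typo, not a newline, and raises ValueError.
    Not handled here: '+' as a space, which PHP's $_GET parsing does apply."""
    data = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "%":
            pair = s[i + 1:i + 3]
            if len(pair) != 2 or not all(ch in HEXDIGITS for ch in pair):
                raise ValueError(f"malformed percent-escape at offset {i}: {s[i:i + 3]!r}")
            data.append(int(pair, 16))
            i += 3
        else:
            data.extend(s[i].encode("utf-8"))
            i += 1
    return data.decode("utf-8")


def is_well_formed(s: str) -> bool:
    """True if every percent-escape in s decodes."""
    try:
        url_decode(s)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    # constructed inputs: the payload characters this section uses
    for raw in ["root' or '1'='1' #", "\t", "\n", "#"]:
        print(f"{raw!r:25} -> {url_encode(raw)}")
    print(url_decode("2%0A%20or%201%3D1"))
    print("2%OA is well formed:", is_well_formed("2%OA or 1=1"))
```

Having the decoder reject `%OA` is the practical point: when a payload silently fails, check that every escape is two hex digits (zero, not the letter O) before blaming the filter.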
The following are sample answers for the SQL injection section of the VM. If you need an explanation of how each exploit works, the PentesterLab course explains every one of them perfectly:
?name=root' or '1'='1' %23
# = %23 (URL-encoded; in MySQL the # comments out the rest of the query, including the closing quote the app appends)
tab = %09 (URL-encoded; a whitespace character the database accepts between SQL tokens)
?id=2%0A or 1=1
%0A = newline character (URL-encoded; that is a zero, not the letter O, or the escape is not decoded)
For the remaining example, do what the walkthrough says; there is no separate payload, since everything needed is already shown.
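To see what the payloads above do once the app URL-decodes them, here is an added example that is not part of the walkthrough or of PentesterLab's code: a concatenated query next to a prepared statement, run against an in-memory SQLite table constructed here. Two assumptions are labelled in the code: the integer lookup sits behind a constructed filter that rejects only the space character (the kind of check the tab and newline encodings are there to get past), and because SQLite does not know MySQL's `#` comment, the `#` payload is shown at the string level while a variant without the comment is executed.

```python
"""Added example, not part of the walkthrough or of PentesterLab's code: what
the payloads above do once the app URL-decodes them and concatenates them into
a query. Runs against an in-memory SQLite table constructed here. SQLite does
not know MySQL's '#' comment, so the comment payload is shown at the string
level and an equivalent without a comment is executed."""
import sqlite3
from urllib.parse import unquote


def make_db() -> sqlite3.Connection:
    """Constructed fixture: three users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, age INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", 40), (2, "hacker", 30), (3, "user", 20)])
    return db


def build_query_vulnerable(name: str) -> str:
    # Concatenation, as in the exercises: the attacker's quote closes the
    # literal and everything after it is parsed as SQL. With the page's payload
    # the closing quote the app appends lands after '#', which MySQL treats as
    # a comment start, so it is ignored.
    return f"SELECT * FROM users WHERE name='{name}'"


def lookup_by_name_vulnerable(db, raw_param: str):
    name = unquote(raw_param)            # what the app sees after URL decoding
    return db.execute(build_query_vulnerable(name)).fetchall()


def lookup_by_name_safe(db, raw_param: str):
    # Prepared statement: the payload stays a string compared against name.
    name = unquote(raw_param)
    return db.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()


def lookup_by_id_vulnerable(db, raw_param: str):
    """Integer column behind an assumed filter that rejects only the space
    character: %09 (tab) and %0A (newline) still separate SQL tokens, and
    with no quotes around the value there is nothing to escape."""
    value = unquote(raw_param)
    if " " in value:
        return None                      # blocked by the filter
    return db.execute(f"SELECT * FROM users WHERE id={value}").fetchall()


def lookup_by_id_safe(db, raw_param: str):
    # Type the value before it gets near the query: anything but digits fails.
    try:
        value = int(unquote(raw_param))
    except ValueError:
        return None
    return db.execute("SELECT * FROM users WHERE id = ?", (value,)).fetchall()


# Constructed request parameters, URL-encoded as they would appear in the URL.
NAME_PAYLOAD_MYSQL = "root%27%20or%20%271%27%3D%271%27%20%23"   # root' or '1'='1' #
NAME_PAYLOAD_NOCMT = "root%27%20or%20%271%27%3D%271"            # root' or '1'='1
ID_PAYLOAD_SPACE = "2%20or%201%3D1"                              # 2 or 1=1
ID_PAYLOAD_TAB = "2%09or%091%3D1"                                # 2<tab>or<tab>1=1
ID_PAYLOAD_NL = "2%0Aor%0A1%3D1"                                 # 2<newline>or<newline>1=1

if __name__ == "__main__":
    db = make_db()
    print("MySQL-style query:", build_query_vulnerable(unquote(NAME_PAYLOAD_MYSQL)))
    print("concatenated (no comment):", lookup_by_name_vulnerable(db, NAME_PAYLOAD_NOCMT))
    print("prepared statement:       ", lookup_by_name_safe(db, NAME_PAYLOAD_NOCMT))
    for p in (ID_PAYLOAD_SPACE, ID_PAYLOAD_TAB, ID_PAYLOAD_NL):
        print(p, "->", lookup_by_id_vulnerable(db, p), "| safe:", lookup_by_id_safe(db, p))
```

The no-comment variant works because the app's own closing quote completes `'1'='1`, which is why it is worth trying before reaching for `#`; the tab and newline payloads show that a filter on one whitespace character is not a filter on whitespace.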