Web for Pentesters 1 - Code Injection and Command Injection

In this section I'll go through the code and command injection exercises. Code injection and command injection are very similar, but they differ in execution. In code injection, you deliver the payload as part of the data you pass into the web app, e.g. in the username field or comment section, and the application's interpreter evaluates it as code. In command injection, the web app expects a certain command argument to be passed, but another operating-system command is inserted along with it.

Code Injection

example 1:

The comment sequence comments out the rest of the line, which escapes the eval() call and executes the uname -a command on the server, returning the system information.

example 2:

Here we're closing out the PHP function strcmp() with the ) and closing out the user-created function with the }.
After that, we can inject our system() call, which executes the uname -a command like before, and then comment out the rest of the code.

example 3:

Place the e in between / and &base to produce the error.
Basically this error means that the server is trying to execute the 'hacker' value as a function, but can't, as no such function exists.
So now we can run any command just by replacing the value hacker with any command we want, like so:
Displays the phpinfo page.
This will run the uname -a command on the system and return the system name.

example 4:

Adding ' or " to the end of hacker will produce the error.
The assert() function in PHP checks whether the value passed in is false.
This will escape the assert() call and execute the command, phpinfo(), displaying its contents on the web page.
Next up is command injection.

Command Injection

example 1:

Basically there's no validation or encoding here, so inserting %26%26cat /etc/passwd (%26%26 is the URL-encoded &&) outputs the passwd file to the web page.

example 2:

Here you can bypass the validation by passing a URL-encoded newline and then passing in a new command.
\n (newline) = %0a

example 3:

Using the telnet command, I was able to get it to work.
telnet <vm's ip> 80
Then pass in the request:
GET /commandexec/example3.php?ip=|uname+-a HTTP/1.0
This should display the system name in between pre tags, towards the bottom of the output.
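The common thread in all three command injection examples is that the ip parameter reaches a shell as part of a command string, so separators such as &&, a newline or | start a second command. The fix on the developer's side is to accept only what the parameter is supposed to be and to never hand the value to a shell. The following is an added example written for this walkthrough, not PentesterLab's own PHP; it assumes the application only needs to ping an IP address, uses Python's ipaddress module as the allow-list, and builds an argv list for subprocess so that no shell ever interprets the value. The test strings are the ones used in the exercises above. (For the code injection examples there is no equivalent hardening: eval(), preg_replace with /e and assert() on user input have no safe form and simply should not be used.)

```python
"""Hardened handling of a 'ping this host' parameter (added example).

Demonstrates allow-list validation plus shell-free execution, the two
controls that stop the separators used in the command injection exercises:
URL-encoded && (%26%26), newline (%0a) and the pipe character (|).
"""
import ipaddress
import subprocess
from urllib.parse import unquote


def parse_ip(raw: str) -> str:
    """URL-decode the raw parameter and accept only a valid IPv4/IPv6 literal.

    ipaddress.ip_address raises ValueError for anything that is not exactly
    an address, so separators, spaces, control characters and extra text are
    all rejected before they could reach the command layer.
    """
    decoded = unquote(raw)
    return str(ipaddress.ip_address(decoded))


def is_safe_ip(raw: str) -> bool:
    """True when the parameter would be accepted by parse_ip."""
    try:
        parse_ip(raw)
        return True
    except ValueError:
        return False


def build_ping_argv(raw: str) -> list:
    """Return the argv the application would execute.

    Passing a list to subprocess (shell=False) means the validated address is
    a single argument to ping; there is no shell to interpret &&, | or a
    newline even if validation were somehow bypassed.
    """
    return ["ping", "-c", "1", parse_ip(raw)]


def run_ping(raw: str) -> str:
    """Execute the ping without a shell (not exercised by the tests)."""
    result = subprocess.run(
        build_ping_argv(raw), capture_output=True, text=True, check=False
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: one legitimate address and the three exercise payloads.
    for candidate in ("127.0.0.1",
                      "127.0.0.1%26%26cat /etc/passwd",
                      "127.0.0.1%0acat /etc/passwd",
                      "|uname+-a"):
        print(repr(candidate), "->", "accepted" if is_safe_ip(candidate) else "rejected")
```

Note that the validation is an allow-list, not a blocklist: it does not look for &&, %0a or | specifically, so encodings that a blocklist would miss are rejected as well.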

Web for Pentesters 1 - Directory Traversal and File Include

Continuing with the series of Web for Pentesters 1 walk-throughs, this post will focus on the directory traversal and file include exercises in the ISO. Let's start off with what these attacks are and how they can be prevented. First off, what is a directory traversal attack? In basic terms, this attack allows someone to view files outside of the web application directory, e.g. the shadow file of the web server. You can prevent this by validating user input and the URLs sent to the server (more info here).

File inclusion is uploading a file to the server in a file type that wasn't intended, like uploading a bash script disguised as a text file. This type of exploit can lead to attacks like cross-site scripting (more info here). You can prevent this by validating the files uploaded by the user (a running theme with a lot of exploits).
As per usual, pentesterlabs has a very good explanation of these exploits in the course section for this ISO. So without further delay, here are some sample answers:
Directory Traversal:
example 1:
wget -O - 'http://<vmip>/dirtrav/example1.php?file=../../../../../../../etc/passwd' > e1.txt
Outputs the contents into the file e1.txt (-O - writes the response to standard output, which is then redirected into the file).
You could also put the link directly into the browser and have it display the passwd file.
example 2:
example2.php?file=/var/www/file/../../../etc/passwd' > e2.txt
Outputs the contents into the file e2.txt.
example 3:
File Include:
Use this link from pentesterslab to test for file inclusion
example 1:
This will display the php info page.
example 2:
Append a URL encoded null byte to the end of the string and it will display the php info page.
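Both exercise sections above abuse the same weakness: a file name taken from the request is joined onto a directory and opened without checking where the result actually points, and a trailing null byte (%00) truncates the name before any extension the code appends. The following is an added example written for this walkthrough, not PentesterLab's own code; it assumes a Linux server with a constructed base directory /srv/app/files and shows the check a file-serving handler should perform: decode, reject null bytes and absolute paths, resolve the real path, and confirm it is still inside the base directory. The rejected inputs are the ones used in the exercises above.

```python
"""Safe resolution of a user-supplied file name against a base directory
(added example). Rejects the traversal and null-byte inputs used in the
directory traversal and file include exercises."""
import os
from urllib.parse import unquote

# Constructed example directory; not a path from the PentesterLab VM.
BASE_DIR = "/srv/app/files"


def resolve_user_file(base_dir: str, raw_param: str) -> str:
    """Return the absolute path to serve, or raise ValueError.

    Steps: URL-decode, refuse embedded null bytes (the %00 truncation trick),
    refuse absolute paths, resolve symlinks and '..' segments with realpath,
    and finally require the resolved path to stay under base_dir.
    """
    decoded = unquote(raw_param)
    if "\x00" in decoded:
        raise ValueError("null byte in file name")
    if os.path.isabs(decoded):
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, decoded))
    # commonpath strips a partial-prefix match such as /srv/app/files-old,
    # which a plain startswith() check would wrongly accept.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the base directory")
    return target


def is_allowed(base_dir: str, raw_param: str) -> bool:
    """True when resolve_user_file would accept the parameter."""
    try:
        resolve_user_file(base_dir, raw_param)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a legitimate name plus the three exercise payloads.
    for candidate in ("notes.txt",
                      "../../../../../../../etc/passwd",
                      "/var/www/file/../../../etc/passwd",
                      "notes.txt%00.png"):
        print(repr(candidate), "->", "allowed" if is_allowed(BASE_DIR, candidate) else "rejected")
```

Resolving with realpath before the containment check matters: a prefix check on the unresolved string would still let "sub/../../etc/passwd" through, and a symlink inside the base directory would otherwise be followed out of it.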

Web for Pentesters - SQL Injection

Part 2 of the Web for Pentesters walk-through. In this part, we'll go through what SQL injection is and how to exploit it in the pentesterlabs virtual machine (here). In basic terms, SQL injection is injecting SQL commands into an application so that it outputs something the developer didn't intend. This happens because the developer does not sanitise the user's input properly. For this section, it would be really helpful to have a URL encoder; there are plenty online, or you can build your own.

The following are some sample answers for the SQL injection section of the VM. If you need an explanation of how these exploits work, the pentesterlab course explains each one perfectly:

example 1:
?name=root' or '1'='1' %23
# = %23

example 2:
\t (tab) = %09 (URL encoding)

example 3:

example 4:

example 5:

example 6:

example 7:
?id=2%0A or 1=1
%0A = newline character

example 8:
do what is said in the walkthrough, no real payload as everything is showing already.

example 9:
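Every example in this section works because the name or id parameter is pasted into the query text, so the quote in root' or '1'='1' closes the string literal and the rest becomes SQL. The following is an added example for the section as a whole, written for this walkthrough and not PentesterLab's own code. It uses an in-memory SQLite database with constructed rows, compares the concatenation the exercises rely on with a parameterised query, and feeds both the example 1 payload. The trailing %23 (#) comment is MySQL syntax and is dropped here because SQLite does not treat # as a comment; the or '1'='1' part is what makes the condition true for every row.

```python
"""String concatenation versus parameterised queries (added example).

The vulnerable lookup mirrors the exercises' query construction; the safe
lookup passes the value as a bound parameter so the database never parses
it as SQL.
"""
import sqlite3

# Example 1 payload from the walkthrough, without the MySQL-only # comment.
PAYLOAD = "root' or '1'='1"


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)")
    conn.executemany(
        "INSERT INTO users (name, age) VALUES (?, ?)",
        [("root", 41), ("hacker", 23), ("admin", 35)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the query by concatenation: the quote in the payload closes the
    literal and 'or '1'='1'' becomes part of the WHERE clause."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the whole payload is compared as one string value,
    so it matches no row and no SQL in it is ever executed."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str) -> tuple:
    """Run both lookups against a fresh database and return their results."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, name), lookup_safe(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ("root", PAYLOAD):
        vulnerable, safe = compare(value)
        print(repr(value), "-> concatenated:", vulnerable, "| parameterised:", safe)
```

The same binding approach covers the whitespace tricks in examples 2 and 7: a tab or newline inside a bound string is just data, so the keyword it was meant to separate is never recognised as SQL.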

Web for Pentesters 1 - Cross-Site Scripting (XSS)

This first series of posts will focus on Web for Pentester 1 by pentesterlab. A walk-through is provided on the site, which I recommend going through before looking at the answers I provide.
Here are some sample answers for the cross-site scripting section of the virtual machine. If you require some explanation as to what cross-site scripting is and how it works, there is a section in the walk-through accompanying this virtual machine on pentester labs, but there is also a nice explanation by Daniel Miessler found here.
If you're running some sort of ad-blocker or script-blocker, you may need to disable it for the answers to work.
example 1:
This causes an alert box to pop up.
example 2:
This will cause an alert box to pop up.
example 3:
This will cause an alert box to pop up.
example 4:
<a onmousemove="alert(1)"/>
Once you move the mouse over the web page, an alert box will pop up.
example 5:
This converts the ASCII character codes into the string alert, which will cause an alert box to pop up.
example 6:
Again, another alert box will be displayed.
example 7:
Alert box will be displayed.
example 8:
In the address bar type:
This converts the 49 into the character 1. Similar to example 5, you can also replace the 49 with a string of ASCII character codes.
example 9:
After the # symbol
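What all of these examples have in common is that a value from the request is written into the page unchanged, and the later examples show that a filter which only looks for one tag or keyword is easy to get around (example 4 needs no script tag at all). The defence is contextual output encoding rather than filtering. The following is an added example written for this walkthrough, not PentesterLab's code: it takes the example 4 payload from above, shows that a naive script-tag blocklist leaves it intact, and then escapes it for an HTML body and for a quoted attribute using Python's html.escape so it renders as text instead of markup.

```python
"""Blocklist filtering versus contextual output encoding (added example).

Uses the example 4 payload from the walkthrough to show that a filter which
only strips <script> tags does nothing, while escaping for the output
context neutralises it.
"""
import html
import re

# Example 4 payload from the page.
PAYLOAD = '<a onmousemove="alert(1)"/>'


def naive_filter(value: str) -> str:
    """A blocklist of the kind these exercises bypass: removes <script>...</script>
    blocks and nothing else. Event-handler attributes pass straight through."""
    return re.sub(r"<script\b.*?</script>", "", value, flags=re.IGNORECASE | re.DOTALL)


def render_greeting(name: str) -> str:
    """HTML body context: escape &, <, > and both quote characters so the
    browser shows the payload as text rather than parsing a tag."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


def render_link(name: str) -> str:
    """Quoted attribute context: the same escaping stops the value from closing
    the title attribute and adding its own event handler."""
    return '<a title="' + html.escape(name, quote=True) + '">profile</a>'


def introduces_markup(user_value: str, rendered: str) -> bool:
    """True if the user's raw text still appears verbatim in the rendered HTML,
    i.e. it would be parsed as markup rather than shown as text."""
    return user_value in rendered


if __name__ == "__main__":
    print("filtered :", naive_filter(PAYLOAD))
    print("body     :", render_greeting(PAYLOAD))
    print("attribute:", render_link(PAYLOAD))
```

Escaping has to match the context the value lands in: the HTML escaping above is correct for element content and quoted attributes, but a value placed inside a <script> block or a URL needs that context's encoding instead, which is exactly the gap examples 5 and 8 exploit with character-code tricks.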