
Lab2 Thai SE161457

The document discusses OS command injection vulnerabilities in web applications, detailing various levels of security and their respective weaknesses. It outlines the analysis and attack methods for low, medium, high, and impossible levels of command injection, emphasizing the importance of input validation and sanitization. Recommendations include validating user input, using parameterized queries, limiting OS command usage, and maintaining updated software to enhance security against such vulnerabilities.

Class: IA1603

Name: Nguyen Hong Thai

Roll number: SE161457

OS command injection – DVWA

1. Introduction
- OS command injection is a web security vulnerability that allows an attacker to execute arbitrary commands
on the underlying operating system of a web application server. It occurs when untrusted user input is passed to
the system shell without being properly sanitized.
- In this lab, the system asks for user input: an IP address to be entered in the IP Address form.

2. Preparation
- A computer running Windows. All firewalls must be disabled.
- Download XAMPP and DVWA from GitHub.
- Two machines: Windows 7 and Kali.
3. Level Low
- Analysis:
+ From the source code, I see that I can input a random integer or any
character instead of the IP address because the system does not validate user
input (1).
+ I can also use an operator (meta-character) to trick the shell into executing
arbitrary commands (2).
- Attack:
+ Payload: 192.168.50.195 && ver

4. Level Medium
- Analysis:
+ From the source code, I can still input a random integer or any
character instead of the IP address because it does not validate user input (1).
+ I see there are two character sequences that the system substitutes: && and ; . It
means that when I input one of these, the sequence is replaced with a blank (2).
+ I can also use an operator (meta-character) to trick the shell into executing
arbitrary commands (3).
- Attack:
+ Payload: 192.168.50.195 | dir C:\
5. Level High
- Analysis:
+ I can input anything, as at the low and medium levels, but here the admin uses a
trim function, so any whitespace at the first position [0] and the last position [∞]
of the input is removed (1).
+ The system also uses a substitution function, and each character listed in the
array is replaced with a blank (2).
+ I can also use an operator (meta-character) to trick the shell into executing
arbitrary commands (3).
- Attack:
+ Payload: 192.168.50.195|dir
- I will use "|" without any space after it, because the system would
replace "| " if I used an extra space.
=> 192.168.50.195|| dir
=> 192.168.50.195|"| "dir
=> 102.168.50.195|dir

6. Level Impossible
- Analysis:
+ First, I see it uses the function generateSessionToken() to create a unique token
and save it to the session. The purpose of this is to create a CSRF token to prevent CSRF
attacks.
+ Using stripslashes removes special characters and limits command
injection.
+ It uses the explode() function to divide the input IP into 4 parts corresponding
to the 4 octets of the IP, then checks that each part is an integer using the is_numeric()
function. This helps eliminate special characters that can lead to command
injection.
+ It uses shell_exec instead of system to avoid system parameter attacks.
- Suggested update to make the code more secure:
+ Escape shell arguments:
- I see that this code still uses the shell_exec() PHP function without
wrapping its argument in escapeshellarg(), even at the impossible level.
- I recommend using escapeshellarg() so that every meta-character in the string
is escaped and the string is wrapped in quotes; the result can then be passed
directly to the shell and will be treated as a single safe argument.
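The following is an added example, not DVWA's own code: a hardened ping handler that follows the impossible level's approach (explode the input into 4 octets and check each one) and adds the escapeshellarg() call recommended above. The function names parse_ipv4 and build_ping_command are this example's own, and it uses ctype_digit() in place of is_numeric(), which also accepts leading whitespace, signs, decimals and exponents such as "1e3".

```php
<?php
// Added example, not DVWA's own code: validation of the IP address before
// it is placed in a shell command, plus escapeshellarg() as a second layer.
// Function names are this example's own.

// Return the 4 validated octets of an IPv4 address, or null for anything else.
function parse_ipv4(string $input): ?array {
    $parts = explode('.', $input);
    if (count($parts) !== 4) {
        return null;
    }
    foreach ($parts as $part) {
        // Digits only, at most 3 of them, and within 0-255.
        if ($part === '' || strlen($part) > 3 || !ctype_digit($part) || (int)$part > 255) {
            return null;
        }
    }
    return array_map('intval', $parts);
}

// Build the ping command from the validated octets only; the raw user string
// never reaches the shell. escapeshellarg() quotes the rebuilt target, so a
// later change to the validator cannot silently reopen the injection.
function build_ping_command(string $input): ?string {
    $octets = parse_ipv4($input);
    if ($octets === null) {
        return null;
    }
    $target = implode('.', $octets);
    $countFlag = stripos(PHP_OS, 'WIN') === 0 ? '-n' : '-c';   // Windows vs. Linux
    return 'ping ' . $countFlag . ' 4 ' . escapeshellarg($target);
}

// Constructed inputs: a valid address, the payload shapes discussed in this
// report, and two strings that is_numeric() alone would have accepted.
$samples = [
    '192.168.50.195',
    '192.168.50.195 && ver',
    '192.168.50.195|dir',
    '1e3.1.1.1',
    ' 1.1.1.1',
];
foreach ($samples as $s) {
    $cmd = build_ping_command($s);
    // Only the first sample yields a command; that string is what shell_exec() would receive.
    printf("%-24s => %s\n", $s, $cmd ?? 'REJECTED');
}
```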
7. Comparison

| Security Requirement | Low | Medium | High | Impossible |
|---|---|---|---|---|
| Validate IP Address | No IP validation, allows arbitrary input. | No IP validation, allows arbitrary input. | Validates and removes unnecessary whitespace at the beginning and end. | Validates each element of the IP address as integers. |
| Prevent Command Injection | Possible to use meta-characters for arbitrary command execution. | Replaces && and ; with whitespace. | Possible to use meta-characters for arbitrary command execution. | Uses stripslashes to remove special characters and mitigates command injection. |
| Proper Input Handling | Does not handle input properly. | Does not handle input properly. | Removes unnecessary whitespace and replaces characters in an array. | Divides IP into 4 parts and checks each part for integers. |
| Prevent CSRF Attacks | No CSRF attack prevention measures mentioned. | No CSRF attack prevention measures mentioned. | No CSRF attack prevention measures mentioned. | Uses generateSessionToken() to create a CSRF token. |
| Secure System Commands | Possible to use meta-characters for system command attacks. | Possible to use meta-characters for system command attacks. | Possible to use meta-characters for system command attacks. | Uses shell_exec instead of system to avoid system parameter attacks. |

8. Recommendation
- Validate, sanitize and escape all user-provided data before using it in OS
commands. Remove special characters like ';', '|', '&' that could alter the intended
command behavior.
- Use parameterized queries or prepared statements when interacting with databases
to prevent SQL injection. Don't concatenate user input directly into SQL queries.
- Limit the use of OS commands and functions that interact with the system like
system(), exec(), shell_exec() etc. If possible, use alternative approaches.
- Run applications and services with least privilege to limit damage if a
vulnerability is exploited. Don't use root/admin accounts unnecessarily.
- Keep software updated by applying all security patches in a timely manner. Many
vulnerabilities are addressed in updates.
- Use a web application firewall (WAF) and configure it to detect and block
suspicious patterns in requests indicative of command injection attempts.