
Question Summary:

I am trying to create a lab scenario wherein the "attacker" is intended to perform a directory traversal attack from an HTML page and move into the Windows system directories. Can I inject commands into CMD on the victim using the web browser? Can this even be done?

Details:

  1. The goal is to execute the system command prompt on the victim and inject commands using switches.
    • Example: cmd /c ping www.google.com (this post has bearing but I can't seem to get it working)
    • I'm not sure this is possible using the character set available in a URL string.
  2. My current traversal string appears as such:
    • http://192.168.1.119/%5c../%5c../%5c../%5c../%5c/Windows/%5c/System32/%5c/cmd.exe
    • If I substitute in http://127.0.0.1/ above and then run it from the host/victim system, a prompt to run cmd appears in the browser.
    • Currently the HTML page is being run from a folder within "My Documents" though that will most likely be changed.
  3. Target system is Windows 7, 8 or Server 2012. (Currently using 8 for testing)
  4. Vulnerable web page is being run by simple web-server 1.2
    • This application is designed to be exploited by a traversal attack.
  5. Here is a YouTube video that shows an example of the attack being performed against a Windows XP machine running the vulnerable software above to access the boot.ini file.

I've spent a fair amount of time googling this to see if it can be done, yet I can't find specific information regarding syntax to inject commands into cmd. It appears that if I were to host my site on a Linux system then the attacker might be able to use bash commands to perform the attack, but I am not sure about Windows.

I'm quite new to all this! I've done IT / Sys Admin for a while, but not penetration testing. I'd like to keep this as simple as possible, but I'm learning as well! Help is greatly appreciated!

Shrout1
  • well... your most likely attack vector would be \\machinename\$c to access the hard drive through the browser, but you will have to be a local administrator on the remote box to do that. – K. Alan Bates Jun 05 '15 at 15:20
  • Are there relevant log files or error messages? – Neil Smithline Jun 05 '15 at 15:35
  • I think my primary problem is that the URL syntax doesn't support escaped forward slashes. They encode as "2f" but they aren't translated back to unicode or ascii (if that is the correct name). Because I can't seem to escape forward slashes I am having a hard time using a switch with cmd. – Shrout1 Jun 05 '15 at 15:37

2 Answers


In MS00-078 it was possible to traverse the path and run an arbitrary command simply by issuing a malformed GET request such as

https://wahh-app.com/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

The web server backend parsed the parameters after ? as command-line arguments.

Petr Javorik

The answer is "no" it can't be done, at least not with a directory traversal attack by itself. There are several issues here.

1) Directory traversal attacks should be blocked by the Web server to begin with. Of course, since you set up a lab environment, you have control and may have defeated the protection against it.

2) Directory traversal attacks like that will execute an HTTP GET, which means that it will only retrieve data, not execute something on the target. In order to execute something on the target, you'd need additional vulnerabilities that allow you to run, for instance, an arbitrary executable as a CGI script.

3) Your test with 127.0.0.1 is not valid. It actually downloaded cmd.exe, and then ran it on the local machine - since the download came from 127.0.0.1, you couldn't distinguish between these two scenarios. Also, 127.0.0.1 is probably trusted; you probably wouldn't be able to download cmd.exe from any other computer.

Kevin Keane
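Added example, not from the thread or any of its participants: a defender-side canonicaliser that decodes the two encodings quoted on this page (the %5c backslashes in the question and the overlong %c0%af of MS00-078) and flags requests whose ".." segments climb above the web root, which is the check the first point of the accepted-style answer above says the server should perform. All sample paths are constructed; the function names are my own.

```python
"""Canonicalise request paths and flag directory traversal, covering the
encodings in this thread: %5c for '\\' and the overlong %c0%af for '/'."""
from urllib.parse import unquote_to_bytes

def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 after rewriting overlong two-byte sequences (lead byte 0xC0/0xC1)
    to the ASCII byte they encode, as the MS00-078 decoder did; a strict decoder rejects them."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(data[i + 1] & 0x3F)  # e.g. c0 af -> 0x2f '/'
            i += 2
        else:
            out.append(data[i])
            i += 1
    return out.decode("utf-8", errors="replace")

def canonicalize(raw_path: str, rounds: int = 2) -> tuple:
    """Return (levels climbed above the web root, normalised path). Decodes up to
    `rounds` times so %255c double encoding is caught, and treats '\\' as a separator."""
    path = raw_path.split("?", 1)[0]  # the query string is not part of the path
    for _ in range(rounds):
        decoded = lenient_utf8(unquote_to_bytes(path))
        if decoded == path:
            break
        path = decoded
    climbs, parts = 0, []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            else:
                climbs += 1  # '..' with nothing left to pop escapes the web root
        else:
            parts.append(seg)
    return climbs, "/" + "/".join(parts)

def is_traversal(raw_path: str) -> bool:
    return canonicalize(raw_path)[0] > 0

# Constructed sample requests (not from a real log); the first two reuse the shapes quoted above.
SAMPLE_PATHS = [
    "/%5c../%5c../%5c../%5c../%5c/Windows/%5c/System32/%5c/cmd.exe",
    "/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\",
    "/%255c..%255c..%255cboot.ini",
    "/images/../index.html",  # benign: stays inside the root
]
```

Run `canonicalize` over each entry of SAMPLE_PATHS to see how many root levels each request escapes and what file it actually names once decoded.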