The Art of 0-Day Vulnerabilities, Part3: Command Injection and CSRF Vulnerabilities

INTRODUCTION
Hello dear null_byters here we go again with our third part of this serie.

in this third part of our series I'd like to do a demonstration or continuation on fuzzing, but I think I should leave for later because the next tutorials about fuzzing will require from you some basic knowledge about assembly and how things work in the memory, so I thought for now to toast you with the famous RCE and CSRF
REQUIREMENTS:
basic understanding of apache, mysql, linux commands, html, because i wont go so deep on the codes and terms i will use about the listed technology.

RCE --Remote Control Execution
CSRF--Cross Site Request Forgery
I bet you already know the types of vulnerabilities out there,so you have heard about them, these kind of vulnerability are very popular and can lead us too take control over the server when we can successfully run and RCE(one of my favorite ) so today we are going to learn how can we find 0 day RCE and CSRF then exploit it using DVWA, so for this you will need to install it in our machine.
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

In case you already have the DVWA in your machine just scroll down to the part 2 of this tutorial
PART 1 INSTALLING DVWA
so fire up your kali linux, open your favorite browser and download it from www.dvwa.co.uk

Now navigate to the folder you dowloaded the file and unzip it

after unziping(if i can say this word lol) we can run a listing to check if the file was successfully unzipped, and from the above screenshot we can see that the folder is there.
CHANGING AND MOVING THE FOLDER

After that instead of using this default folder(the name) i will change the name of the folder as "null_byte" because for me its more convenient

ok now we have the folder of our DVWA named as null_byte, the tutorial is so long i wish you can go and google the commands i wont explain(like mv, ls and all these basic commands).
For now we have our null_byte vulnerable folder with the contents of DVWA what we are going to do now is to move it to our document root folder(the folder where we will allocate our vulnerable website) in kali linux 2.0 you can find it under /var/www/

we can then run the following command:
mv null_byte /var/wwww
and when we list it we can see that our folder is now in our document root folder

Giving Permissions
Now we need so set permission for this folder for us to be able to read and execute the files inside this folder.
chmod -R 755 null_byte

DATABASE
Now that we have our DVWA in the right folder is time to set our user and password for mysql, just run the following command:
service mysql start
mysql -u root -p

for those who does not know the "-u" stands for user and we will set it as "root" and "-p" password as you can see we set it as blank by hitting just enter when they asked for the password in case you have a password there just type your password.
Creating the database
Now we have to create the database for our DVWA, inside the mysql terminal just run the creating database code(Go and read about mysql commands if you dont know it)

create database nullbyte;
Then we can run the command show to see our database
show databases;
we see from the pic below that our database was successfully created

for now you can exit with the exit command.
EDTING THE CONFIG FILE

Now we have to set up our configuration with the right user,password and ip of our webserver so that our DVWA can run correctly, so open the folder of our DVWA and look for a file called "config.inc.php" and open it with your favorite text editor, i will be using leafpad, from config folder(i had to switch the folder due to technical issues) i bet you will be in the right folder already just run the command are:
leafpad config.inc.php

and edit the db_server to localhost or 127.0.0.1, the database to null_byte as we created above and password to blank, close and save it.

Just to confirm everything will work fine, make sure your document root is /var/www/
in case its /var/www/html/
you can delete the "html" and leave it like that /var/www/
or you can just move our folder to the /var/www/html
save and close it

STARTING APACHE AND MYSQL
Now lets start our apache server that will host our website
service apache2 start
service mysql start

SETTING THE CURL

if you don't know cURL is a computer software project providing a library and command-line tool for transferring data using various protocols. here we will use curl to set up our DVWA
TESTING OUR DVWA
using firefox i will then test our dvwa

As we can see from the pic below we got our DVWA running so now lets exploit it, login with the credentials:
username:admin
password:password

PART 2 RCE AND CSRF VULNERABILITIES
If follow every steps correctly you should be prompted with this welcome page.

First thing we should check is our security level, as for the begin we will set it to low
from the left side bar click on dvwa security then set it to "low" and click on submit.

COMMAND EXECUTION VULENERABILITY
Is used to describe an attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process
Now go again to the side bar and click on command injections, there is an form where you can ping an ip, lets try to ping bingo.com

Good till now everything works fine, but what if instead of just the ip we give a command to it?

wow! we can execute commands to the server through the textfield that was supposed to receive only ips, as we can see ou "ls" worked perfectly, now lets try others.

As you can see we are able to execute commands thought the textfield, we could then build an exploit to make our lives easier, so how did it happened? if you scroll dow in the right corner you will see two fields,where you can view the source code

if you can see from the above picture they used the shellexec without checking the input, without even check if the user inputs are all integer, it did not split the ip to 4 octects, so we can input anything resulting in our favorite brother aka RCE as this kind of 0day are flagged as critical,which means if you find it in a big company you get gold back to your account, go and try more commands by yourself.
CSRF VULNERABILITY
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf1) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

A internet has a lot of websites vulnerable to it, its a good path too for the gold, so lets explore it. Go to the sidebar again and this time click on the CSRF vulnerability, you will see a simple form that allows you to change the admin password, change your admin password to something new i've changed mine to :1234

Now right click anywhere in the form and click to view the source code
and copy the code of the form paste it to a text editor.

Now near name="password_new"
and name="password_conf" add the following:
value="hacked" so now the code should look like that
name="passwprdnew" value="hacked"<br/>
name="passwprdconf" value="hacked"<br/>

Now for the action we have to specify the address or path of our vulnerable form that in my case is 127.0.0.1/null_byte/vulnerabilities/csrf/?
so our final exploit will look like the pic below, save it as exploit.html and run it..

now when we run it we will be able to change the admin password as the pic below

Now you can login with your new password "hacked" ...
For today thats all, now that you have the basic of that, download a cms like the latest version of wordpress, drupal or joomla and try these techniques, and if you are lucky enough you will get a gold,or you can just use some google dorks so find websites using forms and shellexec try them and get the gold..see you soon leave your comments below if you stuck somewhere or want to correct me somewhere..