Скачать или смотреть OS Command Injection | Exploitation | Mitigation | OWASP Top 10

This video goes over the number one vulnerability in web applications, focusing specifically on command injection.

Commands used during the setup :
sudo adduser compromised (Fill in the details)
sudo visudo
Add the following line to the contents of the file opened using visudo :
compromised ALL=(ALL:ALL) NOPASSWD:/home/compromised/script.py
Create a script.py file in the home directory of compromised user with the following contents :
import os
os.system("Hi there " + input ("What is your name : ") + " !")

and then chmod +x script.py
After logging in as the compromised user, you should be able to run the script as root without password with the sudo command.
NOTE: Remove the user and the entry in the sudoers file after practicing command injection since it can leave your machine vulnerable.

Thanks for watching. Please like, share and subscribe.
Timestamps:

0:00 Intro
0:06 Agenda
0:34 What is OWASP
0:46 What is OWASP Top 10
1:01 What is Injection
1:50 What is OS Command Injection
2:44 The Scenario
3:40 Setup
4:07 Discussing the goal
4:28 Breaking out of commands using special characters
6:16 Exploiting the python script using command injection
15:37 Exploiting command injection in DVWA at low security
21:47 Going over the vulnerability in the php code
23:00 Discussing the vulnerability in the php code at medium security
24:00 Exploiting command injection in DVWA at medium security
25:56 Discussing about fuzzing the input parameter
27:10 Using wfuzz to fuzz the input parameter and find the blacklisted characters
34:30 Going over the php code at high security level and explaining how to mitigate the vulnerability
38:00 Exploiting command injection in Mutillidae
43:01 Mitigating command injection vulnerability in applications
44:03 Outro