Project 1: Command Injection (15 pts.)

What You Need

Purpose

To understand and exploit the simplest type of vulnerability: command injection.

Introduction to the Bash Command Line

In a Web browser, go to:

https://bellard.org/jslinux/vm.html?url=https://bellard.org/jslinux/buildroot-x86.cfg

Afer a few seconds, a Linux terminal opens, as shown below. Use it to practice these commands:

CommandExplanation
datePrint out the date and time
lsList files and directories in the current working directory
pwdPrint the current working directory
cdMove to your home directory
cd /homeMove to the /home directory
cd ..Move to parent of the current working directory
echo "Hi"Print the the text "Hi"
date >> /tmp/fooPrint the date into the file /tmp/foo
echo "Hi" >> /tmp/fooPrint the text "Hi" into the file /tmp/foo
cat /tmp/fooPrint the contents of the file /tmp/foo
ls -l /tmpList, in long form, the files and folders of the directory /tmp

If you want more information about Bash, try this Unix tutorial.

Task A: Create a File (5 pts.)

Create a file in any directory, with any name, containing your name and the current date and time, like this:

You can use any Linux or Unix system you like--you don't need to use that online shell.

Capturing a Screen Image

Capture a WHOLE-DESKTOP image showing the output of the cat command, as shown above.

To capture a screen image:

Save the image as "Proj 1a from YOUR NAME".

Make sure your image has these required items:

Task B: Exploit the Ping Form (10 pts.)

In a browser, go to http://attack3214.samsclass.info/ping.htm

That form is intended to perform pings, but it is vulnerable and can be exploited to do other things. Get your name on the Winners board, as shown below.

Capturing a Screen Image

Capture a WHOLE-DESKTOP image showing your name on the Winners board.

Save the image as "Proj 1b from YOUR NAME".

Turning in Your Project

Send the images to cnit.129s@gmail.com with a subject of "Proj 1 from YOUR NAME". Send a Cc: to yourself.


Posted 8-14-16 12:11 pm
URL updated 1-17-18 5 pm
Switched to JS Unix 1-24-18