File upload vulnerability to Meterpreter

Vulnerability Name: Arbitrary file upload in DVWA (Damn Vulnerable Web Application) at the "low" security level.

System Specification:

Victim – Windows XP SP2 [IP: 192.168.24.131]

Attacker – Kali Linux 2.0 [IP: 192.168.24.133, listener port: 4444]

Success Criteria: Both of the following conditions must hold for a file upload vulnerability to be exploitable –

  1. The attacker can upload a file of any type (including server-side script types such as .php, .asp and .aspx).
  2. The attacker can reach the uploaded file at a web-served path, so that the server executes it when it is requested.

Tools used:

  1. Metasploit
  2. Msfvenom

Prerequisite Knowledge:

  1. What a web shell is and how it works.
  2. The Metasploit listener, exploit/multi/handler, paired with a reverse-connect payload.

Steps:

  1. Generate a web shell using msfvenom (msfvenom ships with the Metasploit framework). The command shown in the screenshot produces a raw PHP script named "prasenjitkantipaul.php"; when the victim's web server executes it, it connects back to the attacker at 192.168.24.133 on port 4444.
  2. Location of the malicious PHP file on the attacker machine.
  3. Set DVWA security to "low" for this proof of concept.
  4. Open the File Upload page.
  5. The file is uploaded successfully: the "low" handler does not check the file type before storing it, and it reports the path where the file was saved.
  6. Start the listener (exploit/multi/handler) on the attacker side to catch the connection the victim will send back.
  7. Request the uploaded file in the browser, which makes the server execute the PHP.
  8. Watch the listener: the reverse connection from the victim arrives.

A Meterpreter session is now open on the victim's machine; the PHP web shell did the job.
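The two success criteria above, seen from the server side, as an added example in Python (not code from the page and not DVWA's own code). low_security_accept mimics what the DVWA "low" handler does: it keeps the original file name and drops the file into the web-served hackable/uploads/ directory, so both criteria hold. hardened_accept shows the checks that break each criterion: an extension allow-list, a magic-byte check of the content, a scan for an embedded PHP open tag, a random server-chosen name and storage outside the web root. The /var/uploads/ directory, the size limit and the function names are assumptions of this example; the sample payload bytes are constructed stand-ins for the msfvenom script.

```python
import os
import secrets

# Allow-listed extensions and the leading bytes ("magic") a genuine file of that type starts with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

WEB_UPLOAD_DIR = "hackable/uploads/"   # DVWA's upload directory, served (and executed) by the web server
SAFE_UPLOAD_DIR = "/var/uploads/"      # assumed: outside the web root, reachable only via a download handler


def low_security_accept(filename: str, data: bytes) -> str:
    """Mimic the DVWA 'low' upload handler: no type check, original name kept,
    file stored where the web server will execute it. Returns the path an
    attacker can request afterwards (success criterion 2)."""
    return WEB_UPLOAD_DIR + os.path.basename(filename)


def hardened_accept(filename: str, data: bytes, max_bytes: int = 100_000) -> str:
    """Accept only small, genuine images; raise ValueError for everything else.
    Returns the storage path, which the client never learns."""
    if len(data) == 0 or len(data) > max_bytes:
        raise ValueError("empty file or file too large")
    base = os.path.basename(filename)
    # Exactly one dot: rejects "shell.php.jpg", "shell.jpg.php" and names without an extension.
    if base.count(".") != 1:
        raise ValueError("file name must have exactly one extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension .{ext} not allowed")
    # The content must look like the type the name claims (defeats renaming shell.php to shell.jpg).
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise ValueError("content does not match the declared type")
    # Crude guard against image/PHP polyglots; re-encoding the image server-side is the robust fix.
    if b"<?" in data:
        raise ValueError("embedded PHP open tag")
    # Random server-chosen name: the attacker can neither pick the extension (criterion 1)
    # nor predict the path (criterion 2).
    return SAFE_UPLOAD_DIR + secrets.token_hex(16) + "." + ext


def upload_verdict(filename: str, data: bytes) -> str:
    """Run hardened_accept and report the outcome as 'stored: <path>' or 'rejected: <reason>'."""
    try:
        return "stored: " + hardened_accept(filename, data)
    except ValueError as err:
        return "rejected: " + str(err)


def attacker_can_execute(stored_path: str) -> bool:
    """True when the stored file is web-reachable and carries a server-side script extension."""
    script_exts = (".php", ".phtml", ".asp", ".aspx", ".jsp")
    return stored_path.startswith(WEB_UPLOAD_DIR) and stored_path.lower().endswith(script_exts)


if __name__ == "__main__":
    shell = b"<?php system($_GET['cmd']); ?>"   # constructed stand-in for the msfvenom PHP payload
    print(low_security_accept("prasenjitkantipaul.php", shell))   # hackable/uploads/prasenjitkantipaul.php
    samples = [
        ("prasenjitkantipaul.php", shell),                 # extension not allowed
        ("shell.jpg", shell),                              # renamed shell: magic check fails
        ("pic.jpg", b"\xff\xd8\xff" + shell),              # polyglot: tag scan fails
        ("pic.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),  # genuine-looking image: accepted
    ]
    for name, data in samples:
        print(name, "->", upload_verdict(name, data))
```

The DVWA path and the basename() behaviour are what the "low" handler actually does; everything in hardened_accept is one possible fix, and a production handler would additionally re-encode images rather than rely on the "<?" scan.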

 

OS Command Injection to Meterpreter

Definition: Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

DEMO:

Victim Machine: The victim is a Windows XP SP2 server hosting DVWA; the OS Command Injection exercise is used at the "low" security level.

OS: Win XP SP2

IP: 192.168.0.102

Web APP: Damn Vulnerable Web Application (DVWA)


Attacker Machine:

IP: 192.168.0.104

OS: BackBox 4.7

Browser: Mozilla Firefox

Tools: Commix ([comm]and [i]njection e[x]ploiter) and Tamper Data (Firefox add-on)

 

Steps:

  1. First, find the injection point and the cookie for the DVWA Command Injection page. Tamper Data is used to capture the request: the form parameter that carries the address to ping, plus the PHP session cookie and the DVWA security-level cookie.
  2. With the cookie and injection point known, run commix from the terminal, passing it the target URL, the captured POST data and the cookie.
  3. Once commix confirms the injection it offers a pseudo-terminal shell; choose it to interact with the victim.
  4. Before going further, start a Metasploit listener (exploit/multi/handler) for a Python Meterpreter reverse TCP payload.
  5. Continue with commix's options: pick the Python-based reverse shell at the end and supply LHOST and LPORT (the attacker IP 192.168.0.104 and the port the listener is bound to).
  6. After the Python Meterpreter payload is selected, a reverse TCP connection comes back to the Metasploit listener.
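What commix exploits on the DVWA page, and the fix, as an added example in Python (not code from the page, from DVWA or from commix). ping_low glues the user-supplied address into a shell command string the way the "low" handler does, so a value such as 127.0.0.1 && whoami runs a second command; ping_hardened validates the value as an IP literal and passes it as a separate argument with no shell in between. The real ping is replaced by echo ping so the example runs offline; the function names and the SHELL_META set are assumptions of this example. The && , & and | separators behave the same way in cmd.exe on the Windows XP victim.

```python
import ipaddress
import subprocess

# Shell metacharacters an injected value relies on; a cheap check when reviewing logged form values.
SHELL_META = set(";&|`$(){}<>\n")


def ping_low(target: str) -> str:
    """DVWA 'low' behaviour: concatenate the input into a command line and hand it to the shell.
    'echo ping' stands in for 'ping' so this runs without network access."""
    cmd = "echo ping " + target
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def ping_hardened(target: str) -> str:
    """Validate the input as a bare IP address and run the command without a shell,
    passing the address as its own argv element so no metacharacter is interpreted."""
    addr = ipaddress.ip_address(target.strip())   # raises ValueError on anything that is not an IP literal
    result = subprocess.run(["echo", "ping", str(addr)], capture_output=True, text=True)
    return result.stdout


def try_ping_hardened(target: str):
    """ping_hardened with the rejection made visible: None means the input was refused."""
    try:
        return ping_hardened(target)
    except ValueError:
        return None


def looks_injected(value: str) -> bool:
    """True if the value contains a shell metacharacter; flags the commix-style payloads in request logs."""
    return any(ch in SHELL_META for ch in value)


if __name__ == "__main__":
    for value in ["127.0.0.1", "127.0.0.1 && echo INJECTED", "127.0.0.1; echo INJECTED"]:
        print(repr(value), "suspicious:", looks_injected(value))
        print("  low      ->", ping_low(value).strip().replace("\n", " | "))
        print("  hardened ->", try_ping_hardened(value))
```

The hardened version refuses the input outright rather than trying to strip metacharacters; an allow-list on the value's shape (here, "is it an IP address") is far easier to get right than a deny-list of characters, which is also why the SHELL_META check is offered only as a log-review aid.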

References:

  1. https://www.owasp.org/index.php/Command_Injection
  2. http://www.dvwa.co.uk/
  3. https://github.com/commixproject/commix
  4. https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
  5. https://backbox.org
  6. https://portswigger.net/KnowledgeBase/issues/Details/00100100_OScommandinjection

 

SQL Injection to Meterpreter

Goal: Exploit a SQL injection vulnerability to fully compromise the victim server and obtain a reverse shell (Meterpreter) using sqlmap. Note that sqlmap's operating-system takeover only works when the injected query runs as a database account privileged enough to write files on the server (on MySQL, the FILE privilege, as held by root) into a directory the web server serves; a low-privilege database account would stop the chain at data extraction.

Victim System: DVWA installed on Windows XP as the lab target. IP: 192.168.24.131

Attacker System: Kali Linux 2.0 [Python 2.7, sqlmap and Metasploit installed by default]. IP: 192.168.24.129

Tools:

SQLMap: sqlmap is a Python-based open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the penetration tester, and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections. For any queries: http://sqlmap.org/

Meterpreter: Meterpreter is a Metasploit payload. After successful exploitation it gives command-line access to the victim's system together with a set of post-exploitation commands (file transfer, process and privilege handling, pivoting). For any queries: https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/

Process:

FIG 1: Log in to DVWA [admin:password]

FIG 2: Set the DVWA security level to "Low"

FIG 3: Configure the Burp proxy to intercept the request and analyze the response

FIG 4: Baseline request with the value "1" in the id parameter

FIG 5: A single quote in the GET parameter "id" causes a database error, the tell-tale sign of an injectable parameter

FIG 6: Analyze the response and find the session cookie (sqlmap needs it to reach the authenticated page)

FIG 7: sqlmap command to exploit the SQLi and enumerate the databases

FIG 8: Databases retrieved | SQLi proved

FIG 9: sqlmap command to gain operating-system-level access

FIG 10: Options sqlmap prompts for along the way

FIG 11: Payload successfully injected into the victim's server

FIG 12: Bingo! The system is pwned with Meterpreter
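The injection behind FIG 5 and FIG 8, reproduced on an in-memory SQLite copy of the DVWA users table, as an added example in Python (not code from the page, from DVWA or from sqlmap). lookup_low builds the query the way the DVWA "low" page does, SELECT first_name, last_name FROM users WHERE user_id = '$id'; lookup_safe binds the value as a parameter. The sample rows are constructed (DVWA stores password hashes; plain text is used here), and SQLite's error text differs from MySQL's, but the three behaviours shown, a lone quote breaking the statement, a tautology returning every row, and a UNION pulling credentials out of the same table, are the ones sqlmap detects and exploits against the real target.

```python
import sqlite3

# Constructed stand-in for DVWA's users table.
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "password"),
    (2, "Gordon", "Brown", "gordonb", "abc123"),
    (3, "Hack", "Me", "1337", "charley"),
]


def open_db() -> sqlite3.Connection:
    """Fresh in-memory database with the sample rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_low(conn: sqlite3.Connection, user_id: str):
    """DVWA 'low': the request parameter is pasted into the SQL text between single quotes."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str):
    """Bound parameter: the value is data and can never alter the statement's structure."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def causes_db_error(conn: sqlite3.Connection, user_id: str) -> bool:
    """The FIG 5 probe: does this value make the unsafe query fail to parse?"""
    try:
        lookup_low(conn, user_id)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    conn = open_db()
    probes = {
        "baseline": "1",
        "lone quote": "1'",
        "tautology": "1' OR '1'='1",
        "union": "x' UNION SELECT user, password FROM users-- ",
    }
    for label, value in probes.items():
        print(f"{label:11} low : error={causes_db_error(conn, value)}",
              lookup_low(conn, value) if not causes_db_error(conn, value) else "")
        print(f"{label:11} safe:", lookup_safe(conn, value))
```

With the bound parameter every probe returns the same thing as a non-existent id (no rows, no error), which removes both the data leak behind FIG 8 and the foothold sqlmap needed for the OS-level steps.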