File Upload Exploitation in bWAPP (Bypass All Security)

In this article you will learn how to bypass all three security level of unrestricted file upload inside the bWAPP and if you want to know more about the various kind of file uploading vulnerability read previous article that may help you to understand this article more clearly.

LOW SECURITY

Open the target IP in browser: 192.168.0.106/bWAPP/login.php. Enter user and password as bee and bug respectively.


Set security level low, from list box chooses your bug select Unrestricted File Upload now and click on hack.


Create PHP backdoor using msfvenom and start multi handler in the background; now from screenshot you can see I have browse meter.php for uploading as an image inside the web server.


When the image gets successfully uploaded on the web server it will send the link of directory where image is saved to view the uploaded image. Since we haven’t upload any real image therefore we will try to execute our PHP backdoor by making click on the link “here”.


When victim click the above link “here” we will get victim’s reverse connection through meterpreter session inside the metasploit framework.
From screenshot you can see metasploit session 1 is opened.


MEDIUM SECURITY

As the level of security is change so here we cannot able to perform same procedure as above. Although here you just need to change only the extension of your PHP backdoor to bypass medium security. If you notice the image given below here you will find that I have browse meter.php3 for uploading

Now repeat the same step run multi handler at background and make click on the given link “here” to receive metrpreter session.


GREAT!!! From screenshot you can see metasploit session 2 is opened


HIGH SECURITY
Now we have enter into high security where above two file uploading attack will get failed so here again you need to make some small changes  into the extension of PHP backdoor file for uploading it in the web server.
From screenshot you can read the file name high.php.png which I have browse for uploading.


Here our file is successfully uploaded now make right click on the link “here” to copy link location and keep multi handler running at the background.


To bypass high security of file uploading in bWAPP we need to switch the bug as well as security level.
Set security level low and choose the bug remote & local file Inclusion then click on hack.

Here the requested web page which suffering from RFI & LFI Vulnerability gets open. Where you will find a comment to select a language from the given drop down list, and when you click on go button the selected language file get included in URL.

 Since I have uploaded the PHP backdoor shell in high security but execute that backdoor through low security with help of LFI vulnerability. Now just manipulate the following URL as shown in screenshot.

http://192.168.0.106/bWAPP/rlfi.php?language=lang_en.php&action=go into 192.168.0.106/bWAPP/rlfi.php?language=images/high.php.png


When above URL is executed in the browser you will get victim’s reverse connection inside metasploit.
Congrats!!! From screenshot you can see metasploit session 3 is opened.
Hence we have bypassed all three security level inside bWAPP

0 comments:

Post a Comment