Web Shells Penetration Testing

This post will describe the various PHP web Shell uploading technique to take unauthorized access of the webserver by injecting a malicious piece of code that are written in PHP.

Table of Content

  • Introduction of PHP Web shells
  • Inbuilt Kali’s web shells
    • simple backdoor.php
    • qsd-php backdoor web shell
    • php-reverse-shell.php
  • Using MSF venom
  • Weevely php web shell
  • PHP_bash web shell

Requirements

Attacker: Kali Linux

Target: Web for Pentester, DVWA

Introduction of PHP Web Shells

Web shells are the scripts which are coded in many languages like PHP, Python, ASP, Perl and so on which further use as backdoor for illegitimate access in any server by uploading it on a web server.

The attacker can then directly perform the read and write operation once the backdoor is uploaded to a destination, you can edit any file of delete the server file. Today we are going to explore all kinds of php web shells what-so-ever are available in Kali Linux and so on. So, let’s get started.

Kali Linux has inbuilt PHP Scripts for utilizing them as a backdoor to assist Pen-testing work. They are stored inside /usr/share/webshells/php and a pen-tester can directory make use of them without wasting time in writing PHP code for the malicious script.

  • simple backdoor.php
  • qsd-php backdoor web shell
  • php-reverse-shell.php

Simplebackdoor.php shell

Simple-backdoor.php is a kind of web shell that can generate a remote code execution once injected in the web server and script made by “John Troon”. It is already accessible in Kali in the/usr/share/web shells/php folder as shown in the pic below and after that, we will run ls -al command to check the permissions given to the files.

Now you must discover a way to upload a shell in your application. As we have to do all this Web for Pentesters, so we will first try to upload here simple backdoor php shell which is already available in kali and click on send the file to upload the shell.

As you can see, we have successfully uploaded the malicious php file and received the hyperlink for the uploaded file.

Thus, we try to access simple-backdoor.php and obtain the following output. As we can observe that here “cmd=cat+/etc/passwd” is a clear indication for Remote code execution.

 

So, let’s try and run cat+/etc/passwd to retrieve all the passwords of the server.

As a result, we have extracted all records of passwd file, hence we can execute any command such as ls, cp and so on therefore we can obtain web shell by exploiting REC.

 

qsd-php backdoor shell

An exploit of a web shell generally considered as a backdoor that enables an attacker to access and control a server remotely and the qsd-php backdoor shell is a kind of backdoor which provides a platform for executing system command and the wonderful script made by “Daniel Berliner”.

As you can see, we have uploaded the qsd-php-backdoor.php file successfully.

Then try accessing qsd-php-backdoor.php as you did in the previous step and you will find something as shown in the image below. Here you can perform directory traversal and you can also access the Web Server directory directly by entering the command and clicking on the go button.

As you can observe we have accessed the current directory directly without executing any system command.

We can also execute arbitrary system command since this backdoor provides a platform to execute the shell command such cat/etc/passwd, ls -al and much more. We can also run two commands simultaneously and see the result.

As you can see that we have got the result successfully.

PHP-reverse shell

Now its turn to move towards our next php web shell which is php-reverse-shell.php which will open an outbound TCP connection from the webserver to a host and script made by “pentestmonkey”. A shell will be attached to the TCP connection (reverse TCP connection). You can run interactive programs such as telnet, ssh etc with this script. It is different from the other Web shells script, through which you can send a single command and then return the output.

For this, we need to open this script through nano

Here we need to give the LISTEN_IP (Kali Linux) where we want the connection and LISTEN_PORT number can be set any.

 Now we need to upload this web shell in order to get the reverse connection. So, we will upload the malicious file and on the other hand start netcat listener inside a new terminal.

We can see that it is uploaded successfully.

Now as soon as you will execute the uploaded file and If all went well, then, the webserver should have thrown back a reverse shell to your netcat listener. And you can verify that we have got the shell successfully.

PHP Backdoor using MSFvenom 

We can also generate a php web shell with the help of msfvenom. We, therefore, write use msfvenom following command for generating malicious php code in raw format.

Then copy the code and save it by the name of meter.php

Now we will upload this malicious shell in DVWA lab to get the reverse connection. Now you can see the “meter.php successfully uploaded” message from the screenshot, meaning that our php backdoor is effectively uploaded.

In order to execute the shell, we will open the URL of DVWA.

Simultaneously we will start multi handler where we will get the meterpreter shell and we will run the following commands where we need to specify the lhost and lport to get the reverse connection.

As soon as you will explore the uploaded path and execute the backdoor, it will give you a meterpreter session.

Weevely Shell

Weevely is a stealthy PHP internet shell which simulates the link to Telnet and is designed for remote server administration and penetration testing. It can be used as a stealth backdoor a web shell to manage legit web accounts, it is an essential tool for web application post-exploitation. We can generate a PHP backdoor protected with the password.

Open the terminal and type weevely to generate a php backdoor and also set a password as in our case we have taken “raj123” and save this web shell as weevely.php

Now upload this web shell at the target location as in our case we have uploaded it at Web for pen testers and we will open the URL in the browser to execute the web shell.

Type the following instruction to initiate the webserver attack and put a copied URL into the Weevely command using password raj123 and you can see that we have got the victim shell through weevely. We can verify this by id command.

You can also check all the functionality of weevely through help command.

PHPbash shell

Phpbash is an internet shell that is autonomous, semi-interactive. We are going to download it from GitHub and then we will go inside the directory phpbash and execute ls -al command to check the available files.

So inside phpbash, we found a php script named “phpbash.php”, upload this script at your target location.

Now we will upload this web shell in DVWA lab and we can see the message that it is uploaded successfully.

Going ahead; we will open the URL to execute the shell.

Here our phpbash malicious file is executed and given the web shell. The benefit of the phpbash is that it doesn’t require any type of listener such as netcat because it has inbuilt bash shell that you can observe from the given image.

As a result, we have bash shell of www-data and we can execute system command directly through this platform.

So, this way we have explored and performed numerous ways to get the web shell through php web shells; which you can find under this single article.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information SecurityContact here

Configure Web Application Penetration Testing Lab

As you know that we have already shown you how to configure web server. Now it’s time to move on to the next step which is the configuration of Web Application in Ubuntu 18. So today we will be learning how can we configure the 5 famous web applications (DVWA, bwapp, XVWA, SQLI, Mutillidae) in our web server for Web Penetration Testing. So, let’s do that.

Table of Content

  • Requirement
  • Web application
  • DVWA
  • bWAPP
  • XVWA
  • Sqli
  • Mutillidae

Requirement-Ubuntu 18.0

Web Application

A web application is a computer program that utilizes web browsers and web technology to perform tasks over the Internet. Web apps can be built for a wider uses which can be used by anyone; from an enterprise to an entity for a variety of reasons. Frequently used Web applications can include webmail.

DVWA

Let’s start You should download and configure this web application only within the html directory for all web applications in the browser through localhost. Go to your Ubuntu terminal and move inside html directory by running the following command and then download dvwa lab from the given link.

After the installation we will go inside the dvwa and there we will find a config folder, now we will move inside the config folder and there we will run the ls command to view all available folder, now, here you will see a config.inc.php.dist file. Now as you can see, we have moved config.inc.php.dist file to config.inc.php

Now open the config file using nano; where you will find that db user is root and db password is password.

Here you need to make the changes and give access to the Ubuntu user as in our case we have written raj as db user and as our ubuntu password is 123 so we have written 123 as db password.

Now we will try to open dvwa lab in the browser by the following URL and click on Create/Reset Database

Good! We have successfully configured the dvwa lab in ubuntu 18 as we can see that we are welcomed by the login page.

For login, we will use the dvwa username which is admin and password which is dvwa password by default.

bWAPP

A buggy web application that is purposely unsafe. Enthusiasts of security, system engineers, developers can find out about Web vulnerabilities and prevent them.

bWAPP prepares you for successful tests and penetration testing. Now we will configure bWAPP lab in Ubuntu 18. First, we will download bWAPP and then we will move inside the Downloads folder and then unzip the bWAPP file by the following command-

Now we will move bWAPP into var/www/html by the following command-

Now we will edit the config file; so, move inside the config file by the following command and where you can see that db username is root and db password is bug b default.

Now we will make some changes and will set our ubuntu user raj in place of root and set password 123 in place of bug. Save it and then exit the config file.

Now go to your browser and open bWAPP installation file by the following command and click on here as shown in the image below

Now you will get a login page of bWAPP where we will use the default username which is bee and default password which is bug and you are logged in in bWAPP.

Now you can start working on bWAPP.

When you will login as bee:bug; you will get the portal to test your penetration testing skill.

XVWA

XVWA is poorly coded written in PHP/MYSQL web application that helps security lovers learn security from applications. This application is not advisable online because it is Vulnerable to extremes as the name also suggests. This application should be hosted in a controlled and safe environment where you can improve your skills with the tool of your choice. So, let’s start-

First, we will download XVWA from GitHub; so, go to ubuntu terminal and open the following link to download XVWA lab inside html directory by the following link-

Once it is downloaded, we will open the config file of xvwa by the following command

Now we can see that the username of xvwa is root and password is left blank.

Now we will remove the root user from here and we will be using the ubuntu username and password here which is raj:123

Afterwards, we will save the file and exit.

Now browse web application through URL-localhost/xvwa and we can see that we are successfully logged in-

SQLI Labs

A laboratory that offers a complete test environment for those interested in acquiring or improving SQL injection skills. Let’s start. First, we will download SQLI lab inside html directory by the following link-

 Once the download is done, we will move sqli labs into the /var/www/html directory and rename it to sqli. Then go inside the sqli directory where we will find /sqli-connections directory. Here we will run ls command to check the files and we can see that here is file by the name of db-creds.inc

we need to make some changes in the config file by the following command-

As we can see that username is given root and password is left blank which we need to modify.

Now here we will set the username and password as raj:123 Now save the file and exit.

Now browse this web application from through this URL: localhost/sqli and click on Setup/reset Databases for labs.

Now the sqli lab is ready to use.

Now a page will open up in your browser which is an indication that we can access different kinds of Sqli challenges

Click on lesson 1 and start the Sqli challenge.

Mutillidae

OWASP Mutillidae is a free open source purposely vulnerable web application providing an enthusiastic goal for web security. It’s a laboratory which provides a complete test environment for those who are interested in SQL injection acquisition or improvement. This is an easy-to-use Web hacking environment designed for laboratories, security lovers, classrooms, CTFs, and vulnerability assessment targets, and has dozens of vulnerabilities and tips to help the user.

So, let’s start by downloading by the clicking on the following link given below-

After the downloading, go inside the Mutillidae directory and where you will find a directory /includes, go inside this directory.

Inside this directory, we will find database-config.inc file which we need to open by nano command as shown in the image below.

Now here you will find that username is root and password is Mutillidae, by default and which we need to change.

Now we will use our ubuntu username and password which is raj:123. Save the changes and then exit

Now we will open this our local browser by the following URL: localhost/mutillidae where we will find an option of reset database. Just click on it to reset the database.

Now you will be redirected to a page which will ask you to click ok to proceed. Here you need to click on ok and you are done with the configuration of the Mutillidae lab.

So, In this way, we can setup our vulnerable web application lab for penetration testing.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information SecurityContact here

Payload Processing Rule in Burp suite (Part 2)

Today we are going to discuss “Payload Encoding” option followed by payload processing of Burpsuite which is advanced functionality comes under Intruder Tab for making brute force attack.

Payload Encode

The processing rule can be used to encode the payload using various schemes such as URL, HTML, Base64, ASCII hex or constructed strings.

Let’s start!!

First, we have intercepted the request of the login page of the router by giving its default IP which is 192.168.1.1, where we have given an invalid username and password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Thus the sent request will be captured by burp suite which you can see in the given below image. In the screenshot, I had highlighted some value in the last line. Here it tells the type of authentication provided by the router is basic and if you have read above theory of basic authentication I had described that it is encoded in base 64

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of the window frame.
  • Now select the encoded value of authentication for payload position and click to ADD button on the left side of the frame.
  • Choose the Attack type as

Now click on payloads option after selecting payload position. Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. We can either load the dictionary or we can manually add input strings using the Add button in the payload options as shown in the image.

The base64 encoded value of Authentication is a combination of username and password now the scenario is to generate the same encoded value of authentication with help of user password dictionary, therefore I have made a dictionary.

Before executing the attack we have added a payload processing rule to the payload type which is Encode and we have selected “Base64 encode” scheme because we know router takes the value in Base64.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax because this will start brute force attack and try to match string for user authentication. In the screenshot, you can the status and length of the highlighted value is different from the rest of the values. This means we can use this encoded value to bypass the user authentication which occurs from request number 10. Now check the username and password of 10th line in the dictionary. 

And to confirm the username and password matched, we will give the password in the Router’s Login Page, which will successfully log us into the Router’s Configuration Page. This shows our success in the attack as shown in the image.

Decode

This processing rule can be used to decode the payload using various schemes: URL, HTML, Base64 or ASCII hex. As we know decoding is nothing but reversing the encoding. It can be used in the opposite way in which encoding is carried out.

Hash

This processing rule can be used to carry out a hashing operation on the payload. There are 7 types of hashing algorithms are available in this payload processing rule which is as follows:

  • SHA-384
  • SHA-224
  • SHA-256
  • MD5
  • MD2
  • SHA
  • SHA-512

First, we have intercepted the request of the Redirection Link designed to find redirection vulnerabilities in the LAB created by us and in the hash value of the URL we have given a wrong hash value of HTTP://www.google.com in place of the actual hash value of the HTTP://www.hackingarticles.in in the URL of the redirecting page. We have simply clicked on the Redirection link as shown in the image; the burp suite will capture the request of the redirecting page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of the window frame.
  • Now we will select the fields where we want to attack which is the hash value of the redirecting page and then click on the Add button.
  • Choose the Attack type as a sniper.

Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. We can either load the dictionary or we can manually add input strings using the Add button in the payload options as shown in the image.

Before executing the attack we have added a payload processing rule to the payload type which is Hash and then we have selected MD5 which is a commonly used algorithm for converting URL of the websites into a Hash MD5 value. As you can see the input strings of the dictionary are in a simple text form, but this processing rule converts it into Hash MD5 values which can be seen in result window of the attack.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax because now the burp suite will do its work, match the Hash MD5 of the Redirecting Page which will give you the correct MD5 value. The moment it will find the correct value, it will change the value of length as shown in the image.

The Hash MD5 value, we will give the Hash value in the URL of the redirecting page which is HTTP://www.hackingarticles.in, which will successfully redirect us to HTTP://www.hackingarticles.in. This shows our success in the attack as shown in the image.

Add Raw Payload

This processing rule can be used to add raw payload value before or after the current processed value. For example, it can come in handy whenever we want to submit the same payload in both raw and hashed form.

First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by right-clicking on the space and selecting Send to Intruder option or simply press Ctrl + i. Now open the Intruder tab then select Positions tab and the following will be visible. Choose the Attack type as Sniper. Press on the Clear button as shown in the image. Now we will select the fields where we want to attack which is the password and click on Add button.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of the window frame.
  • Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
  • Choose the Attack type as
  • In the given below image, we have selected a password that means we will need one dictionary files for a password.

Before executing the attack we have added a payload processing rule to the payload type which is Add Raw Payload and then we have selected Append Pre-processed Payload. This adds a raw payload value before and after the current processed value. As you can see the input strings of the dictionary as a single input string is repeated twice which can be seen in result window of the attack.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.

And to confirm the password matched, we will give the password in the Bwapp LAB login page, which will successfully log us into the Bwapp lab. This shows our success in the attack as shown in the image.

Skip if Matches Regex

This processing rule can be used to check the current processed value matches a specified regular expression, and if it matches it will skip the payload and will move onto the next one. For example, Suppose we have a parameter value that has a minimum length and want to skip values in the list that are shorter than the minimum length defined.

First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of the window frame.
  • Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
  • Choose the Attack type as
  • In the given below image, we have selected a password that means we will need one dictionary files for a password.

Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. We can either load the dictionary or we can manually add input strings using the Add button in the payload options as shown in the image.

Before executing the attack we have added a payload processing rule to the payload type which is Skip if Matches Regex where we have given an input of {@} in the match regex field. Here we see that as per this rule if the input is given matches with any of the input strings in the dictionary it simply skip that value and move on to next.

Now Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking ArticlesHe is a certified ethical hacker, web penetration tester and a researcher in nanotechnology. Contact Here

Engagement Tools Tutorial in Burp suite

Today we are going to discuss the Importance of Engagement tools which is a Pro-only feature of Burp Suite. It is mainly used in information gathering and hence the analysis of any web application testing.

Its four important utilities are the following:

  • Find References
  • Discover Content
  • Schedule Task
  • Generate CSRF POC

Find References

This function can be used to search all Burp suite tools for HTTP responses that link to a particular item. To make use of this function, select an HTTP request anywhere in Burp suite, or any part of the site map, and choose “Find references” in “Engagement tools” in the context menu which can be seen clicking Action Tab within Burp suite.

The result window of the search shows responses (from all Burp tools) that are linked to the selected item. Whenever we view an individual search result, the response will be automatically highlighted to show where the linking reference is occurring.

This function treats the original URL as a Prefix whenever we search for links, so if you select a host, you will find all references related to the host and if you select a folder, you will find all references to items inside that folder.

First, we have intercepted the request of the Vulnweb.com which is a demo lab available over the internet which can be used for testing attacks. Then click on enter after writing the URL of the Vulnerable Web in your browser, then the burp suite will capture the request of the web page in the intercept tab.

Then click on Action Tab, after that select the Engagement tools then click on Find References. This will open a result window which will show all the references related to the URL whose request has been captured which is the Vulnerable Web as shown in the image.

Discover Content

This function is used to discover contents and functionality which are not linked with visible content that you can browse or spider.

There are various techniques that the burp suite uses to discover content, which includes name guessing, web spidering, and extrapolation from naming conventions observed within the use of an application.

Control

This tab shows you the current status of the session. The toggle button represents whether the session is running or not, and it also allows you to pause and restart the session.

The following information is displayed about the progress of the discovery session:

  • Number of requests made
  • Number of bytes transferred in server responses
  • Number of network errors
  • Number of discovery tasks queued
  • Number of spider requests queued
  • Number of responses queued for analysis

Target

This option allows you to define or state the start directory of the content discovery session, and whether the files or directories should be targeted. The options that are available are as follows:

  • Start directory – This is the location where Burp suite is used to look for content. The items within this path and sub-directories are requested during the session.
  • Discover – This option can be used to determine whether the session will look for files or directories or both.

Site Map

The discovery session uses their own site map, showing all of the content which has been discovered within the defined scope. If you have configured your Burp suite to do so, newly discovered items can be added to Burp suite’s main site map.

First, we have intercepted the request of the Vulnweb.com which is a demo lab available over the internet which can be used for testing attacks. Then click on enter after writing the URL of the Vulnerable Web in your browser, then the burp suite will capture the request of the web page in the intercept tab.

Then click on Action Tab within the Burp suite, after that select the Engagement tools then click on Content Discovery. This will open a result window which will show the discovery session status and queued tasks which are related to the URL whose request has been captured which is the Vulnerable Web as shown in the image.

Schedule Task

This function can be used to automatically start and stop certain tasks at defined times and intervals. We can use the task scheduler to start and stop certain automated tasks while you are not working, and to save your work periodically or at a specific time.

To make use of this function, select an HTTP request anywhere in Burp suite, or any part of the target site map, and choose “Schedule task” within “Engagement tools” in the context menu which can be seen by clicking right within Burp suite.

The types of task that are available within this function are as follows:

  • Scan from a URL
  • Pause active scanning
  • Resume active scanning
  • Spider from a URL
  • Pause spidering
  • Resume spidering
  • Save state

First, we have intercepted the request of the vulnweb.com which is a demo lab available over the internet which can be used for testing attacks. Then click on enter after writing the URL of the Vulnerable Web in your browser, then the burp suite will capture the request of the web page in the intercept tab.

Then click on Action Tab within the Burp suite, after that select the Engagement tools then click on Schedule Task. This will open a window of schedule task options where we have selected Scan from a URL option as shown in the image.

Then Click Next a window will open where we have to give the URL we want to scan its branches from the site map.

Then Click Next we see that the scanner tab of the burp suite is open which scans all the branches beneath the site map of the given URL which is seen in the scan queue tab as shown in the image which is related to the URL whose request has been captured which is the Vulnerable Web as shown in the image.

Generate CSRF PoC

This function can be used to generate a proof-of-concept (PoC) cross-site request forgery (CSRF) attack for any given request.

To access this function, select a URL or HTTP request anywhere in the Burp suite, and choose “Generate CSRF PoC” within “Engagement tools” in the context menu which can be seen by clicking right within Burp suite.

Let’s start!!

First, we have intercepted the request of the CSRF (transfer amount) option in the Bwapp LAB, where we have given an Account Number.

Then click on transfer, the burp suite will capture the request of the page in the intercept tab.

Then click on Action Tab within the Burp suite, after that select the Engagement tools then click on Generate CSRF PoC. This will open a window of the CSRF PoC where we made a change in Account value and Amount value in CSRF HTML code as shown in the image.

After making changes in the values click on Test in Browser option or Copy HTML this will open the window of Show response in the browser then click on COPY, and then paste it in the Browser and Press Enter as shown in the image.

We see a Submit request Button is seen in the browser after that click on it.

It appears to us that the amount is reduced as we have transferred the amount from the account by making changes in the CSRF HTML code as shown in the image.

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking ArticlesHe is a certified ethical hacker, web penetration tester and a researcher in nanotechnology. Contact Here