Exploiting Port 80 – PHP
Navigating to the root of the web server, you will see some vulnerable web applications, along with the msfadmin account details which you got earlier with Telnet.
The Mutillidae and the DVWA web applications are outside the scope of this post, which is mostly focused on host-based exploitation. However, you can easily exploit the other web applications to get a shell.
Exploiting PHP using Metasploit
You know port 80 is open, so you type the IP address of Metasploitable 2 in your browser and notice that it is running PHP. If you dig a little further you will find which version of PHP is running and also that it is being run as a CGI.
When running as a CGI, PHP versions up to 5.3.12 and 5.4.2 are vulnerable to an argument injection vulnerability.
Search and use the appropriate MSF module to get a shell.
Exploiting Port 80 - TWiki
TWiki is a Perl-based structured wiki application, typically used to run a collaboration platform, knowledge or document management system, knowledge base, or team portal. Users can create wiki pages using the TWiki Markup Language, and developers can extend wiki application functionality with plugins.
Exploiting TWiki using Metasploit
The OpenVAS scan revealed that the TWiki web application is vulnerable to remote code execution. There are some exploits available in MSF for this application.
Both twiki_history and twiki_search are supposed to work flawlessly but that does not appear to be the case.
Confusing, but the session is created.
The other one refuses to create a session…
Exploiting Port 80 - WebDAV
WebDAV stands for Web Distributed Authoring and Versioning. The WebDAV protocol provides a framework for users to create, change and move documents on a server, typically a web server or web share. WebDAV is exploitable in many different ways.
Exploiting WebDAV using Davtest
You can test out DAV using the davtest command line utility. To scan a WebDAV server using the program just specify the URL:
In the davtest output, a bunch of actions failed. That suggests you need credentials to do anything. Or maybe you need a better tool…
Exploiting WebDAV using Cadaver
Cadaver is a utility for dealing with WebDAV systems on the command line. With cadaver, you can connect to the DAV server directly. It turns out this method does not require credentials: once you type the cadaver command to connect to the server, you are immediately connected. Once connected you can issue a number of different commands.
What this means is that you have access to the WebDAV directory, and therefore you can create files. Namely, you can upload web shells to the WebDAV server.
Web shells are scripts written in languages such as PHP, Python, ASP or Perl that, once uploaded to a web server, act as a backdoor for illegitimate access to the server. Once the backdoor is in place, the attacker can read and write files on the server directly: edit any file or delete server files.
Kali Linux ships with ready-made PHP web shells. They are stored in /usr/share/webshells/php, and a pentester can use them without wasting time writing the PHP code for the malicious script.
You can take advantage of these scripts to get a remote shell. You start by uploading the script to the server using cadaver.
Upload the simple-backdoor script:
Then you execute the script on the web browser.
The script is now ready to execute commands.
Try using a different script (php-backdoor):
This script will give you a true web shell to perform a number of tasks:
Run a command:
Try a different script (qsd-php-backdoor):
And you will get an even better web shell:
You can also create a reverse shell but for that you need to edit the script in order to adjust the settings to your needs. Namely, you will need to insert the IP address of your attacker machine so that the victim knows where to send the shell.
Edit the php-reverse-shell.php file and make the necessary changes:
Now put the script on the server with cadaver, start a Netcat listener, and open the script with the web browser as before:
And you will get a shell:
Exploiting WebDAV using Metasploit
To check for WebDAV, you can use a couple of different modules:
Wrong results…
Also, not very useful…
Nothing…
But if you manage to find a writable directory, you can use it to get a remote shell.
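Both of the weaknesses walked through so far leave a very recognizable trace in the Apache access log: the PHP-as-CGI argument injection from the first section shows up as a request whose query string begins with a dash and carries no `=` (the shape that makes Apache hand the query string to php-cgi as command-line arguments), and the WebDAV misconfiguration in this section shows up as write methods (PUT, MOVE, MKCOL, …) succeeding with no authenticated user, typically dropping a `.php` file. The following detector is an added example written for this page, not something from the original post or from Metasploit; the log lines it runs on are constructed, and the rule names and the `Finding` class are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Apache "combined" log format. The third field is the authenticated user,
# which is "-" when the request carried no (valid) credentials.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# WebDAV methods that change content on the server. PROPFIND/OPTIONS are
# read-only and are deliberately not in this set.
WEBDAV_WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
# Extensions the server would execute rather than serve as static content.
SCRIPT_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".phtml", ".pl", ".cgi")


@dataclass
class Finding:
    ip: str
    rule: str
    detail: str


def php_cgi_arg_injection(target: str) -> bool:
    """True when the query string would reach php-cgi as argv.

    Apache only passes the query string on the command line when it
    contains no '=', and a leading '-' (or its encoded form %2d) then
    turns it into a PHP switch. Flag exactly that combination.
    """
    if "?" not in target:
        return False
    query = target.split("?", 1)[1]
    return "=" not in query and re.match(r"^(-|%2[dD])", query) is not None


def webdav_unauth_write(method: str, user: str, status: str) -> bool:
    """A 2xx answer to a write method with no authenticated user."""
    return method in WEBDAV_WRITE_METHODS and user == "-" and status.startswith("2")


def scan_log(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, user, method, target, status = (m.group(k) for k in ("ip", "user", "method", "target", "status"))
        if php_cgi_arg_injection(target):
            findings.append(Finding(ip, "php-cgi-arg-injection", f"{method} {target}"))
        if webdav_unauth_write(method, user, status):
            findings.append(Finding(ip, "webdav-unauth-write", f"{method} {target} -> {status}"))
            if method == "PUT" and target.lower().endswith(SCRIPT_EXTENSIONS):
                findings.append(Finding(ip, "webdav-script-upload", target))
    return findings


# Constructed sample log (not captured from a real host). Lines 1 and 6 match
# the CGI pattern, line 3 is an unauthenticated upload of a PHP file, the rest
# are benign: a normal parameterised request, a read-only PROPFIND, and an
# authenticated PUT of a text file.
SAMPLE_LOG = [
    '172.16.1.6 - - [12/Mar/2024:10:00:00 +0000] "GET /index.php?-s HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '172.16.1.6 - - [12/Mar/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '172.16.1.6 - - [12/Mar/2024:10:00:02 +0000] "PUT /dav/simple-backdoor.php HTTP/1.1" 201 0 "-" "cadaver/0.23.3"',
    '172.16.1.6 - - [12/Mar/2024:10:00:03 +0000] "PROPFIND /dav/ HTTP/1.1" 207 931 "-" "cadaver/0.23.3"',
    '172.16.1.6 - alice [12/Mar/2024:10:00:04 +0000] "PUT /dav/notes.txt HTTP/1.1" 204 0 "-" "cadaver/0.23.3"',
    '172.16.1.6 - - [12/Mar/2024:10:00:05 +0000] "GET /index.php?%2dh HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ip}  {f.rule:24s} {f.detail}")
```

Run it directly to see the four findings from the sample. On a real host the same two rules map onto the fixes: upgrade PHP (or stop running it as a CGI) for the first, and for WebDAV put the write methods behind `Require valid-user` inside a `<LimitExcept GET HEAD OPTIONS PROPFIND>` block, or disable DAV on directories that must not accept uploads.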
Creating a payload with MSFVenom
The msfvenom utility can be used to generate a reverse TCP shell in a PHP script. Basically, here's what you specify with msfvenom:
- LHOST - This is the machine that you want your target machine to try to connect to. This must be the publicly visible (or at least visible to the target) IP of your attacker machine.
- LPORT - This is the port number that you want the target machine to connect to. The attacker machine must have this port open for the target to connect to it.
In this case, 172.16.1.6 is the IP of the attacker machine and 4444 the listener port on the attacker.
Now use cadaver to connect and put the PHP shell onto the web server:
Now start a Metasploit listener using the proper MSF module and choosing the proper payload:
This will wait for the reverse connection from the target machine.
The final step is to execute the PHP file. Click the PHP file or visit its URL in the browser.
This will execute the PHP code, create a shell, and open a connection to your Metasploit console.
Exploiting Port 80 - Apache Server
This chapter will cover techniques for exploiting the Metasploitable Apache server (running Apache 2.2.8). It will start with some general techniques (working for most web servers), then move on to the Apache-specific ones.
This will also ignore the Tomcat server - we'll get to that later.
Exploiting Apache Server using Metasploit
Let’s try some MSF modules:
The files_dir module checks for the presence of any interesting files on the web server. By default, it uses a dictionary list that comes with Metasploit (/usr/share/metasploit-framework/data/wmap/wmap_files.txt) but you can also use your own.
Some directories return the HTTP code 301 (Moved Permanently).
Telnet to explore the 301s
If you use telnet to connect to port 80 and send a GET request for a resource that returns a 301, you can see more information:
Connect to port 80 and type out a GET request with the location being requested, specify the host, then press ENTER on an empty line to finish the request:
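The telnet session above is just a hand-typed HTTP/1.1 request, and what it reveals is whatever the server puts in its response headers: the status code, the `Location` the 301 points at, and the `Server` banner. The script below reproduces that exchange in Python so you can see each piece; it is an added example, not from the original post. Because it has to run offline, it starts a small constructed stand-in on loopback that answers every GET with a 301 to the directory form of the path (the way Apache does for a directory requested without a trailing slash) and carries a constructed `Apache/2.2.8` banner; `raw_get`, `parse_response` and `probe_301` are names chosen for this example.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class RedirectHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the target: every GET gets a 301 to path + '/'."""
    server_version = "Apache/2.2.8 (Ubuntu)"  # constructed banner for the example
    sys_version = ""

    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", f"http://{self.headers['Host']}{self.path}/")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server() -> HTTPServer:
    """Bind to an ephemeral loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), RedirectHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def raw_get(host: str, port: int, path: str) -> str:
    """Send exactly what you type into telnet: request line, Host header, blank line."""
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(request.encode("ascii"))
        chunks = []
        while True:  # read until the server closes the connection
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("iso-8859-1")


def parse_response(raw: str):
    """Split a raw HTTP response into (status code, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def probe_301(path: str):
    """Run the whole exchange against the constructed server and return the parsed reply."""
    srv = start_server()
    try:
        host, port = srv.server_address
        return parse_response(raw_get(host, port, path))
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    status, headers, _ = probe_301("/phpMyAdmin")
    print(status, headers.get("location"), headers.get("server"))
```

The `server` header is the piece a defender can control: Apache's `ServerTokens Prod` trims the banner to `Apache`, so a manual GET like this one no longer hands over the exact version that the module searches in the next section rely on.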
You will get a phpMyAdmin page that looks like it has lots of information that could be fuzzed. However, fuzzing the phpMyAdmin login page (and attacking vulnerabilities in phpMyAdmin itself) will launch you into a whole new set of tools and concepts, so we'll leave that for some other time.
Try some other MSF modules:
Funny, it doesn’t even show the previously found directories.
This next one will find some additional directories.
There are many Apache-specific modules and that makes it difficult to figure out where to begin. Take a look at Legion/Nikto scan results and you’ll see the following vulnerability:
Load the Metasploit module to scan for this vulnerability:
Running it confirms that the Apache web server is vulnerable (IP addresses of vulnerable web servers are printed out).
Now load the other auxiliary module to try to take advantage of the vulnerability:
In this case nothing happens, which confirms what you found before: index.php is the only file available on this Apache server.