Friday, April 13, 2018

Command Injection (IV): Webshell -> Msfvenom / Meterpreter

Command Injection (IV): Webshell  -> Msfvenom / Meterpreter

- Layout for this exercise:

- This exercise is based on the previous one:

- The goal of this exercise is to achieve a meterpreter session by injecting a PHP webshell through the attacker's URL browser.

- First of all, let's have a look at options of the reverse_tcp, available with Metasploit:

- The only option required is LHOST, corresponding to the attacker's IP.

- Based on this payload, msfvenom generates the webshell pm.php:

- Opening the file, there are a couple of characters /* that must be removed to make the PHP script executable:

- At the attacker's side, let's open a SimpleHTTPServer listening on port 8000:

- Now, it is time to launch the attack using the wget command with -O indicating the folder where to allocate the output, in this case the folder /tmp.

- Why the folder /tmp? because it is a usual writable folder in most systems, what helps to bypass the problem of finding a writable area of memory where to store our malicious webshell pm.php:

- At the attacker's side, the successful transaction is registered:

- Also, the attacker Kali can check that this phase of the attack goes well, locating the transferred webshell pm.php at the folder /tmp:

 - Before running the webshell, let's open a listening session at the attacker's side (IP on port 4444) with a Metasploit handler:

- Finally, executing the webshell pm.php with the command php -f:

- The attack is successful because a meterpreter session is immediately achieved as a consequence of running the webshell:

Thursday, April 12, 2018

Command Injection (III): Webshell -> php-backdoor.php

- Layout for this exercise:

- This exercise is based on the previous one:

- In this exercise let's assume the most simple scenario, where the web server folder at the Ubuntu victim machine is readable, while in other exercises we study more complex scenarios:

- Starting XAMPP at Ubuntu:

- Also, let's check that ci.php is present at the victim side:

- ci.php is accessible from the attacker Kali Linux via web:

- Now, going to /user/share/webshells, Kali has got a bunch of prepared webshells to be used as attacking tools for different languages:

- Going to the php folder we find php-backdoor.php:

- Setting a simple HTTP server at the attacker's side:

- Checking that the wget command is available at the victim side:

- Now, the wget command is injected crafting the URL at Kali's browser (notice that is Kali's IP):

- The transaction is successful, because php-backdoor.php is now present at the victim side:

- The simple HTTP server at Kali records the successful transaction:

- Finally, executing php-backdoor.php remotely via the browser is easy.

- Let's notice that there are several attacking options available, for instance uploading files , traversing paths, and also executing SQL injections:

- For instance, traversing to folders where comprimising files are present:

- Also, other malicious files could be uploaded, even setting the destination folder:

- The attack is successful because the malicious file has been uploaded to the victim by injecting commands to the attacker's browser:

Command Injection (II): Reverse shell connection with NetCat


- Layout for this exercise:

- This exercise is based on the previous one:

- Now, the goal is to perform a Command Injection attack from the web browser of the attacker Kali Linux against a victim Metasplotaible, injecting NetCat commands:

Three of the most interesting characteristics of this attack are:

  • No file is uploaded to the victim so the detection rate would be low
  • No need of writable permissions over the web server folder on the victim's side 
  • The tool (NetCat) is usually present in most of the Linux/Windows machines

- First, let check that ci.php (allows Command Injection due to lack of input sanitization, as seen at previous exercise) is available at the victim side Metasploitable's web server folder /var/www:

- From Kali:

- NetCat (nc) has two options (-c and -e), considered dangerous by the program itself, that execute commands remotely:

- Setting a listening session on port 4444 at the attacker side:

- Now, entering through Kali's browser the NetCat command which executes (-e) remotely a shell (/bin/bash):

- It is interesting to notice the Connecting notification, meaning it is waiting to the connection at the other side:

 - Finally the attacker Kali achieves a reverse shell connection from the Metasploitable victim's side:

Wednesday, April 11, 2018

Command Injection (I): Attacking unsanitized PHP files


- Layout for this exercise:

1 - Command Injection attack

- The goal of this exercise is to perform a Command Injection attack from the attacker Kali Linux against the victim Ubuntu.

- Command injection is an attack in which there is an execution of arbitrary commands on the host operating system via a vulnerable application:

- Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. 

- The attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. 

- Command injection attacks are possible largely due to insufficient input validation.

2 - Unsanitized PHP file

- First of all, let's start the XAMPP server on Ubuntu:

- In this exercise we take for granted that at the victim machine's web server there is a ci.php file that is vulnerable to Command Injection due to improper input validation.

- This file can be found on the victim's web server either due to poor programming practice or due to a backdoor download by an unsuspecting user:

- Opening ci.php:

- The file is simple, it consists of just a PHP script embbeded into an HTML page. 

- The PHP script defines a comand $command and then executes it with the PHP function passthru(), useful when binary data needs to be passed directly back to a browser.

- $command is composed of two concatenated subcommands : first, ls -alh displays the content of the path passed as parameter; second, the superglobal variable $_REQUEST takes as input the non sanitized parameter 'path'

3 - Launching Command Injection attacks

- Now, from Kali let's run ci.php at the browser. The result is the path of the web server where ci.php is located:

- Changing to path=/home:

- Going to the user roch's Desktop with path=/home/roch/Desktop:

- So far, we have performed a kind of attack similar in some way to a Directory or Path Traverse attack. 

- However, using the ; separator, other commands can be concatenated from the attacker's browser, for instance ping:

- Also, the command cat can be used to open content of compromising files:

- Establishing a persistent connection with ncat

- Now let's perform a more dangerous attack by establishing a persistent connection with ncat

- Forcing remotely the server to run a listening session on port 4444 and executing a shell (-e /bin/bash):

- Let's notice that the web server starts listening for a connection:

- Finally, the attacker launches a connection to the server's IP and port 4444 what results in the remote execution of shell commands:

5 - Uploading/Downloading files from/to the attacker Kali to/from the victim Ubuntu

- As a complement of last attack, using ncat the attacker is able to upload and download files, and more types or remote interaction through the victim's shell.

5.1) Uploading files from Kali (attacker) to Ubuntu (victim)

- Crafting the URL at the attacker Kali's browser, the injected command forces the victim to listen on port 4444 the arrival of a file, what will be called webshell.php:

- Kali has got a dangerous PHP webshell script what wants to upload to the victim Ubuntu, actually to the web server htdocs folder:

- Now, Kali sends the PHP script to the victim who is listening on port 4444:

- The transaction is successful, and now the victim's web server folder has beed uploaded with a dangerous PHP script what could be used for further attacks:

5.2) Downloading files from Ubuntu (victim) to Kali (attacker)

- Preparing the attacker Kali to receive a file on port 4444 and naming it redbud.jpeg:

- Crafting the URL at the attacker's browser, the injected command forces the victim to send the .jpeg picture to the attacker who is listening on port 444::

- The transaction attack is successful:

- Launching another attack, let's prepare again the attacker to receive a text file, and naming it secret:

- Crafting the URL at the attacker's browser, the injected command forces the victim to send the text file to the attacker who is listening on port 4444:

- The transaction attack is again successful:

6 - Filtering with str_replace()

- With the purpose of sanitizing the input parameter let's rename to ci_f1.php and perform some alterations to the orignal PHP script:

- The new file uses the function str_replace() replacing ; and invalidating any command injection using that character.

- Using ci_f1.php:

- Now the character ; as a  separator is not valid any more to launch a command inject attack:

- However, alternative characters could be used to bypass this filter, so using str_replace() is not a very powerful solution, because so many characters should be banned in the same way than ;  what would make the coding task bothersome.

- For instance using the character pipe | the ping command injection attack is still successful:

7 - Filtering with escapeshellarg() / escapeshellcmd()

- The PHP function escapeshellarg() adds single quotes around a string and quotes/escapes any existing single quotes allowing to pass a string directly to a shell function and having it be treated as a single safe argument:

- This function should be used to escape individual arguments to shell functions coming from user input. 

- Altering ci.php with escapeshellarg() and renaming to ci_f2.php, the $_REQUEST['path'] function is sanitized with escapeshellarg():

- Using ci_f2.php:

- Now no Command Injection attack is successful because the input parameter is being validating correctly:

- By the way, the function escapeshellcmd() could be used in a similar way than escapeshellarg():

- escapeshellcmd() escapes any characters in a string that might be used to trick a shell command into executing arbitrary commands. 

- This function should be used to make sure that any data coming from user input is escaped before this data is passed to the exec() or system() functions, or to the backtick operator.

- Following characters are preceded by a backslash: &#;`|*?~<>^()[]{}$\, \x0A, \xFF.

- ' and " are escaped only if they are not paired.

- In Windows, all these characters plus % and ! are replaced by a space instead.